Cannot provison ElasticSearch nested stack

[AffiTheCreator]

I'm trying to integrate Amazon Elasticsearch with SaaS boost, I have created a yaml file similar to the rds and efs extensions, i have also modified tenant-onboarding to fit the new extension modification.

Reproduction Steps

Project: https://github.com/AffiTheCreator/aws-saas-boost/tree/elasticsearch

1. Download the tenant-onboarding.yaml and tenant-onboarding-es.yaml
2. Upload the files to the S3 bucket of saas boost
3. Provision a Tenant

What did you expect to happen?

A tenant to be provision with an Elasticsearch node

What actually happened?

The stack failed to create with status reason:

User: arn:aws:sts::AAAAAAAAAAA:assumed-role/sb-dev-onboarding-svc-role-eu-west-1/sb-dev-onboarding-provision is not authorized to perform: es:DescribeElasticsearchDomain on resource: arn:aws:es:eu-west-1:AAAAAAAAAAA:domain/tenant-4d1e2ae8-es-cluster (Service: AWSElasticsearch; Status Code: 403; Error Code: AccessDeniedException; Request ID: 5733a27c-dbec-4325-ba7a-7526fc374dfe; Proxy: null)

2. The following resource(s) failed to create: [ElasticsearchDomain].

Environment

• **AWS Region : eu-west-1
• **AWS SaaS Boost Version : v0
• **Workload OS (Linux or Windows) : Linux

Other

This is 🐛 Bug Report

[4patelr]

The errors is happening because the execution role for the Lambda function that executes the tenant-onboarding.yaml does not have permissions for elasticsearch. Take a look at the saas-boost-svc-onboarding.yaml and the role on line 224 with:
RoleName: !Sub sb-${Environment}-onboarding-svc-role-${AWS::Region}.

You need to add permissions to the role for es:DescribeElasticsearchDomain and other permissions like es:CreateElasticsearchDomain. Take a look at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticsearchservice.html. For development, since the role is already existing in your account, you could go into the AWS IAM console --> Roles and edit the sb-dev-onboarding-svc-role-eu-west-1 to add the permissions and then try to onboard a tenant again. Once you have the permissions determined, modify the saas-boost-svc-onboarding.yaml and update your environment.

Besides the onboarding-svc-role, you will need to add permissions to the onboarding-delete-tenant role in the same saas-boost-svc-onboarding.yaml to allowing delete of the ES resources.

[AffiTheCreator]

@4patelr thanks for the reply :)

So after reading the documentation I added this to the Policy that starts in line 243 - PolicyName: !Sub sb-${Environment}-onboarding-svc-policy-${AWS::Region}

              # Elasticsearch onboarding policy
              - Effect: Allow
                Action:
                  - es:AddTags 
                  - es:CreateElasticsearchDomain  
                  - es:DescribeElasticsearchDomain
                  - es:CreateElasticsearchServiceRole
                Resource: 
                  - !Sub arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/$(Fn::GetAtt:[es.outputs.ESClusterName])/*

Also added the above to onboarding-delete-tenant role in the same way as before:

              # Elasticsearch onboarding delete policy
              - Effect: Allow
                Action:
                  - es:DeleteElasticsearchDomain   
                  - es:DeleteElasticsearchServiceRole 
                  - es:DescribeElasticsearchDomain  
                  - es:RemoveTags 
                Resource: 
                  - !Sub arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/$(Fn::GetAtt:[es.outputs.ESClusterName])/*

In my tenant-onboarding-es.yaml I already defined my AccessPolicies, althought it's for dev purpose:

      AccessPolicies:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal:
            AWS: '*'
          Action: "es:*"
          Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticsearchName}/*"
      Tags:
        - Key: Tenant
          Value: !Ref TenantId

I have also updated my repository with the new changes

[4patelr]

If you are provisioning a ES cluster per tenant then you would not want to use the outputs from the es stack in the following as that won't be available when the Lamba execution role is created.

                Resource: 
                  - !Sub arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/$(Fn::GetAtt:[es.outputs.ESClusterName])/*

Instead, you could use something like this:

                Resource: 
                  - !Sub arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/*/*

[AffiTheCreator]

After modifying the scripts, I keep getting the same error:

User: arn:aws:sts::AAAAAAAA:assumed-role/sb-dev-onboarding-svc-role-eu-west-1/sb-dev-onboarding-provision is not authorized to perform: es:DescribeElasticsearchDomain on resource: arn:aws:es:eu-west-1:AAAAAAAA:domain/tenant-00786408-es-cluster (Service: AWSElasticsearch; Status Code: 403; Error Code: AccessDeniedException; Request ID: 8ab321ad-5dfc-4dd1-9f95-930fa390abf7; Proxy: null)

[4patelr]

Did you run the install.sh to update SaaS Boost environment after adding the permissions to the yaml file?

[AffiTheCreator]

I uploaded the files directly to the s3 bucket of SaaS boost - so I don't need to run install.sh (right?)

[4patelr]

In the case where you modify any of the saas-boost-* yaml files, you have to run the update of the CloudFormation stack and you can do this either by going into the CloudFormation console and performing an "Update" or you can run install.sh and choose to upgrade your existing environment.

[AffiTheCreator]

I ran the install.sh script and did the update, but I keep getting the same error.

[4patelr]

When you go to IAM --> Roles, do you see the permissions for ES in the sb-dev-onboarding-svc-role-eu-west-1 role? If not, try adding them there in the policy and then try to provision a tenant to see if it works.