feat(opensearch): FTRS-856 Index creation and population (#673)

* feat(opensearch): FTRS-856 Index creation and population

Author: gurinder-s-brar

.github/actions/create-open-search-index/action.yaml

@@ -0,0 +1,52 @@
+name: 'Create open search index action'
+description: 'Creates the required index in open search'
+
+inputs:
+  workspace:
+    description: 'The name of the workspace'
+    required: false
+    default: ''
+  environment:
+    description: 'Environment to authenticate against (e.g., dev, test, prod)'
+    required: true
+  domain:
+    description: 'The name of the collection to target (defaults to ftrs-dos-dev-osc)'
+    required: true
+    default: 'ftrs-dos-dev-osc'
+  index:
+    description: 'The OpenSearch index name to create'
+    required: true
+    default: 'triage_code'
+  aws_region:
+    description: 'AWS region to use for AWS CLI and boto3 calls (optional)'
+    required: false
+    default: ''
+outputs:
+  endpoint:
+    description: 'Resolved OpenSearch collection endpoint'
+    value: '${{ steps.create_index.outputs.endpoint }}'
+  final_index:
+    description: 'Final index name created'
+    value: '${{ steps.create_index.outputs.final_index }}'
+runs:
+  using: 'composite'
+  steps:
+    - name: Create OpenSearch index
+      id: create_index
+      shell: bash
+      env:
+        INDEX: ${{ inputs.index }}
+        OPEN_SEARCH_DOMAIN: ${{ inputs.domain }}
+        WORKSPACE: ${{ inputs.workspace }}
+        ENVIRONMENT: ${{ inputs.environment }}
+        AWS_REGION: ${{ inputs.aws_region }}
+      run: |
+        set -euo pipefail
+
+        echo "Using OPEN_SEARCH_DOMAIN=${OPEN_SEARCH_DOMAIN} INDEX=${INDEX} WORKSPACE=${WORKSPACE} AWS_REGION=${AWS_REGION:-<unset>}"
+
+        python3 -m pip install --upgrade pip setuptools wheel
+
+        python3 -m pip install boto3 requests
+
+        python3 ./scripts/workflow/create_open_search_index.py

.github/actions/populate-open-search-index/action.yaml

@@ -0,0 +1,50 @@
+name: 'Populate open search index action'
+description: 'Populates the required index in open search'
+
+inputs:
+  workspace:
+    description: 'The name of the workspace'
+    required: false
+    default: ''
+  environment:
+    description: 'Environment to authenticate against (e.g., dev, test, prod)'
+    required: true
+  aws_region:
+    description: 'AWS region to use for AWS CLI and boto3 calls (optional)'
+    required: false
+    default: ''
+  table:
+    description: 'The DynamoDB table name to use'
+    required: true
+    default: 'ftrs-dos-dev-database-healthcare-service'
+  endpoint:
+    description: 'Resolved OpenSearch endpoint (from build action)'
+    required: true
+    default: ''
+  final_index:
+    description: 'Final index name created (from build action)'
+    required: true
+    default: ''
+runs:
+  using: 'composite'
+  steps:
+    - name: Populate OpenSearch index
+      id: populate_index
+      shell: bash
+      env:
+        WORKSPACE: ${{ inputs.workspace }}
+        ENVIRONMENT: ${{ inputs.environment }}
+        AWS_REGION: ${{ inputs.aws_region }}
+        DYNAMODB_TABLE: ${{ inputs.table }}
+        OS_ENDPOINT: ${{ inputs.endpoint }}
+        OS_FINAL_INDEX: ${{ inputs.final_index }}
+      run: |
+        set -euo pipefail
+
+        echo "Using WORKSPACE=${WORKSPACE} AWS_REGION=${AWS_REGION:-<unset>} OS_ENDPOINT=${OS_ENDPOINT:-<unset>} OS_FINAL_INDEX=${OS_FINAL_INDEX:-<unset>}"
+
+        python3 -m pip install --upgrade pip setuptools wheel
+
+        python3 -m pip install boto3 requests
+
+        python3 ./scripts/workflow/populate_open_search_index.py

.github/workflows/deploy-open-search-indexes.yaml

@@ -0,0 +1,57 @@
+name: Deploy Open Search Indexes workflow
+
+permissions:
+  id-token: write
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: "Environment to authenticate against (for example: dev, test, prod)"
+        required: true
+        type: string
+      workspace:
+        description: "Workspace name to deploy into"
+        required: true
+        type: string
+      aws_region:
+        description: "AWS region to use for AWS CLI calls"
+        required: false
+        type: string
+        default: ''
+
+jobs:
+  build-index:
+    name: Build index
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Configure AWS credentials
+        uses: ./.github/actions/configure-credentials
+        with:
+          aws_account_id: ${{ secrets.ACCOUNT_ID }}
+          aws_region: ${{ inputs.aws_region }}
+          type: app
+          environment: ${{ inputs.environment }}
+
+      - name: Create OpenSearch index
+        id: create-index
+        uses: ./.github/actions/create-open-search-index
+        with:
+          environment: ${{ inputs.environment }}
+          workspace: ${{ inputs.workspace }}
+          aws_region: ${{ inputs.aws_region }}
+
+      - name: Populate OpenSearch index
+        id: populate-index
+        uses: ./.github/actions/populate-open-search-index
+        with:
+          environment: ${{ inputs.environment }}
+          workspace: ${{ inputs.workspace }}
+          aws_region: ${{ inputs.aws_region }}
+          endpoint: ${{ steps.create-index.outputs.endpoint }}
+          final_index: ${{ steps.create-index.outputs.final_index }}

.github/workflows/pipeline-deploy-application.yaml

@@ -202,6 +202,20 @@ jobs:
       type: app
     secrets: inherit
 
+  deploy-open-search-indexes:
+    name: "Deploy OpenSearch indexes to ${{ needs.metadata.outputs.environment }}"
+    if: false
+    needs:
+      - metadata
+      - deploy-application-infrastructure
+      - restore-dynamodb-from-s3
+    uses: ./.github/workflows/deploy-open-search-indexes.yaml
+    with:
+      environment: ${{ needs.metadata.outputs.environment }}
+      workspace: ${{ needs.metadata.outputs.workspace }}
+      aws_region: ${{ vars.AWS_REGION }}
+    secrets: inherit
+
   deploy-frontend-services:
     name: "Deploy ${{ matrix.name }} to ${{ needs.metadata.outputs.environment }}"
     concurrency:

infrastructure/common/common-variables.tf

@@ -177,3 +177,9 @@ variable "included_cloudfront_log_fields" {
     "sc-range-end"
   ]
 }
+
+variable "index_base" {
+  description = "Base name of the OpenSearch index (workspace suffix will be appended at runtime)"
+  type        = string
+  default     = "triage_code"
+}

infrastructure/common/locals.tf

@@ -44,4 +44,7 @@ locals {
     rds             = "alias/${local.project_prefix}-rds-kms"
     opensearch      = "alias/${local.project_prefix}-opensearch-kms"
   }
+
+  # Will be used by dos-search stack
+  opensearch_index_name = "${var.index_base}${local.workspace_suffix}"
 }

infrastructure/stacks/opensearch/opensearch_collection_policy.tf

@@ -64,3 +64,83 @@ resource "aws_opensearchserverless_access_policy" "opensearch_serverless_data_ac
     }
   ])
 }
+
+// NOTE: Collection and dashboards are currently public (AllowFromPublic = true) for ease of testing.
+// To make the collection private later, create VPCE(s) in the account-wide stack and supply their IDs
+// to this stack, then set AllowFromPublic = false and set SourceVPCEs.
+// This should be done once a Lambda (or any other compute running inside a VPC) needs to read or write
+// indexes in the collection, so that access occurs over PrivateLink instead of the public endpoint.
+
+resource "aws_opensearchserverless_security_policy" "opensearch_serverless_workspace_network_access_policy" {
+  count       = local.workspace_suffix == "" ? 0 : 1
+  name        = "${var.environment}-${var.stack_name}${local.workspace_suffix}-nap"
+  description = "Workspace-level network access for collection dashboards and collection endpoint"
+  type        = "network"
+
+  policy = jsonencode([
+    {
+      Description     = "Workspace dashboard access"
+      AllowFromPublic = true
+      Rules = [
+        {
+          Resource     = ["collection/${data.aws_opensearchserverless_collection.opensearch_serverless_collection.name}"]
+          ResourceType = "dashboard"
+        }
+      ]
+    },
+    {
+      Description     = "Workspace network access for collection"
+      AllowFromPublic = true
+      Rules = [
+        {
+          Resource     = ["collection/${data.aws_opensearchserverless_collection.opensearch_serverless_collection.name}"]
+          ResourceType = "collection"
+        }
+      ]
+    }
+  ])
+}
+
+resource "aws_opensearchserverless_access_policy" "opensearch_serverless_workspace_data_access_policy" {
+  count = local.workspace_suffix == "" ? 0 : 1
+
+  name        = "${var.environment}-${var.stack_name}${local.workspace_suffix}-dap"
+  type        = "data"
+  description = "Collection-level data access policy for OpenSearch collection ${data.aws_opensearchserverless_collection.opensearch_serverless_collection.name} (grants collection & index ops)"
+
+  policy = jsonencode([
+    {
+      Rules = [
+        {
+          ResourceType = "collection"
+          Resource     = ["collection/${data.aws_opensearchserverless_collection.opensearch_serverless_collection.name}"]
+          Permission = [
+            "aoss:CreateCollectionItems",
+            "aoss:UpdateCollectionItems",
+            "aoss:DescribeCollectionItems",
+            "aoss:DeleteCollectionItems"
+          ]
+        },
+        {
+          ResourceType = "index"
+          Resource     = ["index/${data.aws_opensearchserverless_collection.opensearch_serverless_collection.name}/${local.opensearch_index_name}"]
+          Permission = [
+            "aoss:CreateIndex",
+            "aoss:UpdateIndex",
+            "aoss:DescribeIndex",
+            "aoss:DeleteIndex",
+            "aoss:ReadDocument",
+            "aoss:WriteDocument"
+          ]
+        }
+      ],
+      Principal = concat(
+        [
+          data.aws_caller_identity.current.arn,
+          aws_iam_role.osis_pipelines_role.arn
+        ],
+        local.env_sso_roles
+      )
+    }
+  ])
+}

scripts/config/sonar-scanner.properties

@@ -4,8 +4,8 @@ sonar.host.url=https://sonarcloud.io
 sonar.qualitygate.wait=true
 sonar.sourceEncoding=UTF-8
 sonar.sources=.
-sonar.coverage.exclusions= infrastructure/**, tests/**, **/*.test.ts, **/*.spec.ts, tests/ui/src/**
-sonar.exclusions=tests/**, /**/__tests__/**,  */*.test.tsx, **/*.test.ts, **/*test*.py, **/test_*.py, **/tests/unit/**
+sonar.coverage.exclusions= infrastructure/**, tests/**, scripts/workflow/tests/**, **/*.test.ts, **/*.spec.ts, tests/ui/src/**, scripts/workflow/create_open_search_index.py, scripts/workflow/populate_open_search_index.py
+sonar.exclusions=tests/**, scripts/workflow/tests/**, /**/__tests__/**,  */*.test.tsx, **/*.test.ts, **/*test*.py, **/test_*.py, **/tests/unit/**
 
 #sonar.python.coverage.reportPaths=.coverage/coverage.xml
 #sonar.[javascript|typescript].lcov.reportPaths=.coverage/lcov.info