Adds support for AWS OpenSearch Serverless (AOSS)

Why are these changes being introduced:

* We are planning a migration to AOSS
* We need to maintain our existing AWS OpenSearch Service (ES)
  integration while migrating to AOSS

Relevant ticket(s):

* https://mitlibraries.atlassian.net/browse/USE-423

How does this address that need:

* Added support for AWS OpenSearch Serverless (AOSS) using either
  expiring credentials by passing a session token or by assuming a role.

* Configured the application to support AWS OpenSearch Serverless (AOSS)
  in addition to the existing AWS OpenSearch Service (ES).
* Added logic to choose the appropriate client based on environment variables.
* Implemented AWS SigV4 signing for AOSS authentication.

Document any side effects to this change:

* Updated lambda configuration to support session tokens. It does not
  have assume role configuration at this time, but we needed to support
  temporary credentials in the lambda to support them locally in
  OpenSearch Serverless (AOSS) so I included that in this change.

Author: JPrevost

Gemfile

@@ -4,6 +4,8 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby '3.4.8'
 
 gem 'aws-sdk-lambda'
+gem 'aws-sdk-sts'
+gem 'aws-sigv4'
 gem 'bootsnap', require: false
 gem 'devise'
 gem 'faraday_middleware-aws-sigv4'
@@ -12,6 +14,7 @@ gem 'graphql'
 gem 'jwt'
 gem 'lograge'
 gem 'mitlibraries-theme', git: 'https://github.com/mitlibraries/mitlibraries-theme', tag: 'v1.4'
+gem 'opensearch-aws-sigv4'
 gem 'opensearch-ruby'
 gem 'puma'
 gem 'rack-attack'
@@ -24,7 +27,7 @@ gem 'sentry-ruby'
 gem 'uglifier'
 
 group :production do
-  gem 'connection_pool', '< 3'   # 3.x requires keyword args; pin to 2.x for Rails 7.2.3
+  gem 'connection_pool', '< 3' # 3.x requires keyword args; pin to 2.x for Rails 7.2.3
   gem 'pg'
 end
 

Gemfile.lock

@@ -102,6 +102,9 @@ GEM
     aws-sdk-lambda (1.176.0)
       aws-sdk-core (~> 3, >= 3.244.0)
       aws-sigv4 (~> 1.5)
+    aws-sdk-sts (1.12.0)
+      aws-sdk-core (~> 3, >= 3.110.0)
+      aws-sigv4 (~> 1.1)
     aws-sigv4 (1.12.1)
       aws-eventstream (~> 1, >= 1.0.2)
     base64 (0.3.0)
@@ -277,6 +280,9 @@ GEM
     nokogiri (1.19.1)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
+    opensearch-aws-sigv4 (1.3.0)
+      aws-sigv4 (>= 1)
+      opensearch-ruby (>= 1.0.1, < 4.0)
     opensearch-ruby (3.4.0)
       faraday (>= 1.0, < 3)
       multi_json (>= 1.0)
@@ -478,6 +484,8 @@ PLATFORMS
 DEPENDENCIES
   annotate
   aws-sdk-lambda
+  aws-sdk-sts
+  aws-sigv4
   bootsnap
   byebug
   capybara
@@ -497,6 +505,7 @@ DEPENDENCIES
   minitest (< 6)
   mitlibraries-theme!
   mocha
+  opensearch-aws-sigv4
   opensearch-ruby
   pg
   puma

config/initializers/lambda.rb

@@ -1,11 +1,20 @@
 require 'aws-sdk-lambda'
 
 def configure_lambda_client
-  Aws::Lambda::Client.new(
-    region: ENV.fetch('AWS_REGION', 'us-east-1'),
-    access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID'),
-    secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY')
-  )
+  if ENV['AWS_SESSION_TOKEN'].present?
+    Aws::Lambda::Client.new(
+      region: ENV.fetch('AWS_REGION', 'us-east-1'),
+      access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID'),
+      secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY'),
+      session_token: ENV.fetch('AWS_SESSION_TOKEN')
+    )
+  else
+    Aws::Lambda::Client.new(
+      region: ENV.fetch('AWS_REGION', 'us-east-1'),
+      access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID'),
+      secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY')
+    )
+  end
 end
 
 Timdex::LambdaClient = configure_lambda_client

config/initializers/opensearch.rb

@@ -1,36 +1,122 @@
-require 'faraday_middleware/aws_sigv4'
+require 'faraday_middleware/aws_sigv4' if ENV['AWS_OPENSEARCH'] == 'true' && ENV.fetch('AWS_AOSS', 'false') == 'false'
+require 'opensearch-aws-sigv4'
+require 'aws-sigv4'
 
+# Priority is given to AWS AOSS, then AWS OpenSearch, and finally vanilla OpenSearch
 def configure_opensearch
-  if ENV['AWS_OPENSEARCH'] == 'true'
+  if ENV['AWS_AOSS'] == 'true'
+    aws_aoss_client
+  elsif ENV['AWS_OPENSEARCH'] == 'true'
     aws_os_client
   else
     os_client
   end
 end
 
+# os_client is used to connect to a standard OpenSearch cluster that does not require AWS SigV4 signing for
+# authentication. It creates a new OpenSearch::Client with logging enabled based on the OPENSEARCH_LOG
+# environment variable.
+#
+# @return [OpenSearch::Client] a client for connecting to a standard OpenSearch cluster
+# @note This is mostly used for connecting to a locally running OpenSearch instance
 def os_client
   OpenSearch::Client.new log: ENV.fetch('OPENSEARCH_LOG', false)
 end
 
+# aws_os_client is used to connect to AWS OpenSearch Service which requires AWS SigV4 signing for authentication. It
+# creates a new OpenSearch::Client and configures it to use the aws_sigv4 middleware for request signing. The middleware
+# is configured with the AWS region, access key ID, secret access key, and optionally a session token if using temporary
+# credentials. The OPENSEARCH_URL environment variable is used to specify the endpoint of the OpenSearch cluster.
+#
+# @return [OpenSearch::Client] a client for connecting to AWS OpenSearch Service (ES)
+# @note This is the legacy method for this application and will be removed when we migrate to AOSS.
+# @note AWS OpenSearch Service can use long-lived access keys, unlike AWS AOSS which requires temporary credentials
+# obtained by assuming a role.
 def aws_os_client
-  OpenSearch::Client.new log: ENV.fetch('OPENSEARCH_LOG', false), url: ENV['OPENSEARCH_URL'] do |config|
+  OpenSearch::Client.new log: ENV.fetch('OPENSEARCH_LOG', false), url: ENV.fetch('OPENSEARCH_URL', nil) do |config|
+    Rails.logger.debug "Configuring AWS OpenSearch Service client with URL: #{ENV.fetch('OPENSEARCH_URL', nil)}"
     # personal keys use expiring credentials with tokens
     if ENV['AWS_SESSION_TOKEN'].present?
+      Rails.logger.debug "Using temporary credentials with session token"
       config.request :aws_sigv4,
-                      service: 'es',
-                      region: ENV['AWS_REGION'],
-                      access_key_id: ENV['AWS_ACCESS_KEY_ID'],
-                      secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'],
-                      session_token: ENV['AWS_SESSION_TOKEN']
+                     service: 'es',
+                     region: ENV.fetch('AWS_REGION', nil),
+                     access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID', nil),
+                     secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY', nil),
+                     session_token: ENV['AWS_SESSION_TOKEN']
     # application keys don't use tokens
     else
+      Rails.logger.debug "Using long-lived credentials without session token"
       config.request :aws_sigv4,
-                      service: 'es',
-                      region: ENV['AWS_REGION'],
-                      access_key_id: ENV['AWS_ACCESS_KEY_ID'],
-                      secret_access_key: ENV['AWS_SECRET_ACCESS_KEY']
+                     service: 'es',
+                     region: ENV.fetch('AWS_REGION', nil),
+                     access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID', nil),
+                     secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY', nil)
     end
   end
 end
 
+# aws_aoss_client is used to connect to AWS OpenSearch Serverless (AOSS) which has a different authentication mechanism
+# than AWS OpenSearch Service. It uses AWS SigV4 signing for authentication, and the OpenSearch::Aws::Sigv4Client is
+# specifically designed to handle this type of authentication.
+#
+# @return [OpenSearch::Aws::Sigv4Client] a client for connecting to AWS OpenSearch Serverless (AOSS)
+# @note this configuration uses temporary credentials obtained by assuming a role or via the AWS console, unlike
+# AWS OpenSearch Service which can use long-lived access keys directly.
+def aws_aoss_client
+  Rails.logger.debug "Configuring AWS AOSS client with URL: #{ENV.fetch('OPENSEARCH_URL', nil)}"
+
+  signer = Aws::Sigv4::Signer.new(
+    service: 'aoss',
+    region: ENV.fetch('AWS_REGION', nil),
+    credentials_provider: credentials
+  )
+
+  OpenSearch::Aws::Sigv4Client.new(
+    {
+      host: ENV.fetch('OPENSEARCH_URL', nil),
+      log: true
+    },
+    signer
+  )
+end
+
+def credentials
+  if ENV.fetch('AWS_SESSION_TOKEN', false).present?
+    Rails.logger.debug "Using temporary credentials with session token"
+    temporary_credentials
+  else
+    Rails.logger.debug "Using long-lived credentials and assuming role"
+    assume_role_credentials
+  end
+end
+
+# personal keys use expiring credentials with tokens, so we use them directly without assuming a role
+# application keys use long-lived credentials and assume a role to get temporary credentials for AOSS
+def temporary_credentials
+  Aws::Credentials.new(
+    ENV.fetch('AWS_ACCESS_KEY_ID', nil),
+    ENV.fetch('AWS_SECRET_ACCESS_KEY', nil),
+    ENV.fetch('AWS_SESSION_TOKEN', nil)
+  )
+end
+
+# AWS AOSS uses temporary credentials that are obtained by assuming a role. The
+# Aws::AssumeRoleCredentials class is used to get these temporary credentials. It requires the ARN of
+# the role to assume, a session name, and a client for the AWS Security Token Service (STS) which is
+# used to perform the AssumeRole operation. It uses the AWS region and access keys from the
+# environment variables to create the STS client. When the session token expires, the
+# Aws::AssumeRoleCredentials will automatically refresh the credentials by calling AssumeRole again.
+def assume_role_credentials
+  Aws::AssumeRoleCredentials.new(
+    role_arn: ENV.fetch('AWS_AOSS_ROLE_ARN', nil),
+    role_session_name: 'timdex-opensearch',
+    client: Aws::STS::Client.new(
+      region: ENV.fetch('AWS_REGION', nil),
+      access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID', nil),
+      secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY', nil)
+    )
+  )
+end
+
 Timdex::OSClient = configure_opensearch