dod-iac/terraform-aws-opensearch-domain

Usage

Creates an Amazon OpenSearch Service domain with secure defaults. This module always requires node-to-node encryption, encryption at rest, HTTPS endpoints, and use of a VPC.

module "opensearch_kms_key" {
  source = "dod-iac/opensearch-kms-key/aws"

  name        = format("alias/app-%s-opensearch-%s", var.application, var.environment)
  description = format("A KMS key used to encrypt data in Amazon OpenSearch Service for %s:%s.", var.application, var.environment)
  principals  = ["*"]
  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}

module "opensearch_domain" {
  source = "dod-iac/opensearch-domain/aws"

  name                = format("app-%s-%s", var.application, var.environment)
  kms_key_arn         = module.opensearch_kms_key.aws_kms_key_arn
  ingress_cidr_blocks = ["0.0.0.0/0"]
  subnet_ids          = slice(module.vpc.private_subnets, 0, 1)
  vpc_id              = module.vpc.vpc_id
  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}

The IAM service-linked role for Amazon OpenSearch Service must exist before you can create a domain. If the role does not exist yet, you can create it with the following resource.

resource "aws_iam_service_linked_role" "main" {
  aws_service_name = "opensearchservice.amazonaws.com"
}

Terraform Version

Terraform 0.13. Pin the module version to ~> 1.0.0. Submit pull requests to the main branch.

Terraform 0.11 and 0.12 are not supported.

License

This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | >= 4.26.0, < 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.26.0, < 5.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_opensearch_domain.main | resource |
| aws_security_group.main | resource |
| aws_security_group_rule.egress | resource |
| aws_security_group_rule.ingress_cidr_blocks | resource |
| aws_security_group_rule.ingress_security_groups | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.access_policies | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| access_policies | IAM policy document specifying the access policies for the domain. If not specified, then access is open to all principals. | string | "" | no |
| automated_snapshot_start_hour | Hour during which the service takes an automated daily snapshot of the indices in the domain. | string | 23 | no |
| cold_enabled | Enable cold storage for the domain to store infrequently accessed or historical data. Requires dedicated_master_enabled and warm_enabled to also be true. | bool | false | no |
| dedicated_master_count | Number of dedicated master nodes in the cluster. The value must be the number 3 or 5. For production domains, 3 is recommended. | number | 3 | no |
| dedicated_master_enabled | Use dedicated master nodes with the Amazon OpenSearch Service domain. | bool | false | no |
| dedicated_master_instance_type | Instance type of the dedicated master nodes in the cluster. If not provided, then defaults to the value of the "instance_type" variable. | string | "" | no |
| engine_version | Either Elasticsearch_X.Y or OpenSearch_X.Y to specify the engine version for the Amazon OpenSearch Service domain. For example, OpenSearch_1.3 or Elasticsearch_7.9. | string | "OpenSearch_1.3" | no |
| fielddata_cache_size | Specifies the percentage of heap space that is allocated to fielddata. The value must be a number between 0 and 100. | number | 20 | no |
| ingress_cidr_blocks | A list of CIDR blocks to allow access to the Amazon OpenSearch Service domain. Use ["0.0.0.0/0"] to allow all connections within the VPC. | list(string) | [] | no |
| ingress_security_groups | A list of EC2 security groups to allow access to the Amazon OpenSearch Service domain. | list(string) | [] | no |
| instance_count | Number of instances in the cluster. | number | 1 | no |
| instance_type | Instance type of data nodes in the cluster. | string | "r6g.large.search" | no |
| kms_key_arn | The KMS key ARN to encrypt the Amazon OpenSearch Service domain with. If not specified, then it defaults to using the AWS-managed aws/es key. | string | "" | no |
| max_clause_count | Specifies the maximum number of allowed boolean clauses in a query. The number must be between 1 and 2147483647. | number | 1024 | no |
| name | Name of the Amazon OpenSearch Service domain. | string | n/a | yes |
| security_group_name | The name of the EC2 security group used by the Amazon OpenSearch Service domain. Defaults to opensearch-[name]. | string | "" | no |
| subnet_ids | List of VPC Subnet IDs for the Amazon OpenSearch Service domain endpoints to be created in. | list(string) | [] | no |
| tags | Tags applied to the Amazon OpenSearch Service domain. | map(string) | {} | no |
| tls_security_policy | The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values: Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07. | string | "Policy-Min-TLS-1-2-2019-07" | no |
| volume_iops | Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the gp3 volume type. Valid values are between 3000 and 16000. | number | 3000 | no |
| volume_size | The size of EBS volumes attached to data nodes (in GB). | number | 20 | no |
| volume_throughput | Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type. Valid values are between 125 and 1000. | number | 125 | no |
| volume_type | The type of EBS volumes attached to data nodes. | string | "gp3" | no |
| vpc_id | The ID of the VPC that the security group for the Amazon OpenSearch Service domain will be associated with. | string | n/a | yes |
| warm_count | Number of warm nodes in the cluster. Valid values are between 2 and 150. | number | 3 | no |
| warm_enabled | Enable UltraWarm data nodes for the domain to economically retain large amounts of data. | bool | false | no |
| warm_instance_type | Instance type for the domain's warm nodes. Valid values are ultrawarm1.medium.search, ultrawarm1.large.search and ultrawarm1.xlarge.search. | string | "ultrawarm1.medium.search" | no |

Outputs

| Name | Description |
|------|-------------|
| arn | The ARN of the Amazon OpenSearch Service domain. |
| endpoint | Domain-specific endpoint used to submit index, search, and data upload requests. |
| id | The id of the Amazon OpenSearch Service domain. |
| kibana_endpoint | Domain-specific endpoint for kibana without https scheme. |
| name | The name of the Amazon OpenSearch Service domain. |