Creates an Amazon Elasticsearch Service domain with secure defaults. This module always requires node-to-node encryption, encryption at rest, HTTPS endpoints, and use of a VPC.
module "elasticsearch_domain" {
source = "dod-iac/elasticsearch-domain/aws"
domain_name = format("app-%s-%s", var.application, var.environment)
kms_key_id = var.kms_key_id
subnet_ids = slice(module.vpc.private_subnets, 0, 1)
security_group_ids = [aws_security_group.elasticsearch.id]
tags = {
Application = var.application
Environment = var.environment
Automation = "Terraform"
}
}The IAM service-linked role for Amazon Elasticsearch Service is required before you can create a domain. If the role does not exist, then you can create the role with the following resource.
resource "aws_iam_service_linked_role" "main" {
aws_service_name = "es.amazonaws.com"
}Terraform 0.12. Pin module version to ~> 1.0.0 . Submit pull-requests to master branch.
Terraform 0.11 is not supported.
This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | ~> 3.0 |
| Name | Version |
|---|---|
| aws | ~> 3.0 |
No modules.
| Name | Type |
|---|---|
| aws_elasticsearch_domain.main | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.access_policies | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_policies | IAM policy document specifying the access policies for the domain. | string |
"" |
no |
| advanced_security_options_enabled | n/a | bool |
false |
no |
| automated_snapshot_start_hour | Hour during which the service takes an automated daily snapshot of the indices in the domain. | string |
23 |
no |
| cognito_auth_role_name | n/a | string |
"" |
no |
| cognito_enabled | n/a | bool |
false |
no |
| cognito_identity_pool_id | n/a | string |
"" |
no |
| cognito_role_arn | n/a | string |
"" |
no |
| cognito_user_pool_id | n/a | string |
"" |
no |
| domain_name | Name of the domain. | string |
n/a | yes |
| elasticsearch_version | The version of Elasticsearch to deploy. | string |
"7.7" |
no |
| instance_count | Number of instances in the cluster. | number |
1 |
no |
| instance_type | Instance type of data nodes in the cluster. | string |
"r5.large.elasticsearch" |
no |
| kibana_cognito_role_name | n/a | string |
"" |
no |
| kms_key_id | The KMS key id to encrypt the Elasticsearch domain with. If not specified then it defaults to using the aws/es service KMS key. | string |
"" |
no |
| master_user_arn | n/a | string |
"" |
no |
| security_group_ids | List of VPC Security Group IDs to be applied to the Elasticsearch domain endpoints. If omitted, the default Security Group for the VPC will be used. | list(string) |
null |
no |
| subnet_ids | List of VPC Subnet IDs for the Elasticsearch domain endpoints to be created in. | list(string) |
[] |
no |
| tags | Tags applied to the KMS key. | map(string) |
{} |
no |
| tls_security_policy | The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values: Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07. Terraform will only perform drift detection if a configuration value is provided. | string |
"Policy-Min-TLS-1-2-2019-07" |
no |
| volume_size | The size of EBS volumes attached to data nodes (in GB). Required if ebs_enabled is set to true. | number |
20 |
no |
| volume_type | The type of EBS volumes attached to data nodes. | string |
"gp2" |
no |
| Name | Description |
|---|---|
| es_arn | n/a |
| es_endpoint | n/a |