Terraform module for supporting AWS OpenSearch. Creates an admin role and outputs parameters to SSM for downstream utilization or additional automation.
See the `example` folder for a working module example.
```hcl
################################################################################
## opensearch
################################################################################
module "opensearch" {
  source  = "sourcefuse/arc-opensearch/aws"
  version = "0.1.2"

  environment = var.environment
  namespace   = var.namespace
  vpc_id      = data.aws_vpc.default.id

  create_iam_service_linked_role = false # set to false if a cluster already exists
  subnet_ids                     = local.private_subnet_ids
  availability_zones             = local.private_subnet_azs

  tags = module.tags.tags
}
```

Name | Version |
---|---|
terraform | ~> 1.3 |
aws | ~> 4.0 |
null | >= 3.2 |
random | >= 3.4 |

Name | Version |
---|---|
aws | 4.54.0 |
random | 3.4.3 |

Name | Source | Version |
---|---|---|
opensearch | git::https://github.com/cloudposse/terraform-aws-elasticsearch | 0.44.0 |

Name | Type |
---|---|
aws_iam_role.admin | resource |
aws_iam_role.read_only | resource |
aws_iam_role_policy_attachment.admin | resource |
aws_iam_role_policy_attachment.read_only | resource |
aws_ssm_parameter.this | resource |
random_password.admin_password | resource |

Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_iam_role_arns | List of additional IAM role ARNs to permit access to the Elasticsearch domain | list(string) | [] | no |
admin_username | Admin username when fine-grained access control is enabled | string | "os_admin" | no |
advanced_options | Key-value string pairs to specify advanced configuration options | map(any) | { | no |
advanced_security_options_enabled | AWS Elasticsearch Kibana enhanced security plugin enabling (forces new resource) | bool | true | no |
advanced_security_options_internal_user_database_enabled | Whether to enable the internal Kibana user database for the ELK OpenDistro security plugin | bool | true | no |
availability_zones | List of availability zones to deploy the cluster in. | list(string) | [ | no |
cognito_authentication_enabled | Whether to enable Amazon Cognito authentication with Kibana | bool | false | no |
cognito_iam_role_arn | ARN of the IAM role that has the AmazonESCognitoAccess policy attached | string | "" | no |
cognito_identity_pool_id | The ID of the Cognito Identity Pool to use | string | "" | no |
cognito_user_pool_id | The ID of the Cognito User Pool to use | string | "" | no |
create_iam_service_linked_role | Whether to create AWSServiceRoleForAmazonElasticsearchService service-linked role. Set it to false if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See hashicorp/terraform-provider-aws#5218 for more info | bool | true | no |
custom_endpoint | Fully qualified domain for custom endpoint. | string | "" | no |
custom_endpoint_certificate_arn | ACM certificate ARN for custom endpoint. | string | "" | no |
custom_endpoint_enabled | Whether to enable custom endpoint for the Elasticsearch domain. | bool | false | no |
custom_opensearch_password | Custom Administrator password to be assigned to `var.admin_username`. If undefined, it will be a randomly generated password. Does not work if `var.generate_random_password` is `true`. | string | "" | no |
ebs_volume_size | EBS volumes for data storage in GB | number | 10 | no |
elasticsearch_version | Version of ElasticSearch or OpenSearch to deploy (_e.g._ OpenSearch_2.3, OpenSearch_1.3, OpenSearch_1.2, OpenSearch_1.1, OpenSearch_1.0, 7.4, 7.1, etc.) | string | "OpenSearch_2.3" | no |
encrypt_at_rest_enabled | Whether to enable encryption at rest | bool | true | no |
environment | Name of the environment, i.e. dev, stage, prod | string | n/a | yes |
generate_random_password | Generate a random password for the OpenSearch Administrator. If this value is `true` and `var.custom_opensearch_password` is defined, `var.custom_opensearch_password` will be ignored. | bool | true | no |
iam_actions | List of actions to allow for the IAM roles, e.g. es:ESHttpGet, es:ESHttpPut, es:ESHttpPost | list(string) | [] | no |
instance_count | Number of data nodes in the cluster. | number | 2 | no |
instance_type | ElasticSearch or OpenSearch instance type for data nodes in the cluster | string | "t3.medium.elasticsearch" | no |
kibana_subdomain_name | The name of the subdomain for Kibana in the DNS zone (_e.g._ kibana, ui, ui-es, search-ui, kibana.elasticsearch) | string | "" | no |
name | Name of the OpenSearch resource | string | n/a | yes |
namespace | Namespace of the project, i.e. arc | string | n/a | yes |
node_to_node_encryption_enabled | Whether to enable node-to-node encryption | bool | true | no |
security_group_ids | List of security groups to assign OpenSearch | list(string) | [] | no |
subnet_ids | List of Subnet IDs to assign OpenSearch | list(string) | n/a | yes |
tags | Default tags to apply to every resource | map(string) | n/a | yes |
vpc_id | ID of the VPC where resources will be deployed to | string | n/a | yes |
zone_awareness_enabled | Enable zone awareness for Elasticsearch cluster | bool | true | no |

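
The security-relevant inputs above, set explicitly in one module call. This is an added example, not code from the module's repository: the `opensearch_admin_password` variable and the `name` value are hypothetical, and every module argument is taken from the inputs table.

```hcl
# Added example. Hypothetical: var.opensearch_admin_password and the "search" name.
variable "opensearch_admin_password" {
  description = "Admin password supplied from outside the repository (hypothetical variable)"
  type        = string
  sensitive   = true # keeps the value out of plan and apply output
}

module "opensearch" {
  source  = "sourcefuse/arc-opensearch/aws"
  version = "0.1.2"

  name        = "search" # constructed value
  environment = var.environment
  namespace   = var.namespace
  tags        = module.tags.tags

  # Placement inside the VPC, on private subnets.
  vpc_id             = data.aws_vpc.default.id
  subnet_ids         = local.private_subnet_ids
  availability_zones = local.private_subnet_azs

  create_iam_service_linked_role = false # a cluster already exists in this account

  # These are already the documented defaults; pinning them makes a later
  # change of defaults visible in review instead of silently weakening the domain.
  encrypt_at_rest_enabled                                  = true
  node_to_node_encryption_enabled                          = true
  advanced_security_options_enabled                        = true
  advanced_security_options_internal_user_database_enabled = true

  # generate_random_password defaults to true, and in that case
  # custom_opensearch_password is ignored. To supply your own password,
  # the flag has to be turned off explicitly.
  admin_username             = "os_admin"
  generate_random_password   = false
  custom_opensearch_password = var.opensearch_admin_password

  # Grant the IAM roles only the actions callers need.
  iam_actions = ["es:ESHttpGet", "es:ESHttpPost"]
}
```

Whether the password is generated or supplied, it is recorded in the Terraform state, so the state backend needs encryption and restricted access.
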
Name | Description |
---|---|
domain_arn | ARN of the OpenSearch domain |
domain_endpoint | Domain-specific endpoint used to submit index, search, and data upload requests |
domain_hostname | OpenSearch domain hostname to submit index, search, and data upload requests |
domain_id | Unique identifier for the OpenSearch domain |
kibana_endpoint | Domain-specific endpoint for Kibana without https scheme |
kibana_hostname | Kibana hostname |
opensearch_user_iam_role_arn | The ARN of the IAM role to allow access to OpenSearch cluster |
opensearch_user_iam_role_name | The name of the IAM role to allow access to OpenSearch cluster |
security_group_id | Security Group ID to control access to the OpenSearch domain |
This project uses a `.version` file at the root of the repo, which the pipeline reads to create a git tag.
When you intend to commit to `main`, you will need to increment this version. Once the project is merged,
the pipeline will kick off and tag the latest git commit.
- Configure pre-commit hooks

  ```sh
  pre-commit install
  ```

- Tests are available in the `test` directory
- Configure the dependencies

  ```sh
  cd test/
  go mod init github.com/sourcefuse/terraform-aws-refarch-opensearch
  go get github.com/gruntwork-io/terratest/modules/terraform
  ```

- Now execute the test

  ```sh
  go test -timeout 30m
  ```

This project is authored by:
- SourceFuse ARC Team