
terraform-aws-arc-opensearch¶
Module:
sourcefuse/arc-opensearch/awsRegistry: https://registry.terraform.io/modules/sourcefuse/arc-opensearch/aws
Category: Analytics / Search
Source: https://github.com/sourcefuse/terraform-aws-arc-opensearch
Tip
🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓
Overview¶
Deploys Amazon OpenSearch Service domains (managed or serverless) with VPC, encryption, fine-grained access control, and CloudWatch alarms.
Architecture¶

What It Does¶
- Managed OpenSearch domain with configurable instance type and count
- OpenSearch Serverless collections
- VPC deployment with security groups
- Encryption at rest and in transit
- Fine-grained access control with master user
- Automated snapshots and UltraWarm storage
- CloudWatch alarms for cluster health
Quickstart¶
Required Inputs¶
| Name | Type | Description |
|---|---|---|
namespace |
string |
Namespace prefix |
environment |
string |
Deployment environment |
name |
string |
Domain name suffix |
engine_version |
string |
OpenSearch version |
| ## Key Outputs |
| Name | Description |
|---|---|
domain_endpoint |
OpenSearch domain endpoint |
domain_arn |
OpenSearch domain ARN |
kibana_endpoint |
Kibana/Dashboards endpoint |
| ## Full Variable & Output Reference |
The complete inputs/outputs reference is auto-generated below.
Requirements¶
| Name | Version |
|---|---|
| terraform | >= 1.5.0 |
| aws | ~> 5.0 |
Providers¶
| Name | Version |
|---|---|
| aws | 5.74.0 |
Modules¶
| Name | Source | Version |
|---|---|---|
| opensearch | ./modules/opensearch-domain | n/a |
| opensearch_serverless | ./modules/opensearch-serverless | n/a |
Resources¶
| Name | Type |
|---|---|
| aws_caller_identity.current | data source |
Inputs¶
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_policies | Custom access policy for OpenSearch domain. If empty, default policy will be used | string |
"" |
no |
| access_policy_rules | List of rules for the access policy. | list(object({ |
[] |
no |
| advanced_security_enabled | Enable advanced security options (fine-grained access control) | bool |
false |
no |
| anonymous_auth_enabled | Enable anonymous authentication | bool |
false |
no |
| auto_software_update_enabled | Enable automatic software updates for OpenSearch | bool |
false |
no |
| auto_tune_cron_expression | Cron expression for Auto-Tune maintenance schedule | string |
"0 1 * * ?" |
no |
| auto_tune_desired_state | Desired state of Auto-Tune | string |
"ENABLED" |
no |
| auto_tune_duration_unit | Duration unit for Auto-Tune maintenance | string |
"HOURS" |
no |
| auto_tune_duration_value | Duration value for Auto-Tune maintenance | number |
1 |
no |
| auto_tune_start_at | Start time for Auto-Tune maintenance | string |
"2024-10-23T01:00:00Z" |
no |
| availability_zone_count | The number of availability zones to use for zone awareness. | number |
2 |
no |
| cognito_identity_pool_id | Cognito Identity Pool ID | string |
"" |
no |
| cognito_user_pool_id | Cognito User Pool ID | string |
"" |
no |
| create_access_policy | Flag to determine if access policy should be created. | bool |
true |
no |
| create_data_lifecycle_policy | Flag to determine if data lifecycle policy should be created. | bool |
true |
no |
| create_encryption_policy | Flag to determine if encryption policy should be created. | bool |
true |
no |
| custom_certificate_arn | ARN of the ACM certificate for the custom endpoint | string |
"" |
no |
| custom_hostname | Custom domain name for the OpenSearch endpoint | string |
"" |
no |
| data_lifecycle_policy_rules | Data lifecycle policy rules for the indices. | list(object({ |
[ |
no |
| dedicated_master_count | Number of dedicated master instances | number |
3 |
no |
| dedicated_master_enabled | Whether dedicated master is enabled | bool |
false |
no |
| dedicated_master_type | Instance type for the dedicated master node | string |
"m5.large.search" |
no |
| description | A description for the OpenSearch collection. | string |
"OpenSearch collection domain for logs and search" |
no |
| ebs_enabled | Whether EBS is enabled for the domain | bool |
true |
no |
| egress_rules | A list of egress rules for the security group. | list(object({ |
[] |
no |
| enable_auto_tune | Enable Auto-Tune for the domain | bool |
false |
no |
| enable_cognito_options | Enable Cognito authentication for the OpenSearch domain | bool |
false |
no |
| enable_custom_endpoint | Enable custom domain endpoint | bool |
false |
no |
| enable_domain_endpoint_options | Enable custom domain endpoint options for the OpenSearch domain. | bool |
false |
no |
| enable_encrypt_at_rest | Enable encryption at rest for the OpenSearch domain. | bool |
false |
no |
| enable_off_peak_window_options | Enable off-peak window options for the domain | bool |
false |
no |
| enable_public_access | Enable public access for the OpenSearch collection. If false, private access will be used. | bool |
false |
no |
| enable_serverless | Enable OpenSearch Serverless. If true, creates the serverless module; if false, creates the standard module. | bool |
false |
no |
| enable_snapshot_options | Enable snapshot options for the domain | bool |
false |
no |
| enable_vpc_options | Enable VPC options for the OpenSearch domain. | bool |
false |
no |
| enable_zone_awareness | Enable zone awareness for the OpenSearch domain. | bool |
false |
no |
| encrypt_at_rest_enabled | Enable encryption at rest | bool |
true |
no |
| enforce_https | Force HTTPS on the OpenSearch endpoint | bool |
true |
no |
| engine_version | OpenSearch or Elasticsearch engine version | string |
"OpenSearch_1.0" |
no |
| environment | Name of the environment, i.e. dev, stage, prod | string |
n/a | yes |
| ingress_rules | A list of ingress rules for the security group. | list(object({ |
[] |
no |
| instance_count | Number of instances in the cluster | number |
2 |
no |
| instance_type | Instance type for the OpenSearch domain | string |
"m5.large.search" |
no |
| internal_user_database_enabled | Enable internal user database for fine-grained access control | bool |
true |
no |
| iops | Provisioned IOPS for the volume | number |
null |
no |
| kms_key_id | KMS key ID for encryption at rest | string |
"" |
no |
| log_publishing_enabled | Whether to enable the log publishing option. | bool |
true |
no |
| log_types | List of log types to publish to CloudWatch (Valid values: INDEX_SLOW_LOGS, SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS, AUDIT_LOGS) | list(string) |
[ |
no |
| master_user_arn | The ARN of the IAM role for fine-grained access control. Required if use_iam_arn_as_master_user is true. | string |
"" |
no |
| master_user_name | Master user name for OpenSearch | string |
"admin" |
no |
| name | Name of the OpenSearch domain | string |
n/a | yes |
| namespace | Namespace of the project, i.e. arc | string |
n/a | yes |
| node_to_node_encryption_enabled | Enable node-to-node encryption | bool |
true |
no |
| off_peak_hours | Off-peak window start time (hours) | number |
0 |
no |
| off_peak_minutes | Off-peak window start time (minutes) | number |
0 |
no |
| retention_in_days | The number of days to retain log events in the log group | number |
7 |
no |
| saml_options | Configuration block for SAML options in the OpenSearch domain. | object({ |
{ |
no |
| security_group_name | Name for the security group | string |
"" |
no |
| snapshot_start_hour | Start hour for the automated snapshot | number |
0 |
no |
| subnet_ids | List of subnet IDs for the OpenSearch domain | list(string) |
[] |
no |
| tags | Tags to apply to resources | map(string) |
n/a | yes |
| throughput | Provisioned throughput for the volume | number |
null |
no |
| tls_security_policy | TLS security policy for HTTPS endpoints | string |
"Policy-Min-TLS-1-2-PFS-2023-10" |
no |
| type | The type of OpenSearch collection. | string |
"TIMESERIES" |
no |
| use_iam_arn_as_master_user | Set to true to use IAM ARN as the master user, false to create a master user. | bool |
false |
no |
| use_standby_replicas | Flag to enable or disable standby replicas. | bool |
true |
no |
| use_ultrawarm | Whether to enable UltraWarm nodes | bool |
false |
no |
| volume_size | EBS volume size in GB | number |
20 |
no |
| volume_type | EBS volume type | string |
"gp2" |
no |
| vpc_id | ID of the VPC for OpenSearch domain | string |
null |
no |
| warm_count | Number of UltraWarm instances | number |
2 |
no |
| warm_type | UltraWarm node instance type | string |
"ultrawarm1.medium.search" |
no |
| zone_awareness_enabled | Whether zone awareness is enabled | bool |
true |
no |
Outputs¶
| Name | Description |
|---|---|
| opensearch_collection_endpoint | The Endpoint of the OpenSearch collection |
| opensearch_domain_arn | The ARN of the OpenSearch domain. |
| opensearch_domain_endpoint | The endpoint of the OpenSearch domain. |
| opensearch_domain_id | The unique identifier for the OpenSearch domain. |
| opensearch_serverless_collection_arn | The ARN of the OpenSearch Serverless collection |
| opensearch_serverless_collection_id | The ID of the OpenSearch Serverless collection |
Versioning¶
This project uses a .version file at the root of the repo which the pipeline reads from and does a git tag.
When you intend to commit to main, you will need to increment this version. Once the project is merged,
the pipeline will kick off and tag the latest git commit.
Development¶
Prerequisites¶
AI Assistant Integration (ARC IaC MCP)¶
The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.
What you can do with it:
- Discover — search and filter modules by keyword or AWS resource type.
- Understand — get inputs, outputs, and resources for any module without leaving your editor.
- Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
- Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
- Compare — diff modules side-by-side to make informed architectural decisions.
Setup (one minute)¶
The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:
Claude Code CLI:
Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:
Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).
Example prompts to try¶
- "List all ARC modules sorted by downloads"
- "What inputs does
arc-ecsrequire?" - "Scaffold a production-ready
arc-dbAurora setup with Secrets Manager" - "Compare
arc-eksandarc-ecsfor running 10 microservices" - "Scan this Terraform before I raise a PR:
<paste HCL>"
See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.
Configurations¶
- Configure pre-commit hooks
Tests¶
- Tests are available in
testdirectory - Configure the dependencies
- Now execute the test
Contributing¶
See CONTRIBUTING.md for commit conventions and development setup.
Authors¶
This project is authored by:
* SourceFuse ARC Team