terraform-aws-arc-opensearch

Overview

Terraform module for supporting AWS OpenSearch. Creates an admin role and outputs parameters to SSM for downstream utilization or additional automation.

Usage

See the example folder for a working module example.

################################################################################
## opensearch
################################################################################
module "opensearch" {
  source                         = "sourcefuse/arc-opensearch/aws"
  version                        = "0.1.2"
  environment                    = var.environment
  namespace                      = var.namespace
  vpc_id                         = data.aws_vpc.default.id
  create_iam_service_linked_role = false # set to false if a cluster already exists
  subnet_ids                     = local.private_subnet_ids
  availability_zones             = local.private_subnet_azs

  tags = module.tags.tags
}

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.3 |
| aws | ~> 4.0 |
| null | >= 3.2 |
| random | >= 3.4 |

Providers

| Name | Version |
|------|---------|
| aws | 4.54.0 |
| random | 3.4.3 |

Modules

| Name | Source | Version |
|------|--------|---------|
| opensearch | git::https://github.com/cloudposse/terraform-aws-elasticsearch | 0.44.0 |

Resources

| Name | Type |
|------|------|
| aws_iam_role.admin | resource |
| aws_iam_role.read_only | resource |
| aws_iam_role_policy_attachment.admin | resource |
| aws_iam_role_policy_attachment.read_only | resource |
| aws_ssm_parameter.this | resource |
| random_password.admin_password | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_iam_role_arns | List of additional IAM role ARNs to permit access to the Elasticsearch domain | list(string) | [] | no |
| admin_username | Admin username when fine-grained access control is enabled | string | "os_admin" | no |
| advanced_options | Key-value string pairs to specify advanced configuration options | map(any) | {"override_main_response_version": false, "rest.action.multi.allow_explicit_index": "true"} | no |
| advanced_security_options_enabled | AWS Elasticsearch Kibana enhanced security plugin enabling (forces new resource) | bool | true | no |
| advanced_security_options_internal_user_database_enabled | Whether to enable the internal Kibana user database for the ELK OpenDistro security plugin | bool | true | no |
| availability_zones | List of availability zones to deploy the cluster in. | list(string) | ["us-east-1a", "us-east-1b"] | no |
| cognito_authentication_enabled | Whether to enable Amazon Cognito authentication with Kibana | bool | false | no |
| cognito_iam_role_arn | ARN of the IAM role that has the AmazonESCognitoAccess policy attached | string | "" | no |
| cognito_identity_pool_id | The ID of the Cognito Identity Pool to use | string | "" | no |
| cognito_user_pool_id | The ID of the Cognito User Pool to use | string | "" | no |
| create_iam_service_linked_role | Whether to create AWSServiceRoleForAmazonElasticsearchService service-linked role. Set it to false if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | bool | true | no |
| custom_endpoint | Fully qualified domain for custom endpoint. | string | "" | no |
| custom_endpoint_certificate_arn | ACM certificate ARN for custom endpoint. | string | "" | no |
| custom_endpoint_enabled | Whether to enable custom endpoint for the Elasticsearch domain. | bool | false | no |
| custom_opensearch_password | Custom Administrator password to be assigned to var.admin_username. If undefined, it will be a randomly generated password. Does not work if var.generate_random_password is true. | string | "" | no |
| ebs_volume_size | EBS volumes for data storage in GB | number | 10 | no |
| elasticsearch_version | Version of ElasticSearch or OpenSearch to deploy (e.g. OpenSearch_2.3, OpenSearch_1.3, OpenSearch_1.2, OpenSearch_1.1, OpenSearch_1.0, 7.4, 7.1, etc.) | string | "OpenSearch_2.3" | no |
| encrypt_at_rest_enabled | Whether to enable encryption at rest | bool | true | no |
| environment | Name of the environment, i.e. dev, stage, prod | string | n/a | yes |
| generate_random_password | Generate a random password for the OpenSearch Administrator. If this value is true and var.custom_opensearch_password is defined, var.custom_opensearch_password will be ignored. | bool | true | no |
| iam_actions | List of actions to allow for the IAM roles, e.g. es:ESHttpGet, es:ESHttpPut, es:ESHttpPost | list(string) | [] | no |
| instance_count | Number of data nodes in the cluster. | number | 2 | no |
| instance_type | ElasticSearch or OpenSearch instance type for data nodes in the cluster | string | "t3.medium.elasticsearch" | no |
| kibana_subdomain_name | The name of the subdomain for Kibana in the DNS zone (e.g. kibana, ui, ui-es, search-ui, kibana.elasticsearch) | string | "" | no |
| name | Name of the OpenSearch resource | string | n/a | yes |
| namespace | Namespace of the project, i.e. arc | string | n/a | yes |
| node_to_node_encryption_enabled | Whether to enable node-to-node encryption | bool | true | no |
| security_group_ids | List of security groups to assign OpenSearch | list(string) | [] | no |
| subnet_ids | List of Subnet IDs to assign OpenSearch | list(string) | n/a | yes |
| tags | Default tags to apply to every resource | map(string) | n/a | yes |
| vpc_id | ID of the VPC where resources will be deployed to | string | n/a | yes |
| zone_awareness_enabled | Enable zone awareness for Elasticsearch cluster | bool | true | no |
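
The password and encryption inputs above interact in ways the table only hints at, so the following added example (not part of the module's own documentation or example folder) shows a module call that supplies its own admin password and pins the security-relevant inputs explicitly instead of relying on defaults. The variable `opensearch_admin_password`, the 16-character minimum, the `name` value and the reader role ARN are assumptions made for illustration, and the call assumes the module version in use exposes the inputs listed in the table.

```hcl
# Added example. All literal values below are constructed placeholders.

variable "opensearch_admin_password" {
  description = "Admin password injected from outside the repo, e.g. via TF_VAR_opensearch_admin_password"
  type        = string
  sensitive   = true # redacted in plan/apply output; the value is still written to Terraform state

  validation {
    # Assumed local policy, not a requirement stated by the module.
    condition     = length(var.opensearch_admin_password) >= 16
    error_message = "The OpenSearch admin password must be at least 16 characters."
  }
}

module "opensearch" {
  source                         = "sourcefuse/arc-opensearch/aws"
  version                        = "0.1.2"
  name                           = "example-search" # constructed value
  environment                    = var.environment
  namespace                      = var.namespace
  vpc_id                         = data.aws_vpc.default.id
  subnet_ids                     = local.private_subnet_ids
  availability_zones             = local.private_subnet_azs
  create_iam_service_linked_role = false

  # generate_random_password defaults to true, and in that case
  # custom_opensearch_password is ignored. Both must be set together.
  generate_random_password   = false
  custom_opensearch_password = var.opensearch_admin_password

  # These default to true; stating them makes a later change show up in review.
  advanced_security_options_enabled                        = true
  advanced_security_options_internal_user_database_enabled = true
  encrypt_at_rest_enabled                                  = true
  node_to_node_encryption_enabled                          = true

  # Grant the extra role read-style HTTP access only.
  additional_iam_role_arns = ["arn:aws:iam::111122223333:role/example-search-reader"] # constructed ARN
  iam_actions              = ["es:ESHttpGet"]

  tags = module.tags.tags
}
```

Because the password ends up in state whichever way it is set, the state backend needs encryption and access control at least as strict as the cluster's own.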

Outputs

| Name | Description |
|------|-------------|
| domain_arn | ARN of the OpenSearch domain |
| domain_endpoint | Domain-specific endpoint used to submit index, search, and data upload requests |
| domain_hostname | OpenSearch domain hostname to submit index, search, and data upload requests |
| domain_id | Unique identifier for the OpenSearch domain |
| kibana_endpoint | Domain-specific endpoint for Kibana without https scheme |
| kibana_hostname | Kibana hostname |
| opensearch_user_iam_role_arn | The ARN of the IAM role to allow access to OpenSearch cluster |
| opensearch_user_iam_role_name | The name of the IAM role to allow access to OpenSearch cluster |
| security_group_id | Security Group ID to control access to the OpenSearch domain |

Versioning

This project uses a .version file at the root of the repo, which the pipeline reads to create a git tag.

When you intend to commit to main, you will need to increment this version. Once the project is merged, the pipeline will kick off and tag the latest git commit.

Development

Prerequisites

Configurations

  • Configure pre-commit hooks
    pre-commit install
    

Tests

  • Tests are available in test directory
  • Configure the dependencies
    cd test/
    go mod init github.com/sourcefuse/terraform-aws-refarch-opensearch
    go get github.com/gruntwork-io/terratest/modules/terraform
    
  • Now execute the test
    go test -timeout 30m
    

Authors

This project is authored by:

  • SourceFuse ARC Team