Initial implementation #1
README.yaml
Outdated
The subnets must be in different Availability Zones in the same region. | ||
If you don't enable zone awareness, Amazon ES places an endpoint into only one subnet | ||
|
||
Further reading: |
Move this to `references:` section
main.tf
Outdated
name = "${module.label.id}" | ||
description = "Allow inbound traffic from Security Groups and CIDRs" | ||
|
||
ingress { |
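Review bot: the inline `ingress {` block that closes this hunk should be split out into standalone `aws_security_group_rule` resources, one per source type named in the description (security groups, CIDRs). Terraform's provider documentation warns that inline rule blocks and standalone rule resources on the same security group conflict and overwrite each other, so leaving the group itself rule-free keeps callers able to attach their own rules without drift.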
Always use `aws_security_group_rule` for idempotency
README.yaml
Outdated
description: |- | ||
Terraform module to provision an [`Elasticsearch`](https://aws.amazon.com/elasticsearch-service/) cluster with built-in integrations with [Kibana](https://aws.amazon.com/elasticsearch-service/kibana/) and [Logstash](https://aws.amazon.com/elasticsearch-service/logstash/). | ||
|
||
This module will create: |
Move this to introduction
[![Cloud Posse](https://cloudposse.com/logo-300x69.svg)](https://cloudposse.com) | ||
|
||
# terraform-aws-elasticsearch [![Build Status](https://travis-ci.org/cloudposse/terraform-aws-elasticsearch.svg?branch=master)](https://travis-ci.org/cloudposse/terraform-aws-elasticsearch) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-elasticsearch.svg)](https://github.com/cloudposse/terraform-aws-elasticsearch/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) |
main.tf
Outdated
enabled = "${var.enabled == "true" && length(var.dns_zone_id) > 0 ? "true" : "false"}" | ||
namespace = "${var.namespace}" | ||
stage = "${var.stage}" | ||
name = "${format("kibana%s%s", var.delimiter, var.name)}" |
let's make `kibana` a variable that defaults to `kibana`. e.g. it could be overridden to `ui`
Actually, let's make `kibana%s%s` a variable
See inline comments
README.yaml
Outdated
- name: "es-createupdatedomains" | ||
description: "Creating and Configuring Amazon Elasticsearch Service Domains" | ||
url: "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html" | ||
- name: "es-kibana" |
Name doesn't need to be codified. It's the name (or title) of the link. We use "codified" names when referring to repositories because that's the easiest way to refer to them. In this case, I would make "Name" the title of the document and a description about why you think it's worth referencing.
README.yaml
Outdated
- "docs/terraform.md" | ||
|
||
references: | ||
- name: "what-is-amazon-elasticsearch-service" |
Don't codify
README.yaml
Outdated
- name: "what-is-amazon-elasticsearch-service" | ||
description: "What is Amazon Elasticsearch Service" | ||
url: "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/what-is-amazon-elasticsearch-service.html" | ||
- name: "es-ac" |
Don't codify.... etc...
tags = "${module.label.tags}" | ||
} | ||
|
||
resource "aws_security_group_rule" "ingress_security_groups" { |
Seems like we should distinguish between Elastic Search and Kibana.
good point.
they are separate resources and having different roles to access them would be preferable.
actually, Kibana does not support IAM.
https://forums.aws.amazon.com/thread.jspa?threadID=217149
It's a little bit complicated to set up access to Kibana.
The solution is to use a proxy for IP-based control, and Amazon Cognito for use-based control.
let's move the decision of who can access what out of the module.
Top-level modules will provide:

```hcl
variable "iam_role_arns" {
  type        = "list"
  default     = []
  description = "List of IAM role ARNs to permit access to the Elasticsearch domain"
}

variable "iam_actions" {
  type        = "list"
  default     = []
  description = "List of actions to allow for the IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost`"
}
```
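
One way the two variables proposed in the comment above could drive the domain's access policy, as an added example that is not code from this pull request or from the module. It uses the Terraform 0.11 syntax seen in this thread; the `default` resource names and the `example` domain name are assumptions made for illustration.

```hcl
# Added example: caller-supplied role ARNs and actions become the only
# principals and permissions in the domain's resource policy.

variable "iam_role_arns" {
  type    = "list"
  default = []
}

variable "iam_actions" {
  type    = "list"
  default = []
}

# Hypothetical minimal domain so the references below resolve.
resource "aws_elasticsearch_domain" "default" {
  domain_name = "example" # constructed placeholder
}

data "aws_iam_policy_document" "default" {
  statement {
    effect = "Allow"

    # Only the actions the caller listed; no "es:*" fallback.
    actions = ["${distinct(compact(var.iam_actions))}"]

    # The domain itself and every path (index, document, _plugin/...) under it.
    resources = [
      "${aws_elasticsearch_domain.default.arn}",
      "${aws_elasticsearch_domain.default.arn}/*",
    ]

    # Only the roles the caller listed; never a wildcard principal.
    principals {
      type        = "AWS"
      identifiers = ["${distinct(compact(var.iam_role_arns))}"]
    }
  }
}

# Skip the policy entirely unless both lists are non-empty, so an empty
# input cannot render a statement with no principals or no actions.
resource "aws_elasticsearch_domain_policy" "default" {
  count           = "${length(var.iam_role_arns) > 0 && length(var.iam_actions) > 0 ? 1 : 0}"
  domain_name     = "${aws_elasticsearch_domain.default.domain_name}"
  access_policies = "${data.aws_iam_policy_document.default.json}"
}
```

A read-only consumer would pass only `es:ESHttpGet` in `iam_actions`; with either list empty, no `aws_elasticsearch_domain_policy` is created.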
main.tf
Outdated
tags = "${module.label.tags}" | ||
} | ||
|
||
resource "aws_elasticsearch_domain_policy" "es_vpc_management_access" { |
from `es_` prefix as we do not need the disambiguation.
See inline comments
README.md
Outdated
- [Kibana and Logstash](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-kibana.html) - Describes some considerations for using Kibana and Logstash with Amazon Elasticsearch Service | ||
- [Amazon Cognito Authentication for Kibana](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html) - Amazon Elasticsearch Service uses Amazon Cognito to offer user name and password protection for Kibana | ||
- [elasticsearch_domain](https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain.html) - Configuration for `elasticsearch_domain` Terraform resource |
Terraform reference documentation for the `elasticsearch_domain` resource
README.md
Outdated
- [Amazon Cognito Authentication for Kibana](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html) - Amazon Elasticsearch Service uses Amazon Cognito to offer user name and password protection for Kibana | ||
- [elasticsearch_domain](https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain.html) - Configuration for `elasticsearch_domain` Terraform resource | ||
- [elasticsearch_domain_policy](https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain_policy.html) - Configuration for `elasticsearch_domain_policy` Terraform resource |
Terraform reference documentation for the `elasticsearch_domain_policy` resource
Travis is failing
Custom/removebuiltinusers
what
`Elasticsearch` cluster in a VPC with built-in `Kibana` and `Logstash`
why
`Elasticsearch` cluster with the specified node count in the provided subnets in a VPC