From ac8d4478556da56764fef87f494b38900baac077 Mon Sep 17 00:00:00 2001 From: Barry Tam Date: Tue, 8 Oct 2019 19:32:28 -0700 Subject: [PATCH 1/6] init commit of elasticsearch require https --- aws/resource_aws_elasticsearch_domain.go | 21 +++++++++++++++++++ .../docs/r/elasticsearch_domain.html.markdown | 1 + 2 files changed, 22 insertions(+) diff --git a/aws/resource_aws_elasticsearch_domain.go b/aws/resource_aws_elasticsearch_domain.go index 3a559c513e0d..22e4c1a42cf1 100644 --- a/aws/resource_aws_elasticsearch_domain.go +++ b/aws/resource_aws_elasticsearch_domain.go @@ -86,6 +86,11 @@ func resourceAwsElasticSearchDomain() *schema.Resource { Type: schema.TypeString, Computed: true, }, + "require_https": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, "endpoint": { Type: schema.TypeString, Computed: true, @@ -361,6 +366,12 @@ func resourceAwsElasticSearchDomainCreate(d *schema.ResourceData, meta interface input.AdvancedOptions = stringMapToPointers(v.(map[string]interface{})) } + if d.Get("require_https").(bool) { + input.DomainEndpointOptions = &elasticsearch.DomainEndpointOptions{ + EnforceHTTPS: aws.Bool(true), + } + } + if v, ok := d.GetOk("ebs_options"); ok { options := v.([]interface{}) @@ -642,6 +653,10 @@ func resourceAwsElasticSearchDomainRead(d *schema.ResourceData, meta interface{} d.Set("log_publishing_options", m) } + if ds.DomainEndpointOptions != nil && ds.DomainEndpointOptions.EnforceHTTPS { + d.Set("require_https", true) + } + d.Set("arn", ds.ARN) listOut, err := conn.ListTags(&elasticsearch.ListTagsInput{ @@ -684,6 +699,12 @@ func resourceAwsElasticSearchDomainUpdate(d *schema.ResourceData, meta interface input.AdvancedOptions = stringMapToPointers(d.Get("advanced_options").(map[string]interface{})) } + if d.HasChange("require_https") { + input.SetDomainEndpointOptions(&elasticsearch.DomainEndpointOptions{ + EnforceHTTPS: aws.Bool(d.Get("require_https").(string)), + }) + } + if d.HasChange("ebs_options") || d.HasChange("cluster_config") { options := d.Get("ebs_options").([]interface{}) diff --git a/website/docs/r/elasticsearch_domain.html.markdown b/website/docs/r/elasticsearch_domain.html.markdown index bab2fcb0c0ac..6eedf63bdd47 100644 --- a/website/docs/r/elasticsearch_domain.html.markdown +++ b/website/docs/r/elasticsearch_domain.html.markdown @@ -223,6 +223,7 @@ The following arguments are supported: * `vpc_options` - (Optional) VPC related options, see below. Adding or removing this configuration forces a new resource ([documentation](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-vpc-limitations)). * `log_publishing_options` - (Optional) Options for publishing slow logs to CloudWatch Logs. * `elasticsearch_version` - (Optional) The version of Elasticsearch to deploy. Defaults to `1.5` +* `require_https` - (Optional) Whether the Elasticsearch domain requires HTTPS to connect * `tags` - (Optional) A mapping of tags to assign to the resource **ebs_options** supports the following attributes: From 4a2e0509cf23ecd8fe20e703406f3784fd47b209 Mon Sep 17 00:00:00 2001 From: Barry Tam Date: Wed, 9 Oct 2019 10:27:53 -0700 Subject: [PATCH 2/6] adding tests --- aws/resource_aws_elasticsearch_domain.go | 8 ++-- aws/resource_aws_elasticsearch_domain_test.go | 39 +++++++++++++++++++ go.mod | 2 +- go.sum | 4 +- 4 files changed, 46 insertions(+), 7 deletions(-) diff --git a/aws/resource_aws_elasticsearch_domain.go b/aws/resource_aws_elasticsearch_domain.go index 22e4c1a42cf1..d8b1e7c5d7d0 100644 --- a/aws/resource_aws_elasticsearch_domain.go +++ b/aws/resource_aws_elasticsearch_domain.go @@ -367,9 +367,9 @@ func resourceAwsElasticSearchDomainCreate(d *schema.ResourceData, meta interface } if d.Get("require_https").(bool) { - input.DomainEndpointOptions = &elasticsearch.DomainEndpointOptions{ + input.SetDomainEndpointOptions(&elasticsearch.DomainEndpointOptions{ EnforceHTTPS: aws.Bool(true), - } + }) } if v, ok := d.GetOk("ebs_options"); ok { @@ -653,7 +653,7 @@ func resourceAwsElasticSearchDomainRead(d *schema.ResourceData, meta interface{} d.Set("log_publishing_options", m) } - if ds.DomainEndpointOptions != nil && ds.DomainEndpointOptions.EnforceHTTPS { + if *ds.DomainEndpointOptions.EnforceHTTPS { d.Set("require_https", true) } @@ -701,7 +701,7 @@ func resourceAwsElasticSearchDomainUpdate(d *schema.ResourceData, meta interface if d.HasChange("require_https") { input.SetDomainEndpointOptions(&elasticsearch.DomainEndpointOptions{ - EnforceHTTPS: aws.Bool(d.Get("require_https").(string)), + EnforceHTTPS: aws.Bool(d.Get("require_https").(bool)), }) } diff --git a/aws/resource_aws_elasticsearch_domain_test.go b/aws/resource_aws_elasticsearch_domain_test.go index 47e395b4fa8d..1a346c037e74 100644 --- a/aws/resource_aws_elasticsearch_domain_test.go +++ b/aws/resource_aws_elasticsearch_domain_test.go @@ -77,6 +77,30 @@ func TestAccAWSElasticSearchDomain_basic(t *testing.T) { }) } +func TestAccAWSElasticSearchDomain_RequireHTTPS(t *testing.T) { + var domain elasticsearch.ElasticsearchDomainStatus + ri := acctest.RandInt() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckESDomainDestroy, + Steps: []resource.TestStep{ + { + Config: testAccESDomainConfig_RequireHTTPS(ri), + Check: resource.ComposeTestCheckFunc( + testAccCheckESDomainExists("aws_elasticsearch_domain.example", &domain), + resource.TestCheckResourceAttr( + "aws_elasticsearch_domain.example", "elasticsearch_version", "1.5"), + resource.TestMatchResourceAttr("aws_elasticsearch_domain.example", "kibana_endpoint", regexp.MustCompile(".*es.amazonaws.com/_plugin/kibana/")), + resource.TestCheckResourceAttr( + "aws_elasticsearch_domain.example", "require_https", "true"), + ), + }, + }, + }) +} + func TestAccAWSElasticSearchDomain_ClusterConfig_ZoneAwarenessConfig(t *testing.T) { var domain1, domain2, domain3, domain4 elasticsearch.ElasticsearchDomainStatus rName := acctest.RandomWithPrefix("tf-acc-test")[:28] @@ -807,6 +831,21 @@ resource "aws_elasticsearch_domain" "example" { `, randInt) } +func testAccESDomainConfig_RequireHTTPS(randInt int) string { + return fmt.Sprintf(` +resource "aws_elasticsearch_domain" "example" { + domain_name = "tf-test-%d" + + require_https = true + + ebs_options { + ebs_enabled = true + volume_size = 10 + } +} +`, randInt) +} + func testAccESDomainConfig_ClusterConfig_ZoneAwarenessConfig_AvailabilityZoneCount(rName string, availabilityZoneCount int) string { return fmt.Sprintf(` resource "aws_elasticsearch_domain" "test" { diff --git a/go.mod b/go.mod index d460238f0a3b..774357b95c65 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.13 require ( github.com/apparentlymart/go-dump v0.0.0-20190214190832-042adf3cf4a0 // indirect - github.com/aws/aws-sdk-go v1.25.4 + github.com/aws/aws-sdk-go v1.25.8 github.com/beevik/etree v1.1.0 github.com/bflad/tfproviderlint v0.5.0 github.com/client9/misspell v0.3.4 diff --git a/go.sum b/go.sum index beb483b293f6..c4a7be230383 100644 --- a/go.sum +++ b/go.sum @@ -36,8 +36,8 @@ github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgI github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM= github.com/aws/aws-sdk-go v1.19.39/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.25.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.25.4 h1:exwxtR517g6OKm2rtAD5EANtjbzmnjEAco189zy/Uhc= -github.com/aws/aws-sdk-go v1.25.4/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.25.8 h1:n7I+HUUXjun2CsX7JK+1hpRIkZrlKhd3nayeb+Xmavs= +github.com/aws/aws-sdk-go v1.25.8/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs= github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= From d880754cc023f3c8507c814a4a5aa0b18d3ce09d Mon Sep 17 00:00:00 2001 From: Barry Tam Date: Sat, 9 Nov 2019 18:37:35 -0800 Subject: [PATCH 3/6] removing default value --- aws/resource_aws_elasticsearch_domain.go | 1 - 1 file changed, 1 deletion(-) diff --git a/aws/resource_aws_elasticsearch_domain.go b/aws/resource_aws_elasticsearch_domain.go index d8b1e7c5d7d0..000c23a4b740 100644 --- a/aws/resource_aws_elasticsearch_domain.go +++ b/aws/resource_aws_elasticsearch_domain.go @@ -89,7 +89,6 @@ func resourceAwsElasticSearchDomain() *schema.Resource { "require_https": { Type: schema.TypeBool, Optional: true, - Default: false, }, "endpoint": { Type: schema.TypeString, From 863138c9203b63effb2dd7fba5832a0d5a811281 Mon Sep 17 00:00:00 2001 From: Barry Tam Date: Fri, 6 Dec 2019 12:03:46 -0800 Subject: [PATCH 4/6] domain endpoint options --- aws/resource_aws_elasticsearch_domain.go | 68 ++++++++++++++++--- aws/resource_aws_elasticsearch_domain_test.go | 20 +++++- .../docs/r/elasticsearch_domain.html.markdown | 7 +- 3 files changed, 81 insertions(+), 14 deletions(-) diff --git a/aws/resource_aws_elasticsearch_domain.go b/aws/resource_aws_elasticsearch_domain.go index 000c23a4b740..8ee60c839588 100644 --- a/aws/resource_aws_elasticsearch_domain.go +++ b/aws/resource_aws_elasticsearch_domain.go @@ -86,9 +86,24 @@ func resourceAwsElasticSearchDomain() *schema.Resource { Type: schema.TypeString, Computed: true, }, - "require_https": { - Type: schema.TypeBool, + "domain_endpoint_options": { + Type: schema.TypeList, Optional: true, + Computed: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "require_https": { + Type: schema.TypeBool, + Required: true, + }, + "tls_security_policy": { + Type: schema.TypeString, + Optional: true, + Default: "Policy-Min-TLS-1-2-2019-07", + }, + }, + }, }, "endpoint": { Type: schema.TypeString, @@ -365,12 +380,6 @@ func resourceAwsElasticSearchDomainCreate(d *schema.ResourceData, meta interface input.AdvancedOptions = stringMapToPointers(v.(map[string]interface{})) } - if d.Get("require_https").(bool) { - input.SetDomainEndpointOptions(&elasticsearch.DomainEndpointOptions{ - EnforceHTTPS: aws.Bool(true), - }) - } - if v, ok := d.GetOk("ebs_options"); ok { options := v.([]interface{}) @@ -453,6 +462,26 @@ func resourceAwsElasticSearchDomainCreate(d *schema.ResourceData, meta interface } } + if v, ok := d.GetOk("domain_endpoint_options"); ok { + options := v.([]interface{}) + + if len(options) == 1 { + if options[0] == nil { + return fmt.Errorf("At least one field is expected inside domain_endpoint_options") + } + + s := options[0].(map[string]interface{}) + domainOptions := elasticsearch.DomainEndpointOptions{} + if requireHTTPS, ok := s["require_https"]; ok { + domainOptions.EnforceHTTPS = aws.Bool(requireHTTPS.(bool)) + } + if tls, ok := s["tls_security_policy"]; ok { + domainOptions.TLSSecurityPolicy = aws.String(tls.(string)) + } + input.SetDomainEndpointOptions(&domainOptions) + } + } + if v, ok := d.GetOk("cognito_options"); ok { input.CognitoOptions = expandESCognitoOptions(v.([]interface{})) } @@ -652,8 +681,11 @@ func resourceAwsElasticSearchDomainRead(d *schema.ResourceData, meta interface{} d.Set("log_publishing_options", m) } - if *ds.DomainEndpointOptions.EnforceHTTPS { - d.Set("require_https", true) + if ds.DomainEndpointOptions != nil { + m := make(map[string]interface{}) + m["require_https"] = ds.DomainEndpointOptions.EnforceHTTPS + m["tls_security_policy"] = ds.DomainEndpointOptions.TLSSecurityPolicy + d.Set("domain_endpoint_options", m) } d.Set("arn", ds.ARN) @@ -704,6 +736,22 @@ func resourceAwsElasticSearchDomainUpdate(d *schema.ResourceData, meta interface }) } + if d.HasChange("domain_endpoint_options") { + options := d.Get("domain_endpoint_options").([]interface{}) + + if len(options) == 1 { + s := options[0].(map[string]interface{}) + domainOptions := elasticsearch.DomainEndpointOptions{} + if requireHTTPS, ok := s["require_https"]; ok { + domainOptions.EnforceHTTPS = aws.Bool(requireHTTPS.(bool)) + } + if tls, ok := s["tls_security_policy"]; ok { + domainOptions.TLSSecurityPolicy = aws.String(tls.(string)) + } + input.SetDomainEndpointOptions(&domainOptions) + } + } + if d.HasChange("ebs_options") || d.HasChange("cluster_config") { options := d.Get("ebs_options").([]interface{}) diff --git a/aws/resource_aws_elasticsearch_domain_test.go b/aws/resource_aws_elasticsearch_domain_test.go index 75262dc3eb8b..0d77e23f27c4 100644 --- a/aws/resource_aws_elasticsearch_domain_test.go +++ b/aws/resource_aws_elasticsearch_domain_test.go @@ -100,11 +100,10 @@ func TestAccAWSElasticSearchDomain_RequireHTTPS(t *testing.T) { Config: testAccESDomainConfig_RequireHTTPS(ri), Check: resource.ComposeTestCheckFunc( testAccCheckESDomainExists("aws_elasticsearch_domain.example", &domain), + testAccCheckESDomainEndpointOptions(true, "Policy-Min-TLS-1-2-2019-07", &domain), resource.TestCheckResourceAttr( "aws_elasticsearch_domain.example", "elasticsearch_version", "1.5"), resource.TestMatchResourceAttr("aws_elasticsearch_domain.example", "kibana_endpoint", regexp.MustCompile(".*es.amazonaws.com/_plugin/kibana/")), - resource.TestCheckResourceAttr( - "aws_elasticsearch_domain.example", "require_https", "true"), ), }, }, @@ -783,6 +782,19 @@ func TestAccAWSElasticSearchDomain_update_version(t *testing.T) { }}) } +func testAccCheckESDomainEndpointOptions(enforceHTTPS bool, tls string, status *elasticsearch.ElasticsearchDomainStatus) resource.TestCheckFunc { + return func(s *terraform.State) error { + options := status.DomainEndpointOptions + if *options.EnforceHTTPS != enforceHTTPS { + return fmt.Errorf("EnforceHTTPS differ. Given: %t, Expected: %t", *options.EnforceHTTPS, enforceHTTPS) + } + if *options.TLSSecurityPolicy != tls { + return fmt.Errorf("TLSSecurityPolicy differ. Given: %s, Expected: %s", *options.TLSSecurityPolicy, tls) + } + return nil + } +} + func testAccCheckESNumberOfSecurityGroups(numberOfSecurityGroups int, status *elasticsearch.ElasticsearchDomainStatus) resource.TestCheckFunc { return func(s *terraform.State) error { count := len(status.VPCOptions.SecurityGroupIds) @@ -1005,7 +1017,9 @@ func testAccESDomainConfig_RequireHTTPS(randInt int) string { resource "aws_elasticsearch_domain" "example" { domain_name = "tf-test-%d" - require_https = true + domain_endpoint_options { + require_https = true + } ebs_options { ebs_enabled = true diff --git a/website/docs/r/elasticsearch_domain.html.markdown b/website/docs/r/elasticsearch_domain.html.markdown index f63686e275e1..a14897a129ba 100644 --- a/website/docs/r/elasticsearch_domain.html.markdown +++ b/website/docs/r/elasticsearch_domain.html.markdown @@ -224,7 +224,7 @@ The following arguments are supported: * `vpc_options` - (Optional) VPC related options, see below. Adding or removing this configuration forces a new resource ([documentation](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-vpc-limitations)). * `log_publishing_options` - (Optional) Options for publishing slow logs to CloudWatch Logs. * `elasticsearch_version` - (Optional) The version of Elasticsearch to deploy. Defaults to `1.5` -* `require_https` - (Optional) Whether the Elasticsearch domain requires HTTPS to connect +* `domain_endpoint_options` - (Optional) Domain endpoint HTTP(S) related options. See below. * `tags` - (Optional) A mapping of tags to assign to the resource **ebs_options** supports the following attributes: @@ -241,6 +241,11 @@ The following arguments are supported: * `enabled` - (Required) Whether to enable encryption at rest. If the `encrypt_at_rest` block is not provided then this defaults to `false`. * `kms_key_id` - (Optional) The KMS key id to encrypt the Elasticsearch domain with. If not specified then it defaults to using the `aws/es` service KMS key. +**domain_endpoint_options** supports the following attributes: + +* `require_https` - (Required) wether or not to require HTTPS +* `tls_security_policy` - (Optional) the TLS security policy that needs to be applied to the HTTPS endpoint. Defaults to `Policy-Min-TLS-1-2-2019-07` + **cluster_config** supports the following attributes: * `instance_type` - (Optional) Instance type of data nodes in the cluster. From 5860909124b83abcbd176fcc2fd2d9b39264261d Mon Sep 17 00:00:00 2001 From: Barry Tam Date: Sun, 26 Jan 2020 14:45:58 -0800 Subject: [PATCH 5/6] PR review changes --- aws/resource_aws_elasticsearch_domain.go | 53 ++++--------------- aws/resource_aws_elasticsearch_domain_test.go | 33 ++++++++---- aws/structure.go | 32 +++++++++++ .../docs/r/elasticsearch_domain.html.markdown | 6 +-- 4 files changed, 67 insertions(+), 57 deletions(-) diff --git a/aws/resource_aws_elasticsearch_domain.go b/aws/resource_aws_elasticsearch_domain.go index 8ee60c839588..867ad820e4f3 100644 --- a/aws/resource_aws_elasticsearch_domain.go +++ b/aws/resource_aws_elasticsearch_domain.go @@ -93,14 +93,18 @@ func resourceAwsElasticSearchDomain() *schema.Resource { MaxItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ - "require_https": { + "enforce_https": { Type: schema.TypeBool, Required: true, }, "tls_security_policy": { Type: schema.TypeString, Optional: true, - Default: "Policy-Min-TLS-1-2-2019-07", + Computed: true, + ValidateFunc: validation.StringInSlice([]string{ + elasticsearch.TLSSecurityPolicyPolicyMinTls10201907, + elasticsearch.TLSSecurityPolicyPolicyMinTls12201907, + }, false), }, }, }, @@ -463,23 +467,7 @@ func resourceAwsElasticSearchDomainCreate(d *schema.ResourceData, meta interface } if v, ok := d.GetOk("domain_endpoint_options"); ok { - options := v.([]interface{}) - - if len(options) == 1 { - if options[0] == nil { - return fmt.Errorf("At least one field is expected inside domain_endpoint_options") - } - - s := options[0].(map[string]interface{}) - domainOptions := elasticsearch.DomainEndpointOptions{} - if requireHTTPS, ok := s["require_https"]; ok { - domainOptions.EnforceHTTPS = aws.Bool(requireHTTPS.(bool)) - } - if tls, ok := s["tls_security_policy"]; ok { - domainOptions.TLSSecurityPolicy = aws.String(tls.(string)) - } - input.SetDomainEndpointOptions(&domainOptions) - } + input.DomainEndpointOptions = expandESDomainEndpointOptions(v.([]interface{})) } if v, ok := d.GetOk("cognito_options"); ok { @@ -681,11 +669,8 @@ func resourceAwsElasticSearchDomainRead(d *schema.ResourceData, meta interface{} d.Set("log_publishing_options", m) } - if ds.DomainEndpointOptions != nil { - m := make(map[string]interface{}) - m["require_https"] = ds.DomainEndpointOptions.EnforceHTTPS - m["tls_security_policy"] = ds.DomainEndpointOptions.TLSSecurityPolicy - d.Set("domain_endpoint_options", m) + if err := d.Set("domain_endpoint_options", flattenESDomainEndpointOptions(ds.DomainEndpointOptions)); err != nil { + return fmt.Errorf("error setting domain_endpoint_options: %s", err) } d.Set("arn", ds.ARN) @@ -730,26 +715,8 @@ func resourceAwsElasticSearchDomainUpdate(d *schema.ResourceData, meta interface input.AdvancedOptions = stringMapToPointers(d.Get("advanced_options").(map[string]interface{})) } - if d.HasChange("require_https") { - input.SetDomainEndpointOptions(&elasticsearch.DomainEndpointOptions{ - EnforceHTTPS: aws.Bool(d.Get("require_https").(bool)), - }) - } - if d.HasChange("domain_endpoint_options") { - options := d.Get("domain_endpoint_options").([]interface{}) - - if len(options) == 1 { - s := options[0].(map[string]interface{}) - domainOptions := elasticsearch.DomainEndpointOptions{} - if requireHTTPS, ok := s["require_https"]; ok { - domainOptions.EnforceHTTPS = aws.Bool(requireHTTPS.(bool)) - } - if tls, ok := s["tls_security_policy"]; ok { - domainOptions.TLSSecurityPolicy = aws.String(tls.(string)) - } - input.SetDomainEndpointOptions(&domainOptions) - } + input.DomainEndpointOptions = expandESDomainEndpointOptions(d.Get("domain_endpoint_options").([]interface{})) } if d.HasChange("ebs_options") || d.HasChange("cluster_config") { diff --git a/aws/resource_aws_elasticsearch_domain_test.go b/aws/resource_aws_elasticsearch_domain_test.go index 0d77e23f27c4..d3578559e054 100644 --- a/aws/resource_aws_elasticsearch_domain_test.go +++ b/aws/resource_aws_elasticsearch_domain_test.go @@ -97,13 +97,23 @@ func TestAccAWSElasticSearchDomain_RequireHTTPS(t *testing.T) { CheckDestroy: testAccCheckESDomainDestroy, Steps: []resource.TestStep{ { - Config: testAccESDomainConfig_RequireHTTPS(ri), + Config: testAccESDomainConfig_DomainEndpointOptions(ri, true, "Policy-Min-TLS-1-0-2019-07"), + Check: resource.ComposeTestCheckFunc( + testAccCheckESDomainExists("aws_elasticsearch_domain.example", &domain), + testAccCheckESDomainEndpointOptions(true, "Policy-Min-TLS-1-0-2019-07", &domain), + ), + }, + { + ResourceName: "aws_elasticsearch_domain.example", + ImportState: true, + ImportStateId: resourceId, + ImportStateVerify: true, + }, + { + Config: testAccESDomainConfig_DomainEndpointOptions(ri, true, "Policy-Min-TLS-1-2-2019-07"), Check: resource.ComposeTestCheckFunc( testAccCheckESDomainExists("aws_elasticsearch_domain.example", &domain), testAccCheckESDomainEndpointOptions(true, "Policy-Min-TLS-1-2-2019-07", &domain), - resource.TestCheckResourceAttr( - "aws_elasticsearch_domain.example", "elasticsearch_version", "1.5"), - resource.TestMatchResourceAttr("aws_elasticsearch_domain.example", "kibana_endpoint", regexp.MustCompile(".*es.amazonaws.com/_plugin/kibana/")), ), }, }, @@ -1012,21 +1022,22 @@ resource "aws_elasticsearch_domain" "test" { `, randInt) } -func testAccESDomainConfig_RequireHTTPS(randInt int) string { +func testAccESDomainConfig_DomainEndpointOptions(randInt int, enforceHttps bool, tlsSecurityPolicy string) string { return fmt.Sprintf(` resource "aws_elasticsearch_domain" "example" { - domain_name = "tf-test-%d" - - domain_endpoint_options { - require_https = true - } + domain_name = "tf-test-%[1]d" + + domain_endpoint_options { + enforce_https = %[2]t + tls_security_policy = %[3]q + } ebs_options { ebs_enabled = true volume_size = 10 } } -`, randInt) +`, randInt, enforceHttps, tlsSecurityPolicy) } func testAccESDomainConfig_ClusterConfig_ZoneAwarenessConfig_AvailabilityZoneCount(rName string, availabilityZoneCount int) string { diff --git a/aws/structure.go b/aws/structure.go index 69c32f9c069d..f4e35e92355a 100644 --- a/aws/structure.go +++ b/aws/structure.go @@ -1313,6 +1313,38 @@ func flattenESCognitoOptions(c *elasticsearch.CognitoOptions) []map[string]inter return []map[string]interface{}{m} } +func expandESDomainEndpointOptions(l []interface{}) *elasticsearch.DomainEndpointOptions { + if len(l) == 0 || l[0] == nil { + return nil + } + + m := l[0].(map[string]interface{}) + domainEndpointOptions := &elasticsearch.DomainEndpointOptions{} + + if v, ok := m["enforce_https"].(bool); ok { + domainEndpointOptions.EnforceHTTPS = aws.Bool(v) + } + + if v, ok := m["tls_security_policy"].(string); ok { + domainEndpointOptions.TLSSecurityPolicy = aws.String(v) + } + + return domainEndpointOptions +} + +func flattenESDomainEndpointOptions(domainEndpointOptions *elasticsearch.DomainEndpointOptions) []interface{} { + if domainEndpointOptions == nil { + return nil + } + + m := map[string]interface{}{ + "enforce_https": aws.BoolValue(domainEndpointOptions.EnforceHTTPS), + "tls_security_policy": aws.StringValue(domainEndpointOptions.TLSSecurityPolicy), + } + + return []interface{}{m} +} + func flattenESSnapshotOptions(snapshotOptions *elasticsearch.SnapshotOptions) []map[string]interface{} { if snapshotOptions == nil { return []map[string]interface{}{} diff --git a/website/docs/r/elasticsearch_domain.html.markdown b/website/docs/r/elasticsearch_domain.html.markdown index a14897a129ba..173def4da0b8 100644 --- a/website/docs/r/elasticsearch_domain.html.markdown +++ b/website/docs/r/elasticsearch_domain.html.markdown @@ -224,7 +224,7 @@ The following arguments are supported: * `vpc_options` - (Optional) VPC related options, see below. Adding or removing this configuration forces a new resource ([documentation](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-vpc-limitations)). * `log_publishing_options` - (Optional) Options for publishing slow logs to CloudWatch Logs. * `elasticsearch_version` - (Optional) The version of Elasticsearch to deploy. Defaults to `1.5` -* `domain_endpoint_options` - (Optional) Domain endpoint HTTP(S) related options. See below. +* `enforce_httpsnt_options` - (Optional) Domain endpoint HTTP(S) related options. See below. * `tags` - (Optional) A mapping of tags to assign to the resource **ebs_options** supports the following attributes: @@ -243,8 +243,8 @@ The following arguments are supported: **domain_endpoint_options** supports the following attributes: -* `require_https` - (Required) wether or not to require HTTPS -* `tls_security_policy` - (Optional) the TLS security policy that needs to be applied to the HTTPS endpoint. Defaults to `Policy-Min-TLS-1-2-2019-07` +* `require_https` - (Required) Whether or not to require HTTPS +* `tls_security_policy` - (Optional) The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values: `Policy-Min-TLS-1-0-2019-07` and `Policy-Min-TLS-1-2-2019-07`. Terraform will only perform drift detection if a configuration value is provided. **cluster_config** supports the following attributes: From b34fb97804c7c2de19a6bc2b1500ef939277115a Mon Sep 17 00:00:00 2001 From: Barry Tam Date: Mon, 27 Jan 2020 09:47:22 -0800 Subject: [PATCH 6/6] fixing tests --- aws/resource_aws_elasticsearch_domain_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/aws/resource_aws_elasticsearch_domain_test.go b/aws/resource_aws_elasticsearch_domain_test.go index d3578559e054..23607c88a471 100644 --- a/aws/resource_aws_elasticsearch_domain_test.go +++ b/aws/resource_aws_elasticsearch_domain_test.go @@ -90,6 +90,7 @@ func TestAccAWSElasticSearchDomain_basic(t *testing.T) { func TestAccAWSElasticSearchDomain_RequireHTTPS(t *testing.T) { var domain elasticsearch.ElasticsearchDomainStatus ri := acctest.RandInt() + resourceId := fmt.Sprintf("tf-test-%d", ri) resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) },