-
Unfortunately, I don't have time to create an appropriate
README
and different examples of usage for this module currently. -
You can find
actual
examples of usage in the rootexamples/complete
folder (now available only forVPC configuration
). Keep in mind they show implementation withTerragrunt
. -
I'm open to community contributions 🤗 Don't hesitate to create
Issues
orPull requests
!
Forked from https://github.com/cyberlabrs/terraform-aws-opensearch
No requirements.
Name | Version |
---|---|
aws | >= 4.52.0 |
random | >= 3.4.3 |
time | >= 0.9.1 |
OpenSearch with basic setup with domain level access policy
module "opensearch" {
source = "cyberlabrs/opensearch/aws"
name = "basic-os"
region = "eu-central-1"
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"AWS" : ["arn:aws:iam::acc-number:role/xxx"]
},
"Action" : "es:*",
"Resource" : "arn:aws:es:region:acc-number:domain/domain-name/*"
}
]
})
}
OpenSearch with basic setup with fine grained access control with default policy with internal_user enabled
module "opensearch" {
source = "cyberlabrs/opensearch/aws"
name = "basic-os"
region = "eu-central-1"
advanced_security_options_enabled = true
default_policy_for_fine_grained_access_control = true
internal_user_database_enabled = true
node_to_node_encryption = true
encrypt_at_rest = {
enabled = true
}
}
OpenSearch with basic setup with fine grained access control with default policy with internal_user enabled inside VPC
module "opensearch" {
source = "cyberlabrs/opensearch/aws"
name = "vpc-os"
region = "eu-central-1"
advanced_security_options_enabled = true
default_policy_for_fine_grained_access_control = true
internal_user_database_enabled = true
inside_vpc = true
vpc = "vpc-xxxxxxxx"
subnet_ids = ["subnet-1xxx", "subnet-2xxx"]
allowed_cidrs = ["xxxxxx"]
node_to_node_encryption = true
encrypt_at_rest = {
enabled = true
}
}
OpenSearch with basic setup with fine grained access control with Cognito authentication (need to go to AWS Cognito User Pool to create a new user to login to Dashboard)
module "opensearch" {
source = "cyberlabrs/opensearch/aws"
name = "basic-os"
region = "eu-central-1"
advanced_security_options_enabled = true
default_policy_for_fine_grained_access_control = true
cognito_enabled = true
node_to_node_encryption = true
encrypt_at_rest = {
enabled = true
}
# custom endpoint if needed
custom_endpoint = "xxxxxx"
custom_endpoint_enabled = true
custom_endpoint_certificate_arn = "xxxx"
# route53 zone if needed
zone_id = "zone_id"
}
No modules.
Name | Type |
---|---|
aws_cognito_identity_pool.identity_pool | resource |
aws_cognito_identity_pool_roles_attachment.roles_attachment | resource |
aws_cognito_user_pool.user_pool | resource |
aws_cognito_user_pool_domain.user_pool_domain | resource |
aws_iam_policy.cognito_es_policy | resource |
aws_iam_role.authenticated | resource |
aws_iam_role.cognito_es_role | resource |
aws_iam_role.unauthenticated | resource |
aws_iam_role_policy.unauthenticated | resource |
aws_iam_role_policy_attachment.cognito_es_attach | resource |
aws_iam_service_linked_role.es | resource |
aws_opensearch_domain.opensearch | resource |
aws_route53_record.domain_record | resource |
aws_security_group.es | resource |
random_password.password | resource |
aws_ssm_parameter.opensearch_master_user | resource |
time_sleep.role_dependency | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.es_assume_policy | data source |
aws_subnet.selected | data source |
aws_vpc.selected | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_policy | Access policy to OpenSearch. If default_policy_for_fine_grained_access_control is enabled, this policy would be overwritten. |
string |
null |
no |
advanced_options | Key-value string pairs to specify advanced configuration options. | map(string) |
{} |
no |
advanced_security_options_enabled | If advanced security options is enabled. | bool |
false |
no |
allowed_cidrs | Allowed cidrs in security group. | list(string) |
[] |
no |
aws_service_name_for_linked_role | AWS service name for linked role. | string |
"opensearchservice.amazonaws.com" |
no |
cluster_config | Auto tune options from documentation. | any |
{} |
no |
cognito_enabled | Cognito authentification enabled for OpenSearch. | bool |
false |
no |
cognito_role_arn | Cognito role ARN. We need to enable advanced_security_options_enabled . |
string |
"" |
no |
create_a_record | Create A record for custom domain. | bool |
true |
no |
create_linked_role | Should linked role be created | bool |
true |
no |
custom_endpoint | Custom endpoint https. | string |
"" |
no |
custom_endpoint_certificate_arn | Custom endpoint certificate. | string |
null |
no |
custom_endpoint_enabled | If custom endpoint is enabled. | bool |
false |
no |
default_policy_for_fine_grained_access_control | Default policy for fine grained access control would be created. | bool |
false |
no |
domain_endpoint_options_enforce_https | Enforce https. | bool |
true |
no |
ebs_enabled | EBS enabled | bool |
true |
no |
encrypt_at_rest | Encrypt at rest. | any |
{} |
no |
engine_version | Engine version of elasticsearch. | string |
"OpenSearch_1.3" |
no |
identity_pool_id | Cognito identity pool id. | string |
"" |
no |
implicit_create_cognito | Cognito will be created inside module. If this is not enables and we want cognito authentication, we need to create cognito resources outside of module. | bool |
true |
no |
inside_vpc | Openserach inside VPC. | bool |
false |
no |
instance_type | Instance type. | string |
"t3.small.search" |
no |
internal_user_database_enabled | Internal user database enabled. This should be enabled if we want authentication with master username and master password. | bool |
false |
no |
iops | Baseline input/output (I/O) performance of EBS volumes attached to data nodes. | number |
null |
no |
log_publishing_options | Encrypt at rest. | any |
{} |
no |
master_password | Master password for accessing OpenSearch. If not specified password will be randomly generated. Password will be stored in AWS System Manager -> Parameter Store |
string |
"" |
no |
master_user_arn | Master user ARN for accessing OpenSearch. If this is set, advanced_security_options_enabled must be set to true and internal_user_database_enabled should be set to false. |
string |
"" |
no |
master_user_name | Master username for accessing OpenSerach. | string |
"admin" |
no |
name | Name of OpenSerach domain and suffix of all other resources. | string |
n/a | yes |
node_to_node_encryption | Is node to node encryption enabled. | bool |
false |
no |
region | AWS region. | string |
n/a | yes |
sg_ids | Use any pre-existing SGs. | string |
"" |
no |
default_security_group_name | Default security group name. | string |
"" |
no |
subnet_ids | CIDS blocks of subnets. | list(string) |
[] |
no |
tags | Tags. | map(any) |
{} |
no |
throughput | Specifies the throughput. | number |
null |
no |
tls_security_policy | TLS security policy. | string |
"Policy-Min-TLS-1-2-2019-07" |
no |
user_pool_id | Cognito user pool id. | string |
"" |
no |
volume_size | Volume size of ebs storage. | number |
10 |
no |
volume_type | Volume type of ebs storage. | string |
"gp2" |
no |
vpc | VPC ID | string |
"" |
no |
zone_id | Route 53 Zone id. | string |
"" |
no |
Name | Description |
---|---|
arn | ARN of the domain |
availability_zones | If the domain was created inside a VPC, the names of the availability zones the configured subnet_ids were created inside |
cognito_map | cognito info |
domain_id | Unique identifier for the domain |
domain_name | Name of the Elasticsearch domain |
endpoint | Domain-specific endpoint used to submit index, search, and data upload requests |
identity_pool_id | Cognito identity pool ID |
kibana_endpoint | Domain-specific endpoint for kibana without https scheme |
os_password | Master user password for OpenSearch |
tags_all | Map of tags assigned to the resource, including those inherited from the provider |
user_pool_id | Cognito user pool ID |
vpc_id | If the domain was created inside a VPC, the ID of the VPC |
Module is maintained by Andrija Vojnović with help from CyberLab Team.
Apache 2 Licensed. See LICENSE for full details.