AWS OpenSearch Terraform Module

Requirements

No requirements.

Providers

Name	Version
aws	>= 4.52.0
random	>= 3.4.3
time	>= 0.9.1

Usage

OpenSearch with basic setup with domain level access policy

module "opensearch" {
  source  = "cyberlabrs/opensearch/aws"
  name    = "basic-os"
  region  = "eu-central-1"

  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : ["arn:aws:iam::acc-number:role/xxx"]
        },
        "Action" : "es:*",
        "Resource" : "arn:aws:es:region:acc-number:domain/domain-name/*"
      }
    ]
  })

}

OpenSearch with basic setup with fine grained access control with default policy with internal_user enabled

module "opensearch" {
  source                                         = "cyberlabrs/opensearch/aws"
  name                                           = "basic-os"
  region                                         = "eu-central-1"
  advanced_security_options_enabled              = true
  default_policy_for_fine_grained_access_control = true
  internal_user_database_enabled                 = true
  node_to_node_encryption                        = true
  encrypt_at_rest = {
    enabled = true
  }
}

OpenSearch with basic setup with fine grained access control with default policy with internal_user enabled inside VPC

module "opensearch" {
  source                                         = "cyberlabrs/opensearch/aws"
  name                                           = "vpc-os"
  region                                         = "eu-central-1"
  advanced_security_options_enabled              = true
  default_policy_for_fine_grained_access_control = true
  internal_user_database_enabled                 = true
  inside_vpc                                     = true
  vpc                                            = "vpc-xxxxxxxx"
  subnet_ids                                     = ["subnet-1xxx", "subnet-2xxx"]
  allowed_cidrs                                  = ["xxxxxx"]
  node_to_node_encryption                        = true
  encrypt_at_rest = {
    enabled = true
  }
}

OpenSearch with basic setup with fine grained access control with Cognito authentication (need to go to AWS Cognito User Pool to create a new user to login to Dashboard)

module "opensearch" {
  source                                         = "cyberlabrs/opensearch/aws"
  name                                           = "basic-os"
  region                                         = "eu-central-1"
  advanced_security_options_enabled              = true
  default_policy_for_fine_grained_access_control = true
  cognito_enabled                                = true
  node_to_node_encryption                        = true
  encrypt_at_rest = {
    enabled = true
  }

  # custom endpoint if needed
  custom_endpoint                 = "xxxxxx"
  custom_endpoint_enabled         = true
  custom_endpoint_certificate_arn = "xxxx"

  # route53 zone if needed
  zone_id = "zone_id"
}

Modules

No modules.

Resources

Name	Type
aws_cognito_identity_pool.identity_pool	resource
aws_cognito_identity_pool_roles_attachment.roles_attachment	resource
aws_cognito_user_pool.user_pool	resource
aws_cognito_user_pool_domain.user_pool_domain	resource
aws_iam_policy.cognito_es_policy	resource
aws_iam_role.authenticated	resource
aws_iam_role.cognito_es_role	resource
aws_iam_role.unauthenticated	resource
aws_iam_role_policy.authenticated	resource
aws_iam_role_policy.unauthenticated	resource
aws_iam_role_policy_attachment.cognito_es_attach	resource
aws_iam_service_linked_role.es	resource
aws_opensearch_domain.opensearch	resource
aws_route53_record.domain_record	resource
aws_security_group.es	resource
random_password.password	resource
aws_ssm_parameter.opensearch_master_user	resource
time_sleep.role_dependency	resource
aws_caller_identity.current	data source
aws_iam_policy_document.es_assume_policy	data source
aws_subnet.selected	data source
aws_vpc.selected	data source

Inputs

Name	Description	Type	Default	Required
access_policy	Access policy to OpenSearch. If `default_policy_for_fine_grained_access_control` is enabled, this policy would be overwritten.	`string`	`null`	no
advanced_options	Key-value string pairs to specify advanced configuration options	`map(string)`	`{}`	no
advanced_security_options_enabled	If advanced security options is enabled.	`bool`	`false`	no
allowed_cidrs	Allowed cidrs in security group.	`list(string)`	`[]`	no
aws_service_name_for_linked_role	AWS service name for linked role.	`string`	`"opensearchservice.amazonaws.com"`	no
cluster_config	Auto tune options from documentation	`any`	`{}`	no
cognito_enabled	Cognito authentification enabled for OpenSearch.	`bool`	`false`	no
cognito_role_arn	Cognito role ARN. We need to enable `advanced_security_options_enabled`.	`string`	`""`	no
create_a_record	Create A record for custom domain.	`bool`	`true`	no
custom_endpoint	Custom endpoint https.	`string`	`""`	no
custom_endpoint_certificate_arn	Custom endpoint certificate.	`string`	`null`	no
custom_endpoint_enabled	If custom endpoint is enabled.	`bool`	`false`	no
default_policy_for_fine_grained_access_control	Default policy for fine grained access control would be created.	`bool`	`false`	no
domain_endpoint_options_enforce_https	Enforce https.	`bool`	`true`	no
ebs_enabled	EBS enabled	`bool`	`true`	no
encrypt_at_rest	Encrypt at rest	`any`	`{}`	no
engine_version	Engine version of elasticsearch.	`string`	`"OpenSearch_1.3"`	no
identity_pool_id	Cognito identity pool id.	`string`	`""`	no
implicit_create_cognito	Cognito will be created inside module. It this is not enables and we want cognito authentication, we need to create cognito resources outside of module.	`bool`	`true`	no
inside_vpc	Openserach inside VPC.	`bool`	`false`	no
instance_type	Instance type.	`string`	`"t3.small.search"`	no
internal_user_database_enabled	Internal user database enabled. This should be enabled if we want authentication with master username and master password.	`bool`	`false`	no
iops	Baseline input/output (I/O) performance of EBS volumes attached to data nodes	`number`	`null`	no
log_publishing_options	Encrypt at rest	`any`	`{}`	no
master_password	Master password for accessing OpenSearch. If not specified password will be randomly generated.	`string`	`""`	no
master_user_arn	Master user ARN for accessing OpenSearch. If this is set, `advanced_security_options_enabled` must be set to true and `internal_user_database_enabled` should be set to false.	`string`	`""`	no
master_user_name	Master username for accessing OpenSerach.	`string`	`"admin"`	no
name	Name of OpenSerach domain and sufix of all other resources.	`string`	n/a	yes
node_to_node_encryption	Is node to node encryption enabled	`bool`	`false`	no
region	AWS region.	`string`	n/a	yes
subnet_ids	CIDS blocks of subnets.	`list(string)`	`[]`	no
tags	Tags	`map(any)`	`{}`	no
throughput	Specifies the throughput	`number`	`null`	no
tls_security_policy	TLS security policy.	`string`	`"Policy-Min-TLS-1-2-2019-07"`	no
user_pool_id	Cognito user pool id.	`string`	`""`	no
volume_size	Volume size of ebs storage.	`number`	`10`	no
volume_type	Volume type of ebs storage.	`string`	`"gp2"`	no
vpc	VPC ID	`string`	`""`	no
zone_id	Route 53 Zone id.	`string`	`""`	no

Outputs

Name	Description
arn	ARN of the domain
availability_zones	If the domain was created inside a VPC, the names of the availability zones the configured subnet_ids were created inside
cognito_map	cognito info
domain_id	Unique identifier for the domain
domain_name	Name of the Elasticsearch domain
endpoint	Domain-specific endpoint used to submit index, search, and data upload requests
identity_pool_id	Cognito identity pool ID
kibana_endpoint	Domain-specific endpoint for kibana without https scheme
os_password	Master user password for OpenSearch
tags_all	Map of tags assigned to the resource, including those inherited from the provider
user_pool_id	Cognito user pool ID
vpc_id	If the domain was created inside a VPC, the ID of the VPC

blue86321 / terraform-aws-opensearch