No requirements.
| Name | Version |
|---|---|
| aws | >= 4.52.0 |
| random | >= 3.4.3 |
| time | >= 0.9.1 |
OpenSearch with basic setup with domain level access policy
module "opensearch" {
source = "cyberlabrs/opensearch/aws"
name = "basic-os"
region = "eu-central-1"
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"AWS" : ["arn:aws:iam::acc-number:role/xxx"]
},
"Action" : "es:*",
"Resource" : "arn:aws:es:region:acc-number:domain/domain-name/*"
}
]
})
}OpenSearch with basic setup with fine grained access control with default policy with internal_user enabled
module "opensearch" {
source = "cyberlabrs/opensearch/aws"
name = "basic-os"
region = "eu-central-1"
advanced_security_options_enabled = true
default_policy_for_fine_grained_access_control = true
internal_user_database_enabled = true
node_to_node_encryption = true
encrypt_at_rest = {
enabled = true
}
}OpenSearch with basic setup with fine grained access control with default policy with internal_user enabled inside VPC
module "opensearch" {
source = "cyberlabrs/opensearch/aws"
name = "vpc-os"
region = "eu-central-1"
advanced_security_options_enabled = true
default_policy_for_fine_grained_access_control = true
internal_user_database_enabled = true
inside_vpc = true
vpc = "vpc-xxxxxxxx"
subnet_ids = ["subnet-1xxx", "subnet-2xxx"]
allowed_cidrs = ["xxxxxx"]
node_to_node_encryption = true
encrypt_at_rest = {
enabled = true
}
}OpenSearch with basic setup with fine grained access control with Cognito authentication (need to go to AWS Cognito User Pool to create a new user to login to Dashboard)
module "opensearch" {
source = "cyberlabrs/opensearch/aws"
name = "basic-os"
region = "eu-central-1"
advanced_security_options_enabled = true
default_policy_for_fine_grained_access_control = true
cognito_enabled = true
node_to_node_encryption = true
encrypt_at_rest = {
enabled = true
}
# custom endpoint if needed
custom_endpoint = "xxxxxx"
custom_endpoint_enabled = true
custom_endpoint_certificate_arn = "xxxx"
# route53 zone if needed
zone_id = "zone_id"
}No modules.
| Name | Type |
|---|---|
| aws_cognito_identity_pool.identity_pool | resource |
| aws_cognito_identity_pool_roles_attachment.roles_attachment | resource |
| aws_cognito_user_pool.user_pool | resource |
| aws_cognito_user_pool_domain.user_pool_domain | resource |
| aws_iam_policy.cognito_es_policy | resource |
| aws_iam_role.authenticated | resource |
| aws_iam_role.cognito_es_role | resource |
| aws_iam_role.unauthenticated | resource |
| aws_iam_role_policy.unauthenticated | resource |
| aws_iam_role_policy_attachment.cognito_es_attach | resource |
| aws_iam_service_linked_role.es | resource |
| aws_opensearch_domain.opensearch | resource |
| aws_route53_record.domain_record | resource |
| aws_security_group.es | resource |
| random_password.password | resource |
| aws_ssm_parameter.opensearch_master_user | resource |
| time_sleep.role_dependency | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.es_assume_policy | data source |
| aws_subnet.selected | data source |
| aws_vpc.selected | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_policy | Access policy to OpenSearch. If default_policy_for_fine_grained_access_control is enabled, this policy would be overwritten. |
string |
null |
no |
| advanced_options | Key-value string pairs to specify advanced configuration options. | map(string) |
{} |
no |
| advanced_security_options_enabled | If advanced security options is enabled. | bool |
false |
no |
| allowed_cidrs | Allowed cidrs in security group. | list(string) |
[] |
no |
| aws_service_name_for_linked_role | AWS service name for linked role. | string |
"opensearchservice.amazonaws.com" |
no |
| cluster_config | Auto tune options from documentation. | any |
{} |
no |
| cognito_enabled | Cognito authentification enabled for OpenSearch. | bool |
false |
no |
| cognito_role_arn | Cognito role ARN. We need to enable advanced_security_options_enabled. |
string |
"" |
no |
| create_a_record | Create A record for custom domain. | bool |
true |
no |
| create_linked_role | Should linked role be created | bool |
true |
no |
| custom_endpoint | Custom endpoint https. | string |
"" |
no |
| custom_endpoint_certificate_arn | Custom endpoint certificate. | string |
null |
no |
| custom_endpoint_enabled | If custom endpoint is enabled. | bool |
false |
no |
| default_policy_for_fine_grained_access_control | Default policy for fine grained access control would be created. | bool |
false |
no |
| domain_endpoint_options_enforce_https | Enforce https. | bool |
true |
no |
| ebs_enabled | EBS enabled | bool |
true |
no |
| encrypt_at_rest | Encrypt at rest. | any |
{} |
no |
| engine_version | Engine version of elasticsearch. | string |
"OpenSearch_1.3" |
no |
| identity_pool_id | Cognito identity pool id. | string |
"" |
no |
| implicit_create_cognito | Cognito will be created inside module. If this is not enables and we want cognito authentication, we need to create cognito resources outside of module. | bool |
true |
no |
| inside_vpc | Openserach inside VPC. | bool |
false |
no |
| instance_type | Instance type. | string |
"t3.small.search" |
no |
| internal_user_database_enabled | Internal user database enabled. This should be enabled if we want authentication with master username and master password. | bool |
false |
no |
| iops | Baseline input/output (I/O) performance of EBS volumes attached to data nodes. | number |
null |
no |
| log_publishing_options | Encrypt at rest. | any |
{} |
no |
| master_password | Master password for accessing OpenSearch. If not specified password will be randomly generated. Password will be stored in AWS System Manager -> Parameter Store |
string |
"" |
no |
| master_user_arn | Master user ARN for accessing OpenSearch. If this is set, advanced_security_options_enabled must be set to true and internal_user_database_enabled should be set to false. |
string |
"" |
no |
| master_user_name | Master username for accessing OpenSerach. | string |
"admin" |
no |
| name | Name of OpenSerach domain and suffix of all other resources. | string |
n/a | yes |
| node_to_node_encryption | Is node to node encryption enabled. | bool |
false |
no |
| region | AWS region. | string |
n/a | yes |
| sg_ids | Use any pre-existing SGs. | string |
"" |
no |
| default_security_group_name | Default security group name. | string |
"" |
no |
| subnet_ids | CIDS blocks of subnets. | list(string) |
[] |
no |
| tags | Tags. | map(any) |
{} |
no |
| throughput | Specifies the throughput. | number |
null |
no |
| tls_security_policy | TLS security policy. | string |
"Policy-Min-TLS-1-2-2019-07" |
no |
| user_pool_id | Cognito user pool id. | string |
"" |
no |
| volume_size | Volume size of ebs storage. | number |
10 |
no |
| volume_type | Volume type of ebs storage. | string |
"gp2" |
no |
| vpc | VPC ID | string |
"" |
no |
| zone_id | Route 53 Zone id. | string |
"" |
no |
| Name | Description |
|---|---|
| arn | ARN of the domain |
| availability_zones | If the domain was created inside a VPC, the names of the availability zones the configured subnet_ids were created inside |
| cognito_map | cognito info |
| domain_id | Unique identifier for the domain |
| domain_name | Name of the Elasticsearch domain |
| endpoint | Domain-specific endpoint used to submit index, search, and data upload requests |
| identity_pool_id | Cognito identity pool ID |
| kibana_endpoint | Domain-specific endpoint for kibana without https scheme |
| os_password | Master user password for OpenSearch |
| tags_all | Map of tags assigned to the resource, including those inherited from the provider |
| user_pool_id | Cognito user pool ID |
| vpc_id | If the domain was created inside a VPC, the ID of the VPC |
Module is maintained by Andrija Vojnović with help from CyberLab Team.
Apache 2 Licensed. See LICENSE for full details.