
Terraform module to provision an OpenSearch cluster with SAML and Cognito authentication.


cyberlabrs/terraform-aws-opensearch


AWS OpenSearch Terraform Module

Requirements

No requirements.

Providers

| Name | Version |
|---|---|
| aws | >= 4.52.0 |
| random | >= 3.4.3 |
| time | >= 0.9.1 |

Usage

Basic OpenSearch setup with a domain-level access policy

module "opensearch" {
  source  = "cyberlabrs/opensearch/aws"
  name    = "basic-os"
  region  = "eu-central-1"

  access_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : ["arn:aws:iam::acc-number:role/xxx"]
        },
        "Action" : "es:*",
        "Resource" : "arn:aws:es:region:acc-number:domain/domain-name/*"
      }
    ]
  })

}

Basic OpenSearch setup with fine-grained access control, the default access policy and the internal user database enabled

module "opensearch" {
  source                                         = "cyberlabrs/opensearch/aws"
  name                                           = "basic-os"
  region                                         = "eu-central-1"
  advanced_security_options_enabled              = true
  default_policy_for_fine_grained_access_control = true
  internal_user_database_enabled                 = true
  node_to_node_encryption                        = true
  encrypt_at_rest = {
    enabled = true
  }
}

Basic OpenSearch setup with fine-grained access control, the default access policy and the internal user database enabled, deployed inside a VPC

module "opensearch" {
  source                                         = "cyberlabrs/opensearch/aws"
  name                                           = "vpc-os"
  region                                         = "eu-central-1"
  advanced_security_options_enabled              = true
  default_policy_for_fine_grained_access_control = true
  internal_user_database_enabled                 = true
  inside_vpc                                     = true
  vpc                                            = "vpc-xxxxxxxx"
  subnet_ids                                     = ["subnet-1xxx", "subnet-2xxx"]
  allowed_cidrs                                  = ["xxxxxx"]
  node_to_node_encryption                        = true
  encrypt_at_rest = {
    enabled = true
  }
}

Basic OpenSearch setup with fine-grained access control and Cognito authentication (create a user in the AWS Cognito User Pool to log in to the Dashboard)

module "opensearch" {
  source                                         = "cyberlabrs/opensearch/aws"
  name                                           = "basic-os"
  region                                         = "eu-central-1"
  advanced_security_options_enabled              = true
  default_policy_for_fine_grained_access_control = true
  cognito_enabled                                = true
  node_to_node_encryption                        = true
  encrypt_at_rest = {
    enabled = true
  }

  # custom endpoint if needed
  custom_endpoint                 = "xxxxxx"
  custom_endpoint_enabled         = true
  custom_endpoint_certificate_arn = "xxxx"

  # route53 zone if needed
  zone_id = "zone_id"
}
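The usage examples above differ mainly in which security-relevant inputs they set. The following added example (not part of the module) audits a set of module inputs against the rules stated in this README: node-to-node encryption, encryption at rest, enforced HTTPS, the advanced_security_options_enabled / internal_user_database_enabled / master_user_arn combination, and an access policy with a wildcard principal on a domain outside a VPC. The sample inputs are constructed from the first two usage examples; the account id and ARNs in them are placeholders.

```python
import json
# Defaults mirror the README's Inputs table; the samples at the bottom mirror its usage examples
MODULE_DEFAULTS = {
    "advanced_security_options_enabled": False, "internal_user_database_enabled": False,
    "cognito_enabled": False, "master_user_arn": "", "node_to_node_encryption": False,
    "encrypt_at_rest": {}, "domain_endpoint_options_enforce_https": True,
    "inside_vpc": False, "access_policy": None,
}

def _principal_is_wildcard(principal):
    # Matches Principal "*", {"AWS": "*"} and {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def audit(inputs):
    # Returns findings for one module invocation; keys not given take the module defaults
    cfg = {**MODULE_DEFAULTS, **inputs}
    findings = []
    if not cfg["node_to_node_encryption"]:
        findings.append("node_to_node_encryption is off")
    if not cfg["encrypt_at_rest"].get("enabled", False):
        findings.append("encrypt_at_rest is not enabled")
    if not cfg["domain_endpoint_options_enforce_https"]:
        findings.append("HTTPS is not enforced on the domain endpoint")
    if cfg["master_user_arn"]:
        # README: master_user_arn needs advanced security on and the internal user database off
        if not cfg["advanced_security_options_enabled"]:
            findings.append("master_user_arn set but advanced_security_options_enabled is false")
        if cfg["internal_user_database_enabled"]:
            findings.append("master_user_arn set together with internal_user_database_enabled")
    if not cfg["advanced_security_options_enabled"]:
        findings.append("fine-grained access control is off")
    elif not (cfg["master_user_arn"] or cfg["internal_user_database_enabled"] or cfg["cognito_enabled"]):
        findings.append("fine-grained access control has no master user source")
    if cfg["access_policy"]:
        for stmt in json.loads(cfg["access_policy"]).get("Statement", []):
            if stmt.get("Effect") == "Allow" and not cfg["inside_vpc"] and _principal_is_wildcard(stmt.get("Principal")):
                findings.append("access policy allows Principal '*' on a domain outside a VPC")
    return findings

# Constructed samples: the README's first two usage examples, plus a wildcard-principal policy
BASIC_EXAMPLE = {"access_policy": json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111122223333:role/xxx"]},
    "Action": "es:*", "Resource": "arn:aws:es:eu-central-1:111122223333:domain/basic-os/*"}]})}
HARDENED_EXAMPLE = {"advanced_security_options_enabled": True, "internal_user_database_enabled": True, "node_to_node_encryption": True, "encrypt_at_rest": {"enabled": True}}
WILDCARD_EXAMPLE = {"access_policy": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "es:*", "Resource": "*"}]})}
```

Running `audit(BASIC_EXAMPLE)` reports the three settings the first example leaves at their defaults, while `audit(HARDENED_EXAMPLE)` returns no findings.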

Modules

No modules.

Resources

| Name | Type |
|---|---|
| aws_cognito_identity_pool.identity_pool | resource |
| aws_cognito_identity_pool_roles_attachment.roles_attachment | resource |
| aws_cognito_user_pool.user_pool | resource |
| aws_cognito_user_pool_domain.user_pool_domain | resource |
| aws_iam_policy.cognito_es_policy | resource |
| aws_iam_role.authenticated | resource |
| aws_iam_role.cognito_es_role | resource |
| aws_iam_role.unauthenticated | resource |
| aws_iam_role_policy.unauthenticated | resource |
| aws_iam_role_policy_attachment.cognito_es_attach | resource |
| aws_iam_service_linked_role.es | resource |
| aws_opensearch_domain.opensearch | resource |
| aws_route53_record.domain_record | resource |
| aws_security_group.es | resource |
| random_password.password | resource |
| aws_ssm_parameter.opensearch_master_user | resource |
| time_sleep.role_dependency | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.es_assume_policy | data source |
| aws_subnet.selected | data source |
| aws_vpc.selected | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_policy | Access policy for OpenSearch. If default_policy_for_fine_grained_access_control is enabled, this policy is overwritten. | string | `null` | no |
| advanced_options | Key-value string pairs to specify advanced configuration options. | map(string) | `{}` | no |
| advanced_security_options_enabled | Whether advanced security options are enabled. | bool | `false` | no |
| allowed_cidrs | Allowed CIDRs in the security group. | list(string) | `[]` | no |
| aws_service_name_for_linked_role | AWS service name for the linked role. | string | `"opensearchservice.amazonaws.com"` | no |
| cluster_config | Auto tune options from the documentation. | any | `{}` | no |
| cognito_enabled | Cognito authentication enabled for OpenSearch. | bool | `false` | no |
| cognito_role_arn | Cognito role ARN. Requires advanced_security_options_enabled to be true. | string | `""` | no |
| create_a_record | Create an A record for the custom domain. | bool | `true` | no |
| create_linked_role | Whether the linked role should be created. | bool | `true` | no |
| custom_endpoint | Custom HTTPS endpoint. | string | `""` | no |
| custom_endpoint_certificate_arn | Custom endpoint certificate ARN. | string | `null` | no |
| custom_endpoint_enabled | Whether the custom endpoint is enabled. | bool | `false` | no |
| default_policy_for_fine_grained_access_control | Whether a default policy for fine-grained access control is created. | bool | `false` | no |
| domain_endpoint_options_enforce_https | Enforce HTTPS. | bool | `true` | no |
| ebs_enabled | EBS enabled. | bool | `true` | no |
| encrypt_at_rest | Encrypt at rest. | any | `{}` | no |
| engine_version | Engine version of the domain (OpenSearch or Elasticsearch). | string | `"OpenSearch_1.3"` | no |
| identity_pool_id | Cognito identity pool id. | string | `""` | no |
| implicit_create_cognito | Cognito will be created inside the module. If this is disabled and Cognito authentication is wanted, the Cognito resources must be created outside the module. | bool | `true` | no |
| inside_vpc | OpenSearch inside a VPC. | bool | `false` | no |
| instance_type | Instance type. | string | `"t3.small.search"` | no |
| internal_user_database_enabled | Internal user database enabled. This should be enabled for authentication with a master username and master password. | bool | `false` | no |
| iops | Baseline input/output (I/O) performance of EBS volumes attached to data nodes. | number | `null` | no |
| log_publishing_options | Log publishing options. | any | `{}` | no |
| master_password | Master password for accessing OpenSearch. If not specified, the password is randomly generated. The password is stored in AWS Systems Manager Parameter Store. | string | `""` | no |
| master_user_arn | Master user ARN for accessing OpenSearch. If this is set, advanced_security_options_enabled must be set to true and internal_user_database_enabled should be set to false. | string | `""` | no |
| master_user_name | Master username for accessing OpenSearch. | string | `"admin"` | no |
| name | Name of the OpenSearch domain and suffix of all other resources. | string | n/a | yes |
| node_to_node_encryption | Whether node-to-node encryption is enabled. | bool | `false` | no |
| region | AWS region. | string | n/a | yes |
| sg_ids | Use any pre-existing security groups. | string | `""` | no |
| default_security_group_name | Default security group name. | string | `""` | no |
| subnet_ids | IDs of the subnets. | list(string) | `[]` | no |
| tags | Tags. | map(any) | `{}` | no |
| throughput | Specifies the throughput. | number | `null` | no |
| tls_security_policy | TLS security policy. | string | `"Policy-Min-TLS-1-2-2019-07"` | no |
| user_pool_id | Cognito user pool id. | string | `""` | no |
| volume_size | Volume size of EBS storage. | number | `10` | no |
| volume_type | Volume type of EBS storage. | string | `"gp2"` | no |
| custom_es_cognito_role_name | Custom name for the OpenSearch Cognito role. | string | `null` | no |
| vpc | VPC ID. | string | `""` | no |
| create_default_sg | Creates the default security group when true. | bool | `true` | no |
| zone_id | Route 53 zone id. | string | `""` | no |
| auto_software_update_enabled | Whether automatic service software updates are enabled for the domain. Defaults to false. | bool | `false` | no |

Outputs

| Name | Description |
|---|---|
| arn | ARN of the domain |
| availability_zones | If the domain was created inside a VPC, the names of the availability zones the configured subnet_ids were created inside |
| cognito_map | Cognito information |
| domain_id | Unique identifier for the domain |
| domain_name | Name of the Elasticsearch domain |
| endpoint | Domain-specific endpoint used to submit index, search, and data upload requests |
| identity_pool_id | Cognito identity pool ID |
| kibana_endpoint | Domain-specific endpoint for Kibana, without the https scheme |
| os_user_name | Master username for OpenSearch |
| os_password | Master user password for OpenSearch |
| tags_all | Map of tags assigned to the resource, including those inherited from the provider |
| user_pool_id | Cognito user pool ID |
| vpc_id | If the domain was created inside a VPC, the ID of the VPC |

Authors

The module is maintained by Andrija Vojnović with help from the CyberLab team.

License

Apache 2 Licensed. See LICENSE for full details.