From 2db45046bd0f2d2d7e04d40f2a76d01146ba8aa9 Mon Sep 17 00:00:00 2001
From: Julieta Aghamyan
Date: Mon, 2 Oct 2023 14:08:34 +0400
Subject: [PATCH 1/4] feat(DMVP-elasticsearch): Added Advance Security Option
---
 modules/elastic-search/README.md | 7 +++
 modules/elastic-search/main.tf | 10 +++++
 modules/elastic-search/tests/basic/0-setup.tf | 16 +++++++
 .../elastic-search/tests/basic/1-example.tf | 15 +++++++
 .../elastic-search/tests/basic/2-assert.tf | 9 ++++
 modules/elastic-search/tests/basic/README.md | 35 +++++++++++++++
 modules/elastic-search/variables.tf | 43 +++++++++++++++++++
 7 files changed, 135 insertions(+)
 create mode 100644 modules/elastic-search/tests/basic/0-setup.tf
 create mode 100644 modules/elastic-search/tests/basic/1-example.tf
 create mode 100644 modules/elastic-search/tests/basic/2-assert.tf
 create mode 100644 modules/elastic-search/tests/basic/README.md
diff --git a/modules/elastic-search/README.md b/modules/elastic-search/README.md
index ef8ac475..223ef3ce 100644
--- a/modules/elastic-search/README.md
+++ b/modules/elastic-search/README.md
@@ -50,6 +50,13 @@ module "elastic-search" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [access\_policies](#input\_access\_policies) | Custom access policies, if not provided one being generated automatically | `string` | `""` | no |
+| [advanced\_security\_options\_create\_random\_master\_password](#input\_advanced\_security\_options\_create\_random\_master\_password) | Whether to create random master password for Elasticsearch master user | `bool` | `false` | no |
+| [advanced\_security\_options\_enabled](#input\_advanced\_security\_options\_enabled) | Whether advanced security is enabled (Forces new resource) | `bool` | `false` | no |
+| [advanced\_security\_options\_internal\_user\_database\_enabled](#input\_advanced\_security\_options\_internal\_user\_database\_enabled) | Whether the internal user database is enabled. If not set, defaults to false by the AWS API. | `bool` | `false` | no |
+| [advanced\_security\_options\_master\_user\_arn](#input\_advanced\_security\_options\_master\_user\_arn) | ARN for the master user. Only specify if `internal_user_database_enabled` is not set or set to `false`) | `string` | `null` | no |
+| [advanced\_security\_options\_master\_user\_password](#input\_advanced\_security\_options\_master\_user\_password) | The master user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`. | `string` | `null` | no |
+| [advanced\_security\_options\_master\_user\_username](#input\_advanced\_security\_options\_master\_user\_username) | The master user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`. 
| `string` | `null` | no |
+| [advanced\_security\_options\_random\_master\_password\_length](#input\_advanced\_security\_options\_random\_master\_password\_length) | Length of random master password to create | `number` | `16` | no |
 | [availability\_zone\_count](#input\_availability\_zone\_count) | The number of availability zones of ES | `number` | `2` | no |
 | [create\_service\_link\_role](#input\_create\_service\_link\_role) | Create service link role for AWS Elasticsearch Service | `bool` | `true` | no |
 | [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Have dedicated master or not for ES | `bool` | `false` | no |
diff --git a/modules/elastic-search/main.tf b/modules/elastic-search/main.tf
index 0a123f50..a1bd94bf 100644
--- a/modules/elastic-search/main.tf
+++ b/modules/elastic-search/main.tf
@@ -39,6 +39,16 @@ module "elastic_search" {
 timeouts_update = var.timeouts_update
 create_service_link_role = var.create_service_link_role
+
+
+ advanced_security_options_enabled = var.advanced_security_options_enabled
+ advanced_security_options_internal_user_database_enabled = var.advanced_security_options_internal_user_database_enabled
+ advanced_security_options_master_user_arn = var.advanced_security_options_master_user_arn
+ advanced_security_options_master_user_username = var.advanced_security_options_master_user_username
+ advanced_security_options_master_user_password = var.advanced_security_options_master_user_password
+ advanced_security_options_create_random_master_password = var.advanced_security_options_create_random_master_password
+ advanced_security_options_random_master_password_length = var.advanced_security_options_random_master_password_length
+
 }
diff --git a/modules/elastic-search/tests/basic/0-setup.tf b/modules/elastic-search/tests/basic/0-setup.tf
new file mode 100644
index 00000000..db10e19d
--- /dev/null
+++ b/modules/elastic-search/tests/basic/0-setup.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ test = {
+ source = "terraform.io/builtin/test"
+ }
+
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.33"
+ }
+ }
+}
+
+provider "aws" {
+ region = "eu-central-1"
+}
diff --git a/modules/elastic-search/tests/basic/1-example.tf b/modules/elastic-search/tests/basic/1-example.tf
new file mode 100644
index 00000000..171b57c7
--- /dev/null
+++ b/modules/elastic-search/tests/basic/1-example.tf
@@ -0,0 +1,15 @@
+module "this" {
+ source = "../../"
+
+
+ domain_name = "dev"
+ vpc_options_subnet_ids = ["subnet-id1", "subnet-id2"]
+ vpc_options_security_group_whitelist_cidr = ["10.16.0.0/16"]
+ ebs_options_volume_size = 10
+
+ advanced_security_options_enabled = true
+ advanced_security_options_internal_user_database_enabled = true
+ advanced_security_options_master_user_username = "admin"
+ advanced_security_options_create_random_master_password = true
+ // Or you can use advanced_security_options_master_user_password variable
+}
diff --git a/modules/elastic-search/tests/basic/2-assert.tf b/modules/elastic-search/tests/basic/2-assert.tf
new file mode 100644
index 00000000..909a5004
--- /dev/null
+++ b/modules/elastic-search/tests/basic/2-assert.tf
@@ -0,0 +1,9 @@
+resource "test_assertions" "dummy" {
+ component = "monitoring-modules-cloudwatch-alarm-actions"
+
+ equal "scheme" {
+ description = "As module does not have any output and data just make sure the case runs. Probably can be thrown away."
+ got = "all good"
+ want = "all good"
+ }
+}
diff --git a/modules/elastic-search/tests/basic/README.md b/modules/elastic-search/tests/basic/README.md
new file mode 100644
index 00000000..4b61f199
--- /dev/null
+++ b/modules/elastic-search/tests/basic/README.md
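Review bot: The trailing comment in 1-example.tf, `// Or you can use advanced_security_options_master_user_password variable`, points readers at putting the master password as a literal into a committed .tf file, and a test fixture is exactly the place such a pattern gets copied from. Suggest rewording it to `// Or set advanced_security_options_master_user_password from a sensitive variable (TF_VAR_...) or a secrets store rather than a literal`. Whichever path is used, the password ends up in Terraform state (presumably via a random_password resource inside the wrapped module when create_random_master_password is set — not visible here), so the state backend used for this test suite needs the same access controls as the domain itself.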
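Review bot: `component = "monitoring-modules-cloudwatch-alarm-actions"` in 2-assert.tf is a leftover from another module's test suite and will mislabel any failure report for this one; it should name this module, e.g. `component = "elastic-search"`. The `equal "scheme"` check compares two identical literals, so the suite only proves that applying 1-example.tf succeeds; if the wrapped module exposes the domain endpoint or ARN, asserting on that (or on the endpoint scheme being https) would make the case meaningful. The description string claims the module has no outputs, which is worth confirming against the module's outputs file before keeping a placeholder assertion.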
@@ -0,0 +1,35 @@
+# basic
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [aws](#requirement\_aws) | ~> 4.33 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [test](#provider\_test) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [this](#module\_this) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| test_assertions.dummy | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+
diff --git a/modules/elastic-search/variables.tf b/modules/elastic-search/variables.tf
index 30df1b9a..da780ee1 100644
--- a/modules/elastic-search/variables.tf
+++ b/modules/elastic-search/variables.tf
@@ -109,3 +109,46 @@ variable "create_service_link_role" {
 type = bool
 default = true
 }
+
+
+variable "advanced_security_options_enabled" {
+ description = "Whether advanced security is enabled (Forces new resource)"
+ type = bool
+ default = false
+}
+
+variable "advanced_security_options_internal_user_database_enabled" {
+ description = "Whether the internal user database is enabled. If not set, defaults to false by the AWS API."
+ type = bool
+ default = false
+}
+
+variable "advanced_security_options_master_user_arn" {
+ description = "ARN for the master user. Only specify if `internal_user_database_enabled` is not set or set to `false`)"
+ type = string
+ default = null
+}
+
+variable "advanced_security_options_master_user_username" {
+ description = "The master user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`."
+ type = string
+ default = null
+}
+
+variable "advanced_security_options_master_user_password" {
+ description = "The master user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`."
+ type = string
+ default = null
+}
+
+variable "advanced_security_options_create_random_master_password" {
+ description = "Whether to create random master password for Elasticsearch master user"
+ type = bool
+ default = false
+}
+
+variable "advanced_security_options_random_master_password_length" {
+ description = "Length of random master password to create"
+ type = number
+ default = 16
+}
From e87f716540f856f0d7d8265b50e2425310d88f76 Mon Sep 17 00:00:00 2001
From: Julieta Aghamyan
Date: Mon, 2 Oct 2023 15:12:13 +0400
Subject: [PATCH 2/4] feat(DMVP-elasticsearch): enable encryption
---
 modules/elastic-search/tests/basic/1-example.tf | 1 +
 1 file changed, 1 insertion(+)
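Review bot: `advanced_security_options_master_user_password` is declared without `sensitive = true`, so any value a caller passes is echoed in plan/apply output and in CI logs; add `sensitive = true` to that block, and the same applies to the renamed `master_user_password` in the variables.tf hunk of PATCH 3/4. The `advanced_security_options_master_user_arn` description ends with an unbalanced closing parenthesis after the backticked `false`, and the same text is copied into the README table. `advanced_security_options_random_master_password_length` would also benefit from a `validation` block requiring at least 8, since AWS documents an 8-character minimum for the master user password and a shorter value would otherwise fail only at apply time.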
diff --git a/modules/elastic-search/tests/basic/1-example.tf b/modules/elastic-search/tests/basic/1-example.tf
index 171b57c7..3043246b 100644
--- a/modules/elastic-search/tests/basic/1-example.tf
+++ b/modules/elastic-search/tests/basic/1-example.tf
@@ -7,6 +7,7 @@ module "this" {
 vpc_options_security_group_whitelist_cidr = ["10.16.0.0/16"]
 ebs_options_volume_size = 10
+ encrypt_at_rest_enabled = true
 advanced_security_options_enabled = true
 advanced_security_options_internal_user_database_enabled = true
 advanced_security_options_master_user_username = "admin"
From ea637fe22af7d9c5bab3bbf2ba18a074b8ffe4a4 Mon Sep 17 00:00:00 2001
From: Julieta Aghamyan
Date: Mon, 2 Oct 2023 15:53:01 +0400
Subject: [PATCH 3/4] feat(DMVP-elasticsearch): enable encryption
---
 modules/elastic-search/README.md | 12 ++++++------
 modules/elastic-search/main.tf | 12 ++++++------
 modules/elastic-search/tests/basic/1-example.tf | 12 ++++++------
 modules/elastic-search/variables.tf | 12 ++++++------
 4 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/modules/elastic-search/README.md b/modules/elastic-search/README.md
index 223ef3ce..08cfb5ec 100644
--- a/modules/elastic-search/README.md
+++ b/modules/elastic-search/README.md
@@ -50,14 +50,9 @@ module "elastic-search" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [access\_policies](#input\_access\_policies) | Custom access policies, if not provided one being generated automatically | `string` | `""` | no |
-| [advanced\_security\_options\_create\_random\_master\_password](#input\_advanced\_security\_options\_create\_random\_master\_password) | Whether to create random master password for Elasticsearch master user | `bool` | `false` | no |
 | [advanced\_security\_options\_enabled](#input\_advanced\_security\_options\_enabled) | Whether advanced security is enabled (Forces new resource) | `bool` | `false` | no |
-| [advanced\_security\_options\_internal\_user\_database\_enabled](#input\_advanced\_security\_options\_internal\_user\_database\_enabled) | Whether the internal user database is enabled. If not set, defaults to false by the AWS API. | `bool` | `false` | no |
-| [advanced\_security\_options\_master\_user\_arn](#input\_advanced\_security\_options\_master\_user\_arn) | ARN for the master user. Only specify if `internal_user_database_enabled` is not set or set to `false`) | `string` | `null` | no |
-| [advanced\_security\_options\_master\_user\_password](#input\_advanced\_security\_options\_master\_user\_password) | The master user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`. | `string` | `null` | no |
-| [advanced\_security\_options\_master\_user\_username](#input\_advanced\_security\_options\_master\_user\_username) | The master user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`. 
| `string` | `null` | no |
-| [advanced\_security\_options\_random\_master\_password\_length](#input\_advanced\_security\_options\_random\_master\_password\_length) | Length of random master password to create | `number` | `16` | no |
 | [availability\_zone\_count](#input\_availability\_zone\_count) | The number of availability zones of ES | `number` | `2` | no |
+| [create\_random\_master\_password](#input\_create\_random\_master\_password) | Whether to create random master password for Elasticsearch master user | `bool` | `false` | no |
 | [create\_service\_link\_role](#input\_create\_service\_link\_role) | Create service link role for AWS Elasticsearch Service | `bool` | `true` | no |
 | [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Have dedicated master or not for ES | `bool` | `false` | no |
 | [domain\_name](#input\_domain\_name) | The domain name of ES | `string` | n/a | yes |
@@ -68,7 +63,12 @@ module "elastic-search" {
 | [es\_version](#input\_es\_version) | The version of ES | `string` | `"7.1"` | no |
 | [instance\_count](#input\_instance\_count) | The number of ES node instances | `number` | `2` | no |
 | [instance\_type](#input\_instance\_type) | The node instance types of ES | `string` | `"t3.small.elasticsearch"` | no |
+| [internal\_user\_database\_enabled](#input\_internal\_user\_database\_enabled) | Whether the internal user database is enabled. If not set, defaults to false by the AWS API. | `bool` | `false` | no |
+| [master\_user\_arn](#input\_master\_user\_arn) | ARN for the master user. Only specify if `internal_user_database_enabled` is not set or set to `false`) | `string` | `null` | no |
+| [master\_user\_password](#input\_master\_user\_password) | The master user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`. | `string` | `null` | no |
+| [master\_user\_username](#input\_master\_user\_username) | The master user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`. 
| `string` | `null` | no |
 | [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether to enable node to node encryption | `bool` | `true` | no |
+| [random\_master\_password\_length](#input\_random\_master\_password\_length) | Length of random master password to create | `number` | `16` | no |
 | [snapshot\_options\_automated\_snapshot\_start\_hour](#input\_snapshot\_options\_automated\_snapshot\_start\_hour) | The amount of ours to wait to snapshot of ES db | `number` | `0` | no |
 | [timeouts\_update](#input\_timeouts\_update) | The timeout update of ES | `string` | `null` | no |
 | [vpc\_options\_security\_group\_whitelist\_cidr](#input\_vpc\_options\_security\_group\_whitelist\_cidr) | The list of security group cidr blocks to whitelist in ingress | `list(string)` |
[
"0.0.0.0/0"
]
| no |
diff --git a/modules/elastic-search/main.tf b/modules/elastic-search/main.tf
index a1bd94bf..981c949a 100644
--- a/modules/elastic-search/main.tf
+++ b/modules/elastic-search/main.tf
@@ -42,12 +42,12 @@ module "elastic_search" {
 advanced_security_options_enabled = var.advanced_security_options_enabled
- advanced_security_options_internal_user_database_enabled = var.advanced_security_options_internal_user_database_enabled
- advanced_security_options_master_user_arn = var.advanced_security_options_master_user_arn
- advanced_security_options_master_user_username = var.advanced_security_options_master_user_username
- advanced_security_options_master_user_password = var.advanced_security_options_master_user_password
- advanced_security_options_create_random_master_password = var.advanced_security_options_create_random_master_password
- advanced_security_options_random_master_password_length = var.advanced_security_options_random_master_password_length
+ advanced_security_options_internal_user_database_enabled = var.internal_user_database_enabled
+ advanced_security_options_master_user_arn = var.master_user_arn
+ advanced_security_options_master_user_username = var.master_user_username
+ advanced_security_options_master_user_password = var.master_user_password
+ advanced_security_options_create_random_master_password = var.create_random_master_password
+ advanced_security_options_random_master_password_length = var.random_master_password_length
 }
diff --git a/modules/elastic-search/tests/basic/1-example.tf b/modules/elastic-search/tests/basic/1-example.tf
index 3043246b..0f73feac 100644
--- a/modules/elastic-search/tests/basic/1-example.tf
+++ b/modules/elastic-search/tests/basic/1-example.tf
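Review bot: The rename leaves `advanced_security_options_enabled` with the old prefix while the six arguments below it now read `var.internal_user_database_enabled`, `var.master_user_arn` and so on, so the module's public inputs follow two naming conventions for one feature; either keep the `advanced_security_options_` prefix on all seven (it mirrors the wrapped module's argument names, which helps anyone grepping across the two) or shorten all seven, and apply the same choice in this patch's README and variables.tf hunks. Since PATCH 1/4 introduced the long names in the same series, squashing the two patches would avoid publishing an input interface that exists for only one commit. The main.tf module block starts and ends outside this hunk.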
@@ -7,10 +7,10 @@ module "this" {
 vpc_options_security_group_whitelist_cidr = ["10.16.0.0/16"]
 ebs_options_volume_size = 10
- encrypt_at_rest_enabled = true
- advanced_security_options_enabled = true
- advanced_security_options_internal_user_database_enabled = true
- advanced_security_options_master_user_username = "admin"
- advanced_security_options_create_random_master_password = true
- // Or you can use advanced_security_options_master_user_password variable
+ encrypt_at_rest_enabled = true
+ advanced_security_options_enabled = true
+ internal_user_database_enabled = true
+ master_user_username = "admin"
+ create_random_master_password = true
+ // Or you can use master_user_password variable
 }
diff --git a/modules/elastic-search/variables.tf b/modules/elastic-search/variables.tf
index da780ee1..6963a768 100644
--- a/modules/elastic-search/variables.tf
+++ b/modules/elastic-search/variables.tf
@@ -117,37 +117,37 @@ variable "advanced_security_options_enabled" {
 default = false
 }
-variable "advanced_security_options_internal_user_database_enabled" {
+variable "internal_user_database_enabled" {
 description = "Whether the internal user database is enabled. If not set, defaults to false by the AWS API."
 type = bool
 default = false
 }
-variable "advanced_security_options_master_user_arn" {
+variable "master_user_arn" {
 description = "ARN for the master user. Only specify if `internal_user_database_enabled` is not set or set to `false`)"
 type = string
 default = null
 }
-variable "advanced_security_options_master_user_username" {
+variable "master_user_username" {
 description = "The master user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`."
 type = string
 default = null
 }
-variable "advanced_security_options_master_user_password" {
+variable "master_user_password" {
 description = "The master user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`."
 type = string
 default = null
 }
-variable "advanced_security_options_create_random_master_password" {
+variable "create_random_master_password" {
 description = "Whether to create random master password for Elasticsearch master user"
 type = bool
 default = false
 }
-variable "advanced_security_options_random_master_password_length" {
+variable "random_master_password_length" {
 description = "Length of random master password to create"
 type = number
 default = 16
From 36e20591d6f1ca12aa0c458782642a5b87356599 Mon Sep 17 00:00:00 2001
From: Julieta Aghamyan
Date: Mon, 2 Oct 2023 16:09:10 +0400
Subject: [PATCH 4/4] feat(DMVP-elasticsearch): enable encryption
---
 modules/elastic-search/README.md | 1 +
 modules/elastic-search/main.tf | 2 +-
 modules/elastic-search/tests/basic/1-example.tf | 11 ++++++-----
 modules/elastic-search/variables.tf | 6 ++++++
 4 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/modules/elastic-search/README.md b/modules/elastic-search/README.md
index 08cfb5ec..25bcea90 100644
--- a/modules/elastic-search/README.md
+++ b/modules/elastic-search/README.md
@@ -55,6 +55,7 @@ module "elastic-search" {
 | [create\_random\_master\_password](#input\_create\_random\_master\_password) | Whether to create random master password for Elasticsearch master user | `bool` | `false` | no |
 | [create\_service\_link\_role](#input\_create\_service\_link\_role) | Create service link role for AWS Elasticsearch Service | `bool` | `true` | no |
 | [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Have dedicated master or not for ES | `bool` | `false` | no |
+| [domain\_endpoint\_options\_enforce\_https](#input\_domain\_endpoint\_options\_enforce\_https) | Whether or not to require HTTPS | `bool` | `false` | no |
 | [domain\_name](#input\_domain\_name) | The domain name of ES | `string` | n/a | yes |
 | [ebs\_options\_ebs\_enabled](#input\_ebs\_options\_ebs\_enabled) | Whether enable EBS for ES | `bool` | `true` | no |
 | [ebs\_options\_volume\_size](#input\_ebs\_options\_volume\_size) | Storage volume size in GB | `number` | `10` | no |
diff --git a/modules/elastic-search/main.tf b/modules/elastic-search/main.tf
index 981c949a..8e97a87a 100644
--- a/modules/elastic-search/main.tf
+++ b/modules/elastic-search/main.tf
@@ -48,7 +48,7 @@ module "elastic_search" {
 advanced_security_options_master_user_password = var.master_user_password
 advanced_security_options_create_random_master_password = var.create_random_master_password
 advanced_security_options_random_master_password_length = var.random_master_password_length
-
+ domain_endpoint_options_enforce_https = var.domain_endpoint_options_enforce_https
 }
diff --git a/modules/elastic-search/tests/basic/1-example.tf b/modules/elastic-search/tests/basic/1-example.tf
index 0f73feac..54ec99dd 100644
--- a/modules/elastic-search/tests/basic/1-example.tf
+++ b/modules/elastic-search/tests/basic/1-example.tf
@@ -7,10 +7,11 @@ module "this" {
 vpc_options_security_group_whitelist_cidr = ["10.16.0.0/16"]
 ebs_options_volume_size = 10
- encrypt_at_rest_enabled = true
- advanced_security_options_enabled = true
- internal_user_database_enabled = true
- master_user_username = "admin"
- create_random_master_password = true
+ encrypt_at_rest_enabled = true
+ advanced_security_options_enabled = true
+ internal_user_database_enabled = true
+ master_user_username = "admin"
+ create_random_master_password = true
+ domain_endpoint_options_enforce_https = true
 // Or you can use master_user_password variable
 }
diff --git a/modules/elastic-search/variables.tf b/modules/elastic-search/variables.tf
index 6963a768..04225e0a 100644
--- a/modules/elastic-search/variables.tf
+++ b/modules/elastic-search/variables.tf
@@ -129,6 +129,12 @@ variable "master_user_arn" {
 default = null
 }
+variable "domain_endpoint_options_enforce_https" {
+ description = "Whether or not to require HTTPS"
+ type = bool
+ default = false
+}
+
 variable "master_user_username" {
 description = "The master user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `internal_user_database_enabled` is set to `true`."
 type = string
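Review bot: `domain_endpoint_options_enforce_https` defaults to `false` in the variables.tf hunk, yet AWS only accepts a domain with `advanced_security_options_enabled = true` when HTTPS enforcement, node-to-node encryption and encryption at rest are all on — which is why the 1-example.tf hunk has to set it — so with this default every caller that enables advanced security fails at apply time until they discover the coupling. Prefer `default = true` (existing callers would see an in-place update that stops accepting plain HTTP, which is the safer direction) or at least state in the description that it is required together with advanced security. The same `domain_endpoint_options` block also carries `tls_security_policy`, which the module does not yet expose and which callers enforcing HTTPS usually want to pin as well. The new variable is inserted between `master_user_arn` and `master_user_username`, splitting the master-user group; placing it next to the other `domain_*` and encryption inputs keeps variables.tf readable.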