Terraform module to provision an OpenSearch cluster with SAML authentication.

Before using this module you need:
- A hosted zone to route traffic to your OpenSearch domain
- An entityID and metadata XML from your SAML identity provider

The module provides:
- Create an AWS OpenSearch cluster with SAML authentication
- All node types with local NVMe for high IO performance are supported
- Create or manage various OpenSearch resources: indices, index templates, ISM policies, roles and role mappings
This example uses Azure AD as the SAML identity provider.

```hcl
locals {
  cluster_name   = "opensearch"
  cluster_domain = "example.com"
  # The Azure AD tenant ID (XXX-...) and enterprise application ID (YYY-...) are placeholders.
  saml_entity_id    = "https://sts.windows.net/XXX-XXX-XXX-XXX-XXX/"
  saml_metadata_url = "https://login.microsoftonline.com/XXX-XXX-XXX-XXX-XXX/federationmetadata/2007-06/federationmetadata.xml?appid=YYY-YYY-YYY-YYY-YYY"
}

data "aws_region" "current" {}

# Fetch the IdP federation metadata; its content is handed to the domain's SAML options.
data "http" "saml_metadata" {
  url = local.saml_metadata_url
}

# The elasticsearch provider manages indices, roles and role mappings inside the cluster.
# The health check is disabled so the provider can be configured before the endpoint exists.
provider "elasticsearch" {
  url         = module.opensearch.cluster_endpoint
  aws_region  = data.aws_region.current.name
  healthcheck = false
}

module "opensearch" {
  source  = "idealo/opensearch/aws"
  version = "~> 1.0"

  cluster_name    = local.cluster_name
  cluster_domain  = local.cluster_domain
  cluster_version = "1.2"

  saml_entity_id        = local.saml_entity_id
  saml_metadata_content = data.http.saml_metadata.body

  indices = {
    example-index = {
      number_of_shards   = 2
      number_of_replicas = 1
    }
  }
}
```
A complete working example of using this Terraform module ships with it:
- Complete - Create an AWS OpenSearch cluster with all necessary resources.
The module requires the following Terraform and provider versions:

| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | >= 4.12.0 |
| elasticsearch | >= 2.0.0 |
It calls this child module:

| Name | Source | Version |
|---|---|---|
| acm | terraform-aws-modules/acm/aws | ~> 4.0.1 |
It manages these resources and data sources:

| Name | Type |
|---|---|
| aws_elasticsearch_domain.opensearch | resource |
| aws_elasticsearch_domain_saml_options.opensearch | resource |
| aws_iam_service_linked_role.es | resource |
| aws_route53_record.opensearch | resource |
| elasticsearch_index.index | resource |
| elasticsearch_index_template.index_template | resource |
| elasticsearch_opensearch_ism_policy.ism_policy | resource |
| elasticsearch_opensearch_role.role | resource |
| elasticsearch_opensearch_roles_mapping.master_user_arn | resource |
| elasticsearch_opensearch_roles_mapping.role_mapping | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.access_policy | data source |
| aws_region.current | data source |
| aws_route53_zone.opensearch | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| availability_zones | The number of availability zones for the OpenSearch cluster. Valid values: 1, 2 or 3. | number | 3 | no |
| cluster_domain | The hosted zone name of the OpenSearch cluster. | string | n/a | yes |
| cluster_name | The name of the OpenSearch cluster. | string | "opensearch" | no |
| cluster_version | The version of OpenSearch to deploy. | string | "1.0" | no |
| create_service_role | Indicates whether to create the service-linked role. See https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html | bool | true | no |
| encrypt_kms_key_id | The KMS key ID to encrypt the OpenSearch cluster with. If not specified, the AWS OpenSearch Service KMS key is used. | string | "" | no |
| hot_instance_count | The number of dedicated hot nodes in the cluster. | number | 3 | no |
| hot_instance_type | The type of EC2 instances to run for each hot node. A list of available instance types can be found at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing | string | "r6gd.4xlarge.elasticsearch" | no |
| index_files | A set of all index files to create. | set(string) | [] | no |
| index_template_files | A set of all index template files to create. | set(string) | [] | no |
| index_templates | A map of all index templates to create. | map(any) | {} | no |
| indices | A map of all indices to create. | map(any) | {} | no |
| ism_policies | A map of all ISM policies to create. | map(any) | {} | no |
| ism_policy_files | A set of all ISM policy files to create. | set(string) | [] | no |
| master_instance_count | The number of dedicated master nodes in the cluster. | number | 3 | no |
| master_instance_enabled | Indicates whether dedicated master nodes are enabled for the cluster. | bool | true | no |
| master_instance_type | The type of EC2 instances to run for each master node. A list of available instance types can be found at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing | string | "r6gd.large.elasticsearch" | no |
| master_user_arn | The ARN for the master user of the cluster. If not specified, the IAM identity making the request is used. | string | "" | no |
| role_files | A set of all role files to create. | set(string) | [] | no |
| role_mapping_files | A set of all role mapping files to create. | set(string) | [] | no |
| role_mappings | A map of all role mappings to create. | map(any) | {} | no |
| roles | A map of all roles to create. | map(any) | {} | no |
| saml_entity_id | The unique Entity ID of the application in the SAML identity provider. | string | n/a | yes |
| saml_master_backend_role | This backend role receives full permissions to the cluster, equivalent to a new master role, but can only use those permissions within Dashboards. | string | null | no |
| saml_master_user_name | This username receives full permissions to the cluster, equivalent to a new master user, but can only use those permissions within Dashboards. | string | null | no |
| saml_metadata_content | The metadata of the SAML application in XML format. | string | n/a | yes |
| saml_roles_key | Element of the SAML assertion to use for backend roles. | string | "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" | no |
| saml_session_timeout | Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440. | number | 60 | no |
| saml_subject_key | Element of the SAML assertion to use for the username. | string | "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" | no |
| tags | A map of tags to add to all resources. | map(string) | {} | no |
| warm_instance_count | The number of dedicated warm nodes in the cluster. | number | 3 | no |
| warm_instance_enabled | Indicates whether UltraWarm nodes are enabled for the cluster. | bool | true | no |
| warm_instance_type | The type of EC2 instances to run for each warm node. A list of available instance types can be found at https://aws.amazon.com/en/elasticsearch-service/pricing/#UltraWarm_pricing | string | "ultrawarm1.large.elasticsearch" | no |
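The usage example above and the SAML-related inputs in the table leave two things implicit that matter once the cluster holds real data: the fetched IdP metadata is trusted as-is, and the master user defaults to whoever runs the apply. The configuration below is an added example, not code from the module or its README. It verifies the metadata document before passing it on, pins the administrative identities explicitly, and grants cluster access through an IdP group rather than a named user. Assumptions: Terraform >= 1.2 for `postcondition` blocks; the tenant and application IDs, the KMS key ID, the IAM role name and the group name `opensearch-admins` are placeholders; and the shape of `role_mappings` entries (a `backend_roles` list keyed by OpenSearch role name, mirroring the arguments of the `elasticsearch_opensearch_roles_mapping` resource the module manages) is an assumption, since the inputs table only declares the variable as `map(any)`.

```hcl
locals {
  cluster_name   = "opensearch"
  cluster_domain = "example.com"
  # Placeholder Azure AD tenant ID (XXX-...) and enterprise application ID (YYY-...).
  saml_entity_id    = "https://sts.windows.net/XXX-XXX-XXX-XXX-XXX/"
  saml_metadata_url = "https://login.microsoftonline.com/XXX-XXX-XXX-XXX-XXX/federationmetadata/2007-06/federationmetadata.xml?appid=YYY-YYY-YYY-YYY-YYY"
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

data "http" "saml_metadata" {
  url = local.saml_metadata_url

  # Assumption: Terraform >= 1.2. Refuse to continue unless the document was actually
  # returned and declares the entityID we expect, so a mistyped tenant or app ID cannot
  # silently bind the cluster to a different identity provider.
  # Note: http provider >= 3.0 exposes the body as `response_body`; `body` is kept here
  # to match the module's usage example.
  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "Fetching SAML metadata returned HTTP ${self.status_code}."
    }
    postcondition {
      condition     = can(regex("entityID=\"${local.saml_entity_id}\"", self.body))
      error_message = "SAML metadata does not declare entityID ${local.saml_entity_id}; check the tenant and app IDs."
    }
  }
}

provider "elasticsearch" {
  url         = module.opensearch.cluster_endpoint
  aws_region  = data.aws_region.current.name
  healthcheck = false
}

module "opensearch" {
  source  = "idealo/opensearch/aws"
  version = "~> 1.0"

  cluster_name    = local.cluster_name
  cluster_domain  = local.cluster_domain
  cluster_version = "1.2"

  saml_entity_id        = local.saml_entity_id
  saml_metadata_content = data.http.saml_metadata.body

  # Which assertion attributes carry the username and the group/role claims.
  saml_subject_key = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  saml_roles_key   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

  # Full Dashboards rights go to an IdP group (placeholder name), not to one person,
  # so membership changes in the IdP revoke access without a Terraform change.
  saml_master_backend_role = "opensearch-admins"
  saml_session_timeout     = 60

  # Pin the API-side master user to a dedicated role (placeholder name) instead of
  # inheriting the identity that happens to run `terraform apply`.
  master_user_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/opensearch-admin"

  # Customer-managed KMS key (placeholder ID) instead of the service default key.
  encrypt_kms_key_id = "00000000-0000-0000-0000-000000000000"

  indices = {
    example-index = {
      number_of_shards   = 2
      number_of_replicas = 1
    }
  }

  # Assumed entry shape: role name -> backend roles from the IdP role claim.
  role_mappings = {
    readall = {
      backend_roles = ["opensearch-readers"]
    }
  }

  tags = {
    Environment = "example"
  }
}
```

The postconditions are evaluated during `terraform plan`, so a wrong tenant or application ID surfaces as a plan error before any domain setting is changed. If your IdP's metadata lists more than one `entityID` (for example signing and encryption descriptors under the same entity), the regex still only confirms that the expected one is present.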
Outputs:

| Name | Description |
|---|---|
| cluster_endpoint | The endpoint URL of the OpenSearch cluster. |
| cluster_name | The name of the OpenSearch cluster. |
| cluster_version | The version of the OpenSearch cluster. |
| kibana_endpoint | The endpoint URL of the OpenSearch dashboards. |
Apache 2 Licensed. See LICENSE for full details.