AWS OpenSearch Terraform Module

Terraform module to provision an OpenSearch cluster with SAML authentication.

Prerequisites

A hosted zone to route traffic to your OpenSearch domain
An entityID and metadata XML from your SAML identity provider (in case saml_enabled = true)

Features

Create an AWS OpenSearch cluster with SAML authentication
All node types with local NVMe for high IO performance are supported
Create or manage various OpenSearch resources:

Usage

This example is using Azure AD as SAML identity provider.

locals {
  cluster_name      = "opensearch"
  cluster_domain    = "example.com"
  saml_entity_id    = "https://sts.windows.net/XXX-XXX-XXX-XXX-XXX/"
  saml_metadata_url = "https://login.microsoftonline.com/XXX-XXX-XXX-XXX-XXX/federationmetadata/2007-06/federationmetadata.xml?appid=YYY-YYY-YYY-YYY-YYY"
}

data "aws_region" "current" {}

data "http" "saml_metadata" {
  url = local.saml_metadata_url
}

provider "elasticsearch" {
  url                   = module.opensearch.cluster_endpoint
  aws_region            = data.aws_region.current.name
  healthcheck           = false
}

module "opensearch" {
  source  = "idealo/opensearch/aws"
  version = "~> 1.0"

  cluster_name    = local.cluster_name
  cluster_domain  = local.cluster_domain
  cluster_version = "1.2"

  saml_entity_id        = local.saml_entity_id
  saml_metadata_content = data.http.saml_metadata.body

  indices = {
    example-index = {
      number_of_shards   = 2
      number_of_replicas = 1
    }
  }
}

Examples

Here is a working example of using this Terraform module:

Complete - Create an AWS OpenSearch cluster with all necessary resources.
Minimal - Create an empty AWS OpenSearch cluster without saml.

Requirements

Name	Version
terraform	>= 1.0.0
aws	>= 4.12.0
elasticsearch	>= 2.0.0

Modules

Name	Source	Version
acm	terraform-aws-modules/acm/aws	~> 4.3.1

Resources

Name	Type
aws_elasticsearch_domain.opensearch	resource
aws_elasticsearch_domain_saml_options.opensearch	resource
aws_iam_service_linked_role.es	resource
aws_route53_record.opensearch	resource
elasticsearch_index.index	resource
elasticsearch_index_template.index_template	resource
elasticsearch_opensearch_ism_policy.ism_policy	resource
elasticsearch_opensearch_role.role	resource
elasticsearch_opensearch_roles_mapping.master_user_arn	resource
elasticsearch_opensearch_roles_mapping.role_mapping	resource
aws_caller_identity.current	data source
aws_iam_policy_document.access_policy	data source
aws_region.current	data source
aws_route53_zone.opensearch	data source

Inputs

Name	Description	Type	Default	Required
access_policies	IAM policy document specifying the access policies for the domain.	`string`	`null`	no
advanced_options	Key-value string pairs to specify advanced configuration options.	`map(string)`	`null`	no
advanced_security_options_enabled	Whether advanced security is enabled.	`bool`	`true`	no
advanced_security_options_internal_user_database_enabled	Whether to enable or not internal Kibana user database for ELK OpenDistro security plugin	`bool`	`false`	no
advanced_security_options_master_user_name	Master user username (applicable if advanced_security_options_internal_user_database_enabled set to true)	`string`	`null`	no
advanced_security_options_master_user_password	Master user password (applicable if advanced_security_options_internal_user_database_enabled set to true)	`string`	`null`	no
availability_zones	The number of availability zones for the OpenSearch cluster. Valid values: 1, 2 or 3.	`number`	`3`	no
cluster_domain	The hosted zone name of the OpenSearch cluster.	`string`	n/a	yes
cluster_domain_private	Indicates whether to create records in a private (true) or public (false) zone	`bool`	`false`	no
cluster_name	The name of the OpenSearch cluster.	`string`	`"opensearch"`	no
cluster_version	The version of OpenSearch to deploy.	`string`	`"1.0"`	no
cognito_options	Configuration block for authenticating Kibana with Cognito.	`map(string)`	`{}`	no
cognito_options_enabled	Whether Amazon Cognito authentication with Kibana is enabled or not.	`bool`	`false`	no
create_service_role	Indicates whether to create the service-linked role. See https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html	`bool`	`true`	no
custom_endpoint	Fully qualified domain for your custom endpoint. If not specified, then it defaults to <cluster_name>.<cluster_domain>	`string`	`null`	no
custom_endpoint_certificate_arn	The ARN of the custom ACM certificate.	`string`	`""`	no
ebs_enabled	Indicates whether attach EBS volumes to the data nodes.	`bool`	`false`	no
ebs_iops	The baseline input/output (I/O) performance of EBS volumes attached to data nodes.	`number`	`3000`	no
ebs_throughput	The throughput (in MiB/s) of the EBS volumes attached to data nodes. Valid values are between 125 and 1000.	`number`	`125`	no
ebs_volume_size	The size of EBS volumes attached to data nodes (in GiB).	`number`	`10`	no
ebs_volume_type	The type of EBS volumes attached to data nodes.	`string`	`"gp3"`	no
encrypt_at_rest_enabled	Configuration block for encrypt at rest options	`bool`	`true`	no
encrypt_kms_key_id	The KMS key ID to encrypt the OpenSearch cluster with. If not specified, then it defaults to using the AWS OpenSearch Service KMS key.	`string`	`""`	no
hot_instance_count	The number of dedicated hot nodes in the cluster.	`number`	`3`	no
hot_instance_type	The type of EC2 instances to run for each hot node. A list of available instance types can you find at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing	`string`	`"r6gd.4xlarge.elasticsearch"`	no
index_files	A set of all index files to create.	`set(string)`	`[]`	no
index_template_files	A set of all index template files to create.	`set(string)`	`[]`	no
index_templates	A map of all index templates to create.	`map(any)`	`{}`	no
indices	A map of all indices to create.	`map(any)`	`{}`	no
ism_policies	A map of all ISM policies to create.	`map(any)`	`{}`	no
ism_policy_files	A set of all ISM policy files to create.	`set(string)`	`[]`	no
master_instance_count	The number of dedicated master nodes in the cluster.	`number`	`3`	no
master_instance_enabled	Indicates whether dedicated master nodes are enabled for the cluster.	`bool`	`true`	no
master_instance_type	The type of EC2 instances to run for each master node. A list of available instance types can you find at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing	`string`	`"r6gd.large.elasticsearch"`	no
master_user_arn	The ARN for the master user of the cluster. If not specified, then it defaults to using the IAM user that is making the request.	`string`	`""`	no
node_to_node_encryption_enabled	Configuration block for node-to-node encryption options	`bool`	`true`	no
role_files	A set of all role files to create.	`set(string)`	`[]`	no
role_mapping_files	A set of all role mapping files to create.	`set(string)`	`[]`	no
role_mappings	A map of all role mappings to create.	`map(any)`	`{}`	no
roles	A map of all roles to create.	`map(any)`	`{}`	no
saml_enabled	Indicates whether to configure SAML for the OpenSearch dashboard.	`bool`	`true`	no
saml_entity_id	The unique Entity ID of the application in SAML Identity Provider.	`string`	`""`	no
saml_master_backend_role	This backend role receives full permissions to the cluster, equivalent to a new master role, but can only use those permissions within Dashboards.	`string`	`null`	no
saml_master_user_name	This username receives full permissions to the cluster, equivalent to a new master user, but can only use those permissions within Dashboards.	`string`	`null`	no
saml_metadata_content	The metadata of the SAML application in xml format.	`string`	`""`	no
saml_roles_key	Element of the SAML assertion to use for backend roles.	`string`	`"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"`	no
saml_session_timeout	Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440.	`number`	`60`	no
saml_subject_key	Element of the SAML assertion to use for username.	`string`	`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"`	no
security_group_ids	The list of VPC security groups IDs to attach.	`list(string)`	`[]`	no
subnet_ids	The list of VPC subnet IDs to use.	`list(string)`	`[]`	no
tags	A map of tags to add to all resources.	`map(string)`	`{}`	no
vpc_enabled	Indicates whether the cluster is running inside a VPC.	`bool`	`false`	no
warm_instance_count	The number of dedicated warm nodes in the cluster.	`number`	`3`	no
warm_instance_enabled	Indicates whether ultrawarm nodes are enabled for the cluster.	`bool`	`true`	no
warm_instance_type	The type of EC2 instances to run for each warm node. A list of available instance types can you find at https://aws.amazon.com/en/elasticsearch-service/pricing/#UltraWarm_pricing	`string`	`"ultrawarm1.large.elasticsearch"`	no

Outputs

Name	Description
cluster_endpoint	The endpoint URL of the OpenSearch cluster.
cluster_name	The name of the OpenSearch cluster.
cluster_version	The version of the OpenSearch cluster.
kibana_endpoint	The endpoint URL of the OpenSearch dashboards.

License

Apache 2 Licensed. See LICENSE for full details.

lotusflare / fork-terraform-aws-opensearch Goto Github PK

fork-terraform-aws-opensearch's Introduction

AWS OpenSearch Terraform Module

Prerequisites

Features

Usage

Examples

Requirements

Modules

Resources

Inputs

Outputs

License

fork-terraform-aws-opensearch's People

Contributors

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

Jobs