AWS OpenSearch Domain Terraform Module

This Terraform module creates and manages an AWS OpenSearch domain inside a VPC. Its network inputs (VPC ID, subnet IDs, CIDR blocks) are meant to be fed from an existing EKS cluster module or from any VPC you already manage. Below is a description of the module's configuration options and usage.

Usage

Below is a simple example configuration that demonstrates how to use this module. Adjust the values as needed for your specific setup, and replace the `region`, `account-id` and `domain-name` placeholders in the access policy with your own values.

```hcl
module "opensearch_domain" {
  source = "github.com/camunda/camunda-tf-eks-module/modules/opensearch"

  domain_name    = "my-opensearch-domain"
  engine_version = "2.15"
  subnet_ids     = module.eks_cluster.private_subnet_ids
  vpc_id         = module.eks_cluster.vpc_id
  cidr_blocks    = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks)

  instance_type   = "t3.small.search"
  instance_count  = 3
  ebs_volume_size = 100

  # Fine-grained access control with the internal user database. The password below is a
  # placeholder only: in a real configuration pass it through a sensitive variable or a
  # secret store, because a literal ends up in version control and in the Terraform state.
  advanced_security_enabled                        = true
  advanced_security_internal_user_database_enabled = true
  advanced_security_master_user_name               = "admin"
  advanced_security_master_user_password           = "password"

  # Open access policy: every principal is allowed every es: action on the domain. Only the
  # VPC boundary and fine-grained access control then stand between a caller and the data,
  # so replace the "*" principal with the ARNs that actually need access in production.
  access_policies = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "es:*",
      "Resource": "arn:aws:es:region:account-id:domain/domain-name/*"
    }
  ]
}
EOF
}
```

Features

  • VPC integration: Deploy OpenSearch within your existing VPC, so the domain endpoint is reachable only from the VPC's network (and the CIDR blocks you allow in the security group) and is never exposed publicly.
  • Advanced Security Options: Optional fine-grained access control, either with the domain's internal user database or with an IAM principal as master user.
  • Encryption at Rest: The domain is encrypted with a module-managed KMS key, with automatic key rotation enabled by default.
  • EBS Volume Support: Attach scalable EBS volumes to the OpenSearch data nodes.
  • Zone Awareness: Deploy the domain across multiple availability zones for better redundancy.
  • Node-to-Node Encryption: TLS between OpenSearch nodes, enabled by default.
  • Cold and Warm Storage: Support for cold and warm storage tiers for cost-effective long-term data storage.

Best Practices

  • Enable automated snapshots (see automated_snapshot_start_hour) for daily backups; the service retains automated snapshots for 14 days, so take manual snapshots to S3 if you need longer retention.
  • Use advanced security options in production to enforce access controls, preferably with an IAM master user (advanced_security_master_user_arn) rather than the internal user database, so that no password has to be stored in the configuration or the state.
  • Scope access_policies to the IAM principals that need the domain instead of "Principal": "*", and publish logs (log_types) to CloudWatch so slow queries and application errors are visible.
  • Adjust instance types and EBS volumes based on the expected workload and data size.
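The following is an added example of a production-oriented invocation that applies the practices above; it is not part of the module's README or the camunda-tf-eks-module project. It assumes the `module.eks_cluster` outputs used in the usage example exist, and it creates a hypothetical `aws_iam_role.opensearch_master` to act as the fine-grained-access-control master user so that no password appears anywhere in the configuration.

```hcl
# Added example (not the module's own code). Assumes module.eks_cluster exposes the
# outputs referenced below; the master IAM role and the domain name are placeholders.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  domain_name = "camunda-opensearch"
  domain_arn  = "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${local.domain_name}"
}

# IAM role that becomes the fine-grained-access-control master user. The trust policy
# below lets the account's principals assume it (assumption); tighten it to the operator
# role you actually use.
resource "aws_iam_role" "opensearch_master" {
  name = "${local.domain_name}-master"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
      Action    = "sts:AssumeRole"
    }]
  })
}

module "opensearch_domain" {
  source = "github.com/camunda/camunda-tf-eks-module/modules/opensearch"

  domain_name    = local.domain_name
  engine_version = "2.15"
  subnet_ids     = module.eks_cluster.private_subnet_ids
  vpc_id         = module.eks_cluster.vpc_id
  # Only workloads in the private subnets talk to the domain, so the public CIDRs stay out
  # of the security group.
  cidr_blocks = module.eks_cluster.private_vpc_cidr_blocks

  instance_type   = "m5.large.search"
  instance_count  = 3
  ebs_volume_size = 100

  # Fine-grained access control with an IAM master user: no internal user database and
  # therefore no password in variables, state or version control.
  advanced_security_enabled                        = true
  advanced_security_internal_user_database_enabled = false
  advanced_security_master_user_arn                = aws_iam_role.opensearch_master.arn

  # Domain access policy scoped to named principals instead of "*". The access policy is
  # evaluated before fine-grained access control, so every IAM principal that will call the
  # domain (the master role, the IRSA roles of your workloads) must be listed here.
  access_policies = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = [aws_iam_role.opensearch_master.arn] }
      Action    = "es:ESHttp*"
      Resource  = "${local.domain_arn}/*"
    }]
  })

  # Publish slow logs and application logs to CloudWatch.
  log_types = ["ES_APPLICATION_LOGS", "SEARCH_SLOW_LOGS", "INDEX_SLOW_LOGS"]

  auto_software_update_enabled = true
}
```

Requests from the master role and from any other listed principal must be SigV4-signed; there is no username/password login once the internal user database is disabled. Control-plane actions (UpdateDomainConfig and friends) are not affected by the narrowed resource policy, because same-account callers are still authorized by their own identity-based policies.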

The subnet, VPC and CIDR inputs are designed to be passed straight from the EKS cluster module in this repository, but any VPC's subnet IDs and CIDR blocks work, so the module can also be used with a standalone VPC.

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.log_group | resource |
| aws_cloudwatch_log_resource_policy.log_policy | resource |
| aws_iam_policy.access_policies | resource |
| aws_iam_role.roles | resource |
| aws_iam_role_policy_attachment.attach_policies | resource |
| aws_kms_key.kms | resource |
| aws_opensearch_domain.opensearch_cluster | resource |
| aws_security_group.this | resource |
| aws_security_group_rule.allow_egress | resource |
| aws_security_group_rule.allow_ingress | resource |
| aws_iam_policy_document.log_policy_document | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access_policies | IAM policy document (JSON string) specifying the access policy for the domain. | `string` | `"{}"` | no |
| advanced_options | Key-value string pairs to specify advanced configuration options. | `map(any)` | `{ "rest.action.multi.allow_explicit_index": true }` | no |
| advanced_security_anonymous_auth_enabled | Whether anonymous authentication is enabled. | `bool` | `false` | no |
| advanced_security_enabled | Whether advanced security (fine-grained access control) is enabled. | `bool` | `false` | no |
| advanced_security_internal_user_database_enabled | Whether the internal user database is enabled. | `bool` | `false` | no |
| advanced_security_master_user_arn | ARN of the IAM principal to use as the master user. Only specify if advanced_security_internal_user_database_enabled is set to false. | `string` | `""` | no |
| advanced_security_master_user_name | Master user's username, stored in the OpenSearch Service domain's internal user database. Only specify if advanced_security_internal_user_database_enabled is set to true. | `string` | `"opensearch-admin"` | no |
| advanced_security_master_user_password | Master user's password, stored in the OpenSearch Service domain's internal user database. Only specify if advanced_security_internal_user_database_enabled is set to true; pass it from a sensitive variable or a secret store, never as a literal. | `string` | `""` | no |
| auto_software_update_enabled | Whether automatic software updates are enabled for the domain. | `bool` | `false` | no |
| auto_tune_options | Configuration block for the Auto-Tune options of the domain. | `any` | `{ "desired_state": "DISABLED", "rollback_on_disable": "NO_ROLLBACK" }` | no |
| automated_snapshot_start_hour | Hour (UTC) during which the service takes an automated daily snapshot of the indices in the domain. | `number` | `0` | no |
| cidr_blocks | CIDR blocks allowed by the domain's security group for ingress and egress. | `list(string)` | n/a | yes |
| cold_storage_enabled | Whether cold storage is enabled. | `bool` | `false` | no |
| create_timeout | How long to wait for domain creation before timing out. | `string` | `"2h"` | no |
| dedicated_master_count | Number of dedicated master nodes in the cluster. | `number` | `3` | no |
| dedicated_master_enabled | Whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no |
| dedicated_master_type | Instance type of the dedicated master nodes in the cluster. | `string` | `"m4.large.search"` | no |
| domain_endpoint_options | Configuration block for domain endpoint HTTP(S) related options. | `any` | `{ "enforce_https": true, "tls_security_policy": "Policy-Min-TLS-1-2-2019-07" }` | no |
| domain_name | Name of the domain. | `string` | n/a | yes |
| ebs_enabled | Whether EBS volumes are attached to data nodes in the domain. | `bool` | `true` | no |
| ebs_iops | Baseline I/O performance (IOPS) of the EBS volumes attached to data nodes. Applicable only to the gp3 and Provisioned IOPS volume types. | `number` | `3000` | no |
| ebs_throughput | Throughput (MiB/s) of the EBS volumes attached to data nodes. Required for, and applicable only to, the gp3 volume type. | `number` | `125` | no |
| ebs_volume_size | Size (GiB) of the EBS volumes attached to data nodes. | `number` | `64` | no |
| ebs_volume_type | Type of the EBS volumes attached to data nodes. | `string` | `"gp3"` | no |
| enable_access_policy | Whether an access policy is applied to the domain. | `bool` | `true` | no |
| engine_version | OpenSearch version for the domain. | `string` | `"2.15"` | no |
| iam_roles_with_policies | List of IAM roles to create, each with its trust policy and access policy as JSON strings (see the example below the table). | `list(object({ role_name = string, trust_policy = string, access_policy = string }))` | `[]` | no |
| instance_count | Number of data node instances in the cluster. | `number` | `3` | no |
| instance_type | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no |
| ip_address_type | The IP address type for the endpoint. Valid values are `ipv4` and `dualstack`. | `string` | `"ipv4"` | no |
| kms_key_delete_window_in_days | Number of days before the KMS key is deleted after being scheduled for deletion. | `number` | `7` | no |
| kms_key_enable_key_rotation | Whether automatic key rotation is enabled for the KMS key. | `bool` | `true` | no |
| kms_key_tags | Tags to associate with the KMS key. | `map(string)` | `{}` | no |
| log_types | Types of logs to publish to CloudWatch Logs. Example: `["SEARCH_SLOW_LOGS", "INDEX_SLOW_LOGS", "ES_APPLICATION_LOGS"]` | `list(string)` | `[]` | no |
| multi_az_with_standby_enabled | Whether the multi-AZ domain is deployed with a standby AZ. | `bool` | `false` | no |
| node_to_node_encryption_enabled | Whether node-to-node encryption is enabled. | `bool` | `true` | no |
| off_peak_window_enabled | Whether the off-peak window for updates is enabled. | `bool` | `true` | no |
| security_group_ids | Additional security groups used by the domain. | `list(string)` | `[]` | no |
| subnet_ids | Subnet IDs to create the domain in. For easier usage these can be passed through from the AWS EKS Cluster module. | `list(string)` | n/a | yes |
| tags | Tags assigned to the domain. | `map(string)` | `{}` | no |
| vpc_id | VPC used by the domain. | `string` | n/a | yes |
| warm_count | Number of warm nodes in the cluster. | `number` | `2` | no |
| warm_enabled | Whether warm storage is enabled. | `bool` | `false` | no |
| warm_type | Instance type for the OpenSearch cluster's warm nodes. | `string` | `"ultrawarm1.medium.search"` | no |
| zone_awareness_availability_zone_count | Number of availability zones used. | `number` | `3` | no |
| zone_awareness_enabled | Whether zone awareness is enabled. | `bool` | `true` | no |

Example value for `iam_roles_with_policies`, as given in the variable's own definition in the module. The OIDC provider, account, namespace and service-account parts are blank in the source and are left blank here; fill them in for your cluster:

```hcl
[
  {
    role_name = "OpenSearchRole"

    # Assume-role trust policy for this OpenSearch role, as a JSON string
    trust_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::"
        }
      }
    }
  ]
}
EOF

    # Access policy granting this role access to the domain, as a JSON string
    # see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html
    access_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:DescribeElasticsearchDomains",
        "es:DescribeElasticsearchInstanceTypeLimits",
        "es:DescribeReservedElasticsearchInstanceOfferings",
        "es:DescribeReservedElasticsearchInstances",
        "es:GetCompatibleElasticsearchVersions",
        "es:ListDomainNames",
        "es:ListElasticsearchInstanceTypes",
        "es:ListElasticsearchVersions",
        "es:DescribeElasticsearchDomain",
        "es:DescribeElasticsearchDomainConfig",
        "es:ESHttpGet",
        "es:ESHttpHead",
        "es:GetUpgradeHistory",
        "es:GetUpgradeStatus",
        "es:ListTags",
        "es:AddTags",
        "es:RemoveTags",
        "es:ESHttpDelete",
        "es:ESHttpPost",
        "es:ESHttpPut"
      ],
      "Resource": "arn:aws:es:::domain//*"
    }
  ]
}
EOF
  }
]
```
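As an added example (not from the module's README or the camunda-tf-eks-module project), here is a complete `iam_roles_with_policies` value that builds an IRSA role for one Kubernetes workload, with the trust policy pinned to a single service account and the access policy limited to data-plane verbs. The cluster name `camunda-eks`, the namespace `camunda`, the service account `camunda-app` and the domain name are placeholders; the `module.eks_cluster` network outputs are the ones used in the usage example.

```hcl
# Added example (not the module's own code). Cluster name, namespace, service account
# and domain name are assumed placeholders; replace them with your own values.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Look up the cluster's OIDC issuer and the IAM OIDC provider registered for it.
data "aws_eks_cluster" "this" {
  name = "camunda-eks"
}

data "aws_iam_openid_connect_provider" "eks" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}

locals {
  domain_name = "camunda-opensearch"
  domain_arn  = "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${local.domain_name}"

  # Issuer host without the scheme; it is the prefix of the IRSA condition keys.
  oidc_host = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")

  k8s_namespace       = "camunda"
  k8s_service_account = "camunda-app"
}

module "opensearch_domain" {
  source = "github.com/camunda/camunda-tf-eks-module/modules/opensearch"

  domain_name = local.domain_name
  subnet_ids  = module.eks_cluster.private_subnet_ids
  vpc_id      = module.eks_cluster.vpc_id
  cidr_blocks = module.eks_cluster.private_vpc_cidr_blocks

  iam_roles_with_policies = [
    {
      role_name = "${local.domain_name}-app"

      # Trust policy: only pods running as the one service account may assume the role.
      # Both "sub" and "aud" are pinned, so a token from another service account, or one
      # minted for a different audience, is rejected at sts:AssumeRoleWithWebIdentity.
      trust_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [{
          Effect    = "Allow"
          Principal = { Federated = data.aws_iam_openid_connect_provider.eks.arn }
          Action    = "sts:AssumeRoleWithWebIdentity"
          Condition = {
            StringEquals = {
              "${local.oidc_host}:sub" = "system:serviceaccount:${local.k8s_namespace}:${local.k8s_service_account}"
              "${local.oidc_host}:aud" = "sts.amazonaws.com"
            }
          }
        }]
      })

      # Access policy: data-plane verbs only, scoped to this domain. An application does
      # not need the Describe*/List*/Tag control-plane actions of the README example.
      access_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [{
          Effect   = "Allow"
          Action   = ["es:ESHttpGet", "es:ESHttpHead", "es:ESHttpPost", "es:ESHttpPut", "es:ESHttpDelete"]
          Resource = "${local.domain_arn}/*"
        }]
      })
    }
  ]
}
```

The created role's ARN is available from the `opensearch_iam_role_arns` output and goes into the service account's `eks.amazonaws.com/role-arn` annotation. If fine-grained access control is enabled on the domain, the same role ARN must also be allowed by the domain's `access_policies` and mapped to an OpenSearch role in the security plugin's role mapping; the IAM policy alone does not grant index-level permissions.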

Outputs

| Name | Description |
|------|-------------|
| kms_key_arn | The ARN of the KMS key used to encrypt the OpenSearch domain |
| kms_key_id | The ID of the KMS key used for OpenSearch domain encryption |
| opensearch_cluster | OpenSearch cluster output |
| opensearch_domain_arn | The ARN of the OpenSearch domain |
| opensearch_domain_endpoint | The endpoint of the OpenSearch domain |
| opensearch_domain_id | The ID of the OpenSearch domain |
| opensearch_iam_role_access_policy_arns | Map of IAM role names to their access policy ARNs |
| opensearch_iam_role_arns | Map of IAM role names to their ARNs |
| security_group_id | The ID of the security group used by OpenSearch |
| security_group_rule_egress | Egress rule information for the OpenSearch security group |
| security_group_rule_ingress | Ingress rule information for the OpenSearch security group |