{"id":49461592,"url":"https://github.com/cloudandthings/terraform-aws-open-metadata","last_synced_at":"2026-04-30T10:40:32.930Z","repository":{"id":353546200,"uuid":"1193783168","full_name":"cloudandthings/terraform-aws-open-metadata","owner":"cloudandthings","description":"Terraform module to deploy OpenMetadata (open-metadata.org) on AWS","archived":false,"fork":false,"pushed_at":"2026-04-24T11:13:22.000Z","size":107,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-24T12:15:19.245Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudandthings.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-27T15:19:55.000Z","updated_at":"2026-04-24T11:13:15.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/cloudandthings/terraform-aws-open-metadata","commit_stats":null,"previous_names":["cloudandthings/terraform-aws-open-metadata"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/cloudandthings/terraform-aws-open-metadata","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudandthings%2Fterraform-aws-open-metadata","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudandthings%2F
terraform-aws-open-metadata/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudandthings%2Fterraform-aws-open-metadata/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudandthings%2Fterraform-aws-open-metadata/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudandthings","download_url":"https://codeload.github.com/cloudandthings/terraform-aws-open-metadata/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudandthings%2Fterraform-aws-open-metadata/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32462304,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T22:27:22.272Z","status":"online","status_checked_at":"2026-04-30T02:00:05.929Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-30T10:40:27.140Z","updated_at":"2026-04-30T10:40:32.923Z","avatar_url":"https://github.com/cloudandthings.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform AWS OpenMetadata Module\n\n[![License: 
MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Terraform](https://img.shields.io/badge/Terraform-%3E%3D%201.5-623CE4?logo=terraform)](https://www.terraform.io)\n[![OpenTofu](https://img.shields.io/badge/OpenTofu-%3E%3D%201.6-FFDA18?logo=opentofu)](https://opentofu.org)\n[![AWS Provider](https://img.shields.io/badge/AWS%20Provider-%3E%3D%205%2C%20%3C%207-FF9900?logo=amazon-aws)](https://registry.terraform.io/providers/hashicorp/aws/latest)\n[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)\n[![Tests](https://img.shields.io/badge/tests-tofu%20test-623CE4)](./tests)\n\n## Description\n\nReusable Terraform / OpenTofu module for deploying [OpenMetadata](https://open-metadata.org) on AWS.\n\nOpenMetadata is an open-source data catalog and metadata governance platform. This module provisions a production-ready OpenMetadata installation backed by managed AWS services:\n\n| AWS Service | Role |\n| --- | --- |\n| Amazon EKS | Kubernetes cluster running the OpenMetadata application |\n| Amazon RDS (PostgreSQL) | OpenMetadata metadata store |\n| Amazon OpenSearch | Full-text search and indexing |\n| AWS Secrets Manager | Credential storage for RDS and OpenSearch |\n| AWS KMS | Encryption at rest for all data-plane services |\n| AWS ALB (via Load Balancer Controller) | Ingress / HTTP(S) access to the UI |\n| Amazon Route 53 | Optional DNS record pointing to the ALB |\n| AWS ACM (Private CA) | Optional TLS certificate for the ingress |\n\n### Submodules\n\nEach concern is separated into an independently toggle-able submodule:\n\n| Submodule | What it creates |\n| --- | --- |\n| `cluster` | EKS cluster, managed node group, KMS encryption for K8s secrets |\n| `addons` | AWS Load Balancer Controller and External Secrets Operator (Helm releases + IRSA) |\n| `data` | RDS PostgreSQL instance, OpenSearch domain, and Secrets Manager secrets for both 
|\n| `app` | OpenMetadata Helm release, K8s namespace, IRSA role, ALB ingress, optional TLS |\n| `access` | EKS access entries for CI/CD pipelines or human operators |\n| `dns` | Route 53 CNAME record pointing to the ALB |\n\n----\n## Prerequisites\n\nBefore using this module you need:\n\n- **VPC** with at least two **private subnets** across different AZs (used by EKS, RDS, and OpenSearch).\n- **KMS key** — a customer-managed key used to encrypt EKS secrets, RDS, OpenSearch, and Secrets Manager secrets.\n- **IAM permissions boundary ARN** — required by the module for every IAM role it creates.\n- **Approved EKS node AMI ID** — the managed node group requires an explicit AMI ID. Use `AL2023_ARM_64_STANDARD` for Graviton (`m7g.*`) instances or `AL2023_x86_64_STANDARD` for x86.\n- **AWS credentials** configured locally (e.g. via `AWS_PROFILE` or environment variables).\n\n\u003e **Note**: If you already have an EKS cluster, RDS instance, or OpenSearch domain, you can reuse them — see [Bring Your Own Resources](#bring-your-own-resources) below.\n\n----\n## Usage\n\n```hcl\nmodule \"openmetadata\" {\n  source  = \"cloudandthings/open-metadata/aws\"\n  version = \"~\u003e 1.0\"\n\n  # Naming\n  name        = \"my-openmetadata\"\n  name_prefix = \"myom\"          # Short prefix — OpenSearch domain names are limited to 28 chars\n\n  # AWS context\n  region     = \"us-east-1\"\n  account_id = \"123456789012\"\n  tags       = { Environment = \"production\" }\n\n  # Security\n  iam_role_permissions_boundary = \"arn:aws:iam::123456789012:policy/my-boundary\"\n  kms_key_id                    = \"arn:aws:kms:us-east-1:123456789012:key/...\"\n\n  # Networking\n  vpc_id             = \"vpc-0abc1234\"\n  private_subnet_ids = [\"subnet-0aaa\", \"subnet-0bbb\", \"subnet-0ccc\"]\n\n  # EKS\n  kubernetes_version     = \"1.32\"\n  eks_node_instance_type = \"m7g.xlarge\"   # Graviton — matches AL2023_ARM_64_STANDARD\n  eks_node_ami_id        = \"ami-0abc1234\"\n  eks_node_desired_size  
= 2\n  eks_node_min_size      = 1\n  eks_node_max_size      = 4\n\n  # Database (RDS PostgreSQL)\n  database_name           = \"openmetadata\"\n  database_username       = \"openmetadata\"\n  rds_instance_class      = \"db.t3.medium\"\n  rds_engine_version      = \"16.3\"\n  rds_family              = \"postgres16\"\n  rds_allocated_storage   = 50\n  rds_multi_az            = true\n  rds_deletion_protection = true\n  rds_skip_final_snapshot = false\n\n  # OpenSearch\n  opensearch_engine_version  = \"OpenSearch_2.17\"\n  opensearch_instance_type   = \"m6g.large.search\"\n  opensearch_instance_count  = 1\n  opensearch_ebs_volume_size = 50\n  opensearch_master_username = \"openmetadata\"\n\n  # Kubernetes namespace\n  namespace = \"openmetadata\"\n}\n```\n\nSee [examples/basic/](./examples/basic/) for a complete working example.\n\n### Bring Your Own Resources\n\nEach major component can be disabled when you already have that resource. Supply the corresponding `existing_*` inputs in its place:\n\n```hcl\n# Use an existing EKS cluster instead of creating one\ncreate_cluster               = false\nexisting_cluster_name        = \"my-existing-cluster\"\nexisting_cluster_endpoint    = \"https://...\"\nexisting_cluster_ca_data     = \"...\"\nexisting_oidc_provider_arn   = \"arn:aws:iam::...\"\nexisting_cluster_security_group_id = \"sg-...\"\nexisting_node_security_group_id    = \"sg-...\"\n\n# Use an existing PostgreSQL database\ncreate_rds                   = false\nexisting_database_endpoint   = \"my-db.cluster-xyz.us-east-1.rds.amazonaws.com\"\nexisting_database_secret_arn = \"arn:aws:secretsmanager:...\"\n\n# Use an existing OpenSearch domain\ncreate_opensearch              = false\nexisting_opensearch_endpoint   = \"search-my-domain-xyz.us-east-1.es.amazonaws.com\"\nexisting_opensearch_secret_arn = \"arn:aws:secretsmanager:...\"\n```\n\n### Optional DNS and TLS\n\n```hcl\n# Create a Route 53 CNAME record\nroute53_zone_name = \"internal.example.com\"\nsubdomain         
= \"openmetadata\"           # resolves to openmetadata.internal.example.com\n\n# Enable TLS via AWS Private CA\nenable_tls        = true\nacm_private_ca_arn = \"arn:aws:acm-pca:...\"\n```\n\n### Granting EKS Access\n\n```hcl\n# Give a CI/CD role full cluster admin\ncluster_access_principals = {\n  ci = {\n    principal_arn = \"arn:aws:iam::123456789012:role/my-ci-role\"\n  }\n}\n\n# Give a team namespace-scoped access\nnamespace_access_principals = {\n  data-team = {\n    principal_arn = \"arn:aws:iam::123456789012:role/data-team-role\"\n    namespaces    = [\"openmetadata\"]\n  }\n}\n```\n\n----\n## Notes\n\n- **Credential flow**: RDS and OpenSearch passwords are generated randomly by Terraform, stored in AWS Secrets Manager, and synced into Kubernetes as `Secret` objects via the External Secrets Operator. OpenMetadata reads them from there at startup.\n- **IRSA**: The OpenMetadata pod runs under a Kubernetes service account bound to an IAM role (IRSA) with permissions to read Glue and S3 — the minimum required for data discovery integrations.\n- **ALB security group**: The ALB security group is owned by the `app` submodule rather than the `cluster` submodule because its ingress rules are tightly coupled to the `ingress_cidr_blocks` variable.\n- **Encryption**: All data-plane services (EKS secrets, RDS, OpenSearch, Secrets Manager) are encrypted with the customer-managed KMS key passed via `kms_key_id`. A separate `secrets_kms_key_id` can be used for Secrets Manager if needed.\n- **OpenTofu / Terraform**: The module is compatible with both. The primary development binary is `tofu` (OpenTofu ≥ 1.6). 
Terraform ≥ 1.5 is also supported.\n\n----\n## Known issues\n\nNone at this time.\n\n----\n## Contributing\n\nDirect contributions are welcome.\n\nSee [`CONTRIBUTING.md`](./.github/CONTRIBUTING.md) for further information.\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n----\n## Documentation\n\n----\n### Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_account_id\"\u003e\u003c/a\u003e [account\\_id](#input\\_account\\_id) | AWS account ID for OpenSearch access policy rendering. | `string` | n/a | yes |\n| \u003ca name=\"input_acm_private_ca_arn\"\u003e\u003c/a\u003e [acm\\_private\\_ca\\_arn](#input\\_acm\\_private\\_ca\\_arn) | Private CA ARN used to issue the OpenMetadata certificate. | `string` | `null` | no |\n| \u003ca name=\"input_aws_lb_controller_chart_version\"\u003e\u003c/a\u003e [aws\\_lb\\_controller\\_chart\\_version](#input\\_aws\\_lb\\_controller\\_chart\\_version) | Helm chart version for the AWS Load Balancer Controller. | `string` | `\"3.1.0\"` | no |\n| \u003ca name=\"input_cluster_access_principals\"\u003e\u003c/a\u003e [cluster\\_access\\_principals](#input\\_cluster\\_access\\_principals) | Keyed map of principals that should get cluster-scoped access. | \u003cpre\u003emap(object({\u003cbr/\u003e    principal_arn = string\u003cbr/\u003e    policy_arn    = optional(string, \"arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy\")\u003cbr/\u003e  }))\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_cluster_api_ingress_cidr_blocks\"\u003e\u003c/a\u003e [cluster\\_api\\_ingress\\_cidr\\_blocks](#input\\_cluster\\_api\\_ingress\\_cidr\\_blocks) | CIDR ranges allowed to reach the private EKS API endpoint. | `list(string)` | \u003cpre\u003e[\u003cbr/\u003e  \"10.0.0.0/8\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_create\"\u003e\u003c/a\u003e [create](#input\\_create) | Global create toggle for the module. 
| `bool` | `true` | no |\n| \u003ca name=\"input_create_access\"\u003e\u003c/a\u003e [create\\_access](#input\\_create\\_access) | Whether to manage EKS access entries. | `bool` | `true` | no |\n| \u003ca name=\"input_create_addons\"\u003e\u003c/a\u003e [create\\_addons](#input\\_create\\_addons) | Whether to create cluster-wide addon resources. | `bool` | `true` | no |\n| \u003ca name=\"input_create_app\"\u003e\u003c/a\u003e [create\\_app](#input\\_create\\_app) | Whether to create the OpenMetadata application resources. | `bool` | `true` | no |\n| \u003ca name=\"input_create_aws_load_balancer_controller\"\u003e\u003c/a\u003e [create\\_aws\\_load\\_balancer\\_controller](#input\\_create\\_aws\\_load\\_balancer\\_controller) | Whether to install the AWS Load Balancer Controller addon. | `bool` | `true` | no |\n| \u003ca name=\"input_create_cluster\"\u003e\u003c/a\u003e [create\\_cluster](#input\\_create\\_cluster) | Whether to create the EKS cluster resources. | `bool` | `true` | no |\n| \u003ca name=\"input_create_data\"\u003e\u003c/a\u003e [create\\_data](#input\\_create\\_data) | Whether to create OpenMetadata data-plane resources. | `bool` | `true` | no |\n| \u003ca name=\"input_create_external_secrets_operator\"\u003e\u003c/a\u003e [create\\_external\\_secrets\\_operator](#input\\_create\\_external\\_secrets\\_operator) | Whether to install the External Secrets Operator addon. | `bool` | `true` | no |\n| \u003ca name=\"input_create_ingress\"\u003e\u003c/a\u003e [create\\_ingress](#input\\_create\\_ingress) | Whether to create the OpenMetadata ingress resources. | `bool` | `true` | no |\n| \u003ca name=\"input_create_namespace\"\u003e\u003c/a\u003e [create\\_namespace](#input\\_create\\_namespace) | Whether to create the Kubernetes namespace. | `bool` | `true` | no |\n| \u003ca name=\"input_create_node_group\"\u003e\u003c/a\u003e [create\\_node\\_group](#input\\_create\\_node\\_group) | Whether to create the default EKS managed node group. 
| `bool` | `true` | no |\n| \u003ca name=\"input_create_openmetadata_release\"\u003e\u003c/a\u003e [create\\_openmetadata\\_release](#input\\_create\\_openmetadata\\_release) | Whether to install the OpenMetadata Helm release. | `bool` | `true` | no |\n| \u003ca name=\"input_create_opensearch\"\u003e\u003c/a\u003e [create\\_opensearch](#input\\_create\\_opensearch) | Whether to create the OpenSearch domain. | `bool` | `true` | no |\n| \u003ca name=\"input_create_opensearch_secret\"\u003e\u003c/a\u003e [create\\_opensearch\\_secret](#input\\_create\\_opensearch\\_secret) | Whether to create the OpenSearch credentials secret. | `bool` | `true` | no |\n| \u003ca name=\"input_create_rds\"\u003e\u003c/a\u003e [create\\_rds](#input\\_create\\_rds) | Whether to create the PostgreSQL database. When false, provide existing\\_database\\_endpoint and existing\\_database\\_secret\\_arn for any path that needs database connectivity. | `bool` | `true` | no |\n| \u003ca name=\"input_create_rds_secret\"\u003e\u003c/a\u003e [create\\_rds\\_secret](#input\\_create\\_rds\\_secret) | Whether to create the RDS credentials secret when create\\_rds is true. Managed RDS currently requires this to remain true. | `bool` | `true` | no |\n| \u003ca name=\"input_database_name\"\u003e\u003c/a\u003e [database\\_name](#input\\_database\\_name) | OpenMetadata database name. Used as the managed RDS database name when create\\_rds is true. When create\\_rds is false, this database must already exist on existing\\_database\\_endpoint. | `string` | `\"openmetadata\"` | no |\n| \u003ca name=\"input_database_secret_property\"\u003e\u003c/a\u003e [database\\_secret\\_property](#input\\_database\\_secret\\_property) | Optional JSON property to extract from the database secret value. Leave null for plain string secrets. Defaults to password only when this module creates the database secret (create\\_data, create\\_rds, and create\\_rds\\_secret are all true). 
| `string` | `null` | no |\n| \u003ca name=\"input_database_username\"\u003e\u003c/a\u003e [database\\_username](#input\\_database\\_username) | OpenMetadata database username. Used as the managed RDS username when create\\_rds is true. When create\\_rds is false, this user must already exist and have access to database\\_name. | `string` | `\"openmetadata\"` | no |\n| \u003ca name=\"input_eks_node_ami_id\"\u003e\u003c/a\u003e [eks\\_node\\_ami\\_id](#input\\_eks\\_node\\_ami\\_id) | Approved AMI ID for the EKS managed node group. | `string` | n/a | yes |\n| \u003ca name=\"input_eks_node_ami_type\"\u003e\u003c/a\u003e [eks\\_node\\_ami\\_type](#input\\_eks\\_node\\_ami\\_type) | AMI type for the EKS managed node group. | `string` | `\"AL2023_ARM_64_STANDARD\"` | no |\n| \u003ca name=\"input_eks_node_desired_size\"\u003e\u003c/a\u003e [eks\\_node\\_desired\\_size](#input\\_eks\\_node\\_desired\\_size) | Desired node count for the default EKS managed node group. | `number` | `2` | no |\n| \u003ca name=\"input_eks_node_iam_role_policy_json\"\u003e\u003c/a\u003e [eks\\_node\\_iam\\_role\\_policy\\_json](#input\\_eks\\_node\\_iam\\_role\\_policy\\_json) | Optional JSON IAM policy document to attach to the default node role. | `string` | `null` | no |\n| \u003ca name=\"input_eks_node_instance_type\"\u003e\u003c/a\u003e [eks\\_node\\_instance\\_type](#input\\_eks\\_node\\_instance\\_type) | Instance type for the default EKS managed node group. | `string` | `\"m7g.large\"` | no |\n| \u003ca name=\"input_eks_node_max_size\"\u003e\u003c/a\u003e [eks\\_node\\_max\\_size](#input\\_eks\\_node\\_max\\_size) | Maximum node count for the default EKS managed node group. | `number` | `4` | no |\n| \u003ca name=\"input_eks_node_min_size\"\u003e\u003c/a\u003e [eks\\_node\\_min\\_size](#input\\_eks\\_node\\_min\\_size) | Minimum node count for the default EKS managed node group. 
| `number` | `1` | no |\n| \u003ca name=\"input_eks_node_startup_script\"\u003e\u003c/a\u003e [eks\\_node\\_startup\\_script](#input\\_eks\\_node\\_startup\\_script) | Optional shell script to run on EKS node startup. | `string` | `null` | no |\n| \u003ca name=\"input_enable_tls\"\u003e\u003c/a\u003e [enable\\_tls](#input\\_enable\\_tls) | Whether to enable TLS for the OpenMetadata ingress. | `bool` | `false` | no |\n| \u003ca name=\"input_existing_cluster_ca_data\"\u003e\u003c/a\u003e [existing\\_cluster\\_ca\\_data](#input\\_existing\\_cluster\\_ca\\_data) | Existing cluster certificate authority data used when create\\_cluster is false. | `string` | `null` | no |\n| \u003ca name=\"input_existing_cluster_endpoint\"\u003e\u003c/a\u003e [existing\\_cluster\\_endpoint](#input\\_existing\\_cluster\\_endpoint) | Existing cluster API endpoint used when create\\_cluster is false. | `string` | `null` | no |\n| \u003ca name=\"input_existing_cluster_name\"\u003e\u003c/a\u003e [existing\\_cluster\\_name](#input\\_existing\\_cluster\\_name) | Existing cluster name used when create\\_cluster is false. | `string` | `null` | no |\n| \u003ca name=\"input_existing_cluster_security_group_id\"\u003e\u003c/a\u003e [existing\\_cluster\\_security\\_group\\_id](#input\\_existing\\_cluster\\_security\\_group\\_id) | Existing cluster security group ID used when create\\_cluster is false. | `string` | `null` | no |\n| \u003ca name=\"input_existing_database_endpoint\"\u003e\u003c/a\u003e [existing\\_database\\_endpoint](#input\\_existing\\_database\\_endpoint) | Endpoint (host or host:port) of an existing PostgreSQL database. Required when create\\_rds is false and managed data resources are used, and also required when create\\_data is false while create\\_app and create\\_openmetadata\\_release are true. 
| `string` | `null` | no |\n| \u003ca name=\"input_existing_database_secret_arn\"\u003e\u003c/a\u003e [existing\\_database\\_secret\\_arn](#input\\_existing\\_database\\_secret\\_arn) | Secrets Manager ARN for the existing database password (or JSON field selected by database\\_secret\\_property). Required in existing-database mode whenever the OpenMetadata release needs database credentials. | `string` | `null` | no |\n| \u003ca name=\"input_existing_node_security_group_id\"\u003e\u003c/a\u003e [existing\\_node\\_security\\_group\\_id](#input\\_existing\\_node\\_security\\_group\\_id) | Existing node security group ID used when create\\_cluster is false. | `string` | `null` | no |\n| \u003ca name=\"input_existing_oidc_provider_arn\"\u003e\u003c/a\u003e [existing\\_oidc\\_provider\\_arn](#input\\_existing\\_oidc\\_provider\\_arn) | Existing OIDC provider ARN used when create\\_cluster is false. | `string` | `null` | no |\n| \u003ca name=\"input_existing_opensearch_endpoint\"\u003e\u003c/a\u003e [existing\\_opensearch\\_endpoint](#input\\_existing\\_opensearch\\_endpoint) | Existing OpenSearch endpoint used when create\\_opensearch is false. Also required when create\\_data is false while create\\_app and create\\_openmetadata\\_release are true. | `string` | `null` | no |\n| \u003ca name=\"input_existing_opensearch_secret_arn\"\u003e\u003c/a\u003e [existing\\_opensearch\\_secret\\_arn](#input\\_existing\\_opensearch\\_secret\\_arn) | Secrets Manager ARN for the existing OpenSearch password (or JSON field selected by opensearch\\_secret\\_property). Required in existing-OpenSearch mode whenever the OpenMetadata release needs OpenSearch credentials. | `string` | `null` | no |\n| \u003ca name=\"input_external_secrets_chart_version\"\u003e\u003c/a\u003e [external\\_secrets\\_chart\\_version](#input\\_external\\_secrets\\_chart\\_version) | Helm chart version for the External Secrets Operator. 
| `string` | `\"2.2.0\"` | no |\n| \u003ca name=\"input_iam_role_path\"\u003e\u003c/a\u003e [iam\\_role\\_path](#input\\_iam\\_role\\_path) | Path of the IAM role. If not specified then the default of '/' is used. | `string` | `\"/\"` | no |\n| \u003ca name=\"input_iam_role_permissions_boundary\"\u003e\u003c/a\u003e [iam\\_role\\_permissions\\_boundary](#input\\_iam\\_role\\_permissions\\_boundary) | Permissions boundary ARN for IAM roles created by this module. | `string` | n/a | yes |\n| \u003ca name=\"input_ingress_cidr_blocks\"\u003e\u003c/a\u003e [ingress\\_cidr\\_blocks](#input\\_ingress\\_cidr\\_blocks) | CIDR ranges allowed inbound to the OpenMetadata ALB. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_kms_key_id\"\u003e\u003c/a\u003e [kms\\_key\\_id](#input\\_kms\\_key\\_id) | KMS key ID or ARN used for data-plane encryption (EKS, RDS, OpenSearch). | `string` | n/a | yes |\n| \u003ca name=\"input_kubernetes_version\"\u003e\u003c/a\u003e [kubernetes\\_version](#input\\_kubernetes\\_version) | Kubernetes version for the EKS cluster. | `string` | `\"1.35\"` | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | Base name prefix used for named resources. | `string` | n/a | yes |\n| \u003ca name=\"input_name_prefix\"\u003e\u003c/a\u003e [name\\_prefix](#input\\_name\\_prefix) | Short prefix for resources with stricter name limits (e.g. OpenSearch 28-char domain limit). | `string` | n/a | yes |\n| \u003ca name=\"input_namespace\"\u003e\u003c/a\u003e [namespace](#input\\_namespace) | Kubernetes namespace for OpenMetadata. | `string` | `\"openmetadata\"` | no |\n| \u003ca name=\"input_namespace_access_principals\"\u003e\u003c/a\u003e [namespace\\_access\\_principals](#input\\_namespace\\_access\\_principals) | Keyed map of principals that should get namespace-scoped access. 
| \u003cpre\u003emap(object({\u003cbr/\u003e    principal_arn = string\u003cbr/\u003e    namespaces    = list(string)\u003cbr/\u003e    policy_arn    = optional(string, \"arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy\")\u003cbr/\u003e  }))\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_oidc_thumbprints\"\u003e\u003c/a\u003e [oidc\\_thumbprints](#input\\_oidc\\_thumbprints) | Custom OIDC root CA thumbprints for the EKS module. This module configures include\\_oidc\\_root\\_ca\\_thumbprint = false, so supply any required root CA thumbprints here. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_openmetadata_chart_version\"\u003e\u003c/a\u003e [openmetadata\\_chart\\_version](#input\\_openmetadata\\_chart\\_version) | OpenMetadata Helm chart version. | `string` | `\"1.12.3\"` | no |\n| \u003ca name=\"input_openmetadata_external_secret_kms_key_arns\"\u003e\u003c/a\u003e [openmetadata\\_external\\_secret\\_kms\\_key\\_arns](#input\\_openmetadata\\_external\\_secret\\_kms\\_key\\_arns) | Optional list of KMS key ARNs to allow decrypt for synced Secrets Manager values when customer-managed KMS keys are used. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_openmetadata_external_secret_store_name\"\u003e\u003c/a\u003e [openmetadata\\_external\\_secret\\_store\\_name](#input\\_openmetadata\\_external\\_secret\\_store\\_name) | SecretStore name used by ExternalSecret resources. | `string` | `\"aws-secrets\"` | no |\n| \u003ca name=\"input_openmetadata_external_secrets\"\u003e\u003c/a\u003e [openmetadata\\_external\\_secrets](#input\\_openmetadata\\_external\\_secrets) | Additional ExternalSecret entries keyed by Kubernetes Secret name. secret\\_arn is the AWS source secret, secret\\_key is the key written inside the Kubernetes Secret, and optional secret\\_property selects a JSON field from the AWS secret value. 
| \u003cpre\u003emap(object({\u003cbr/\u003e    secret_arn      = string\u003cbr/\u003e    secret_key      = optional(string, \"value\")\u003cbr/\u003e    secret_property = optional(string, null)\u003cbr/\u003e  }))\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_openmetadata_fqdn\"\u003e\u003c/a\u003e [openmetadata\\_fqdn](#input\\_openmetadata\\_fqdn) | Precomputed OpenMetadata FQDN used for ACM and Route53 resources. | `string` | `null` | no |\n| \u003ca name=\"input_openmetadata_heap_opts\"\u003e\u003c/a\u003e [openmetadata\\_heap\\_opts](#input\\_openmetadata\\_heap\\_opts) | JVM heap options passed to OpenMetadata via OPENMETADATA\\_HEAP\\_OPTS. | `string` | `\"-Xmx2G -Xms2G\"` | no |\n| \u003ca name=\"input_openmetadata_helm_set_sensitive_values\"\u003e\u003c/a\u003e [openmetadata\\_helm\\_set\\_sensitive\\_values](#input\\_openmetadata\\_helm\\_set\\_sensitive\\_values) | Generic sensitive Helm set values applied directly to the OpenMetadata chart via set\\_sensitive. | `map(string)` | `{}` | no |\n| \u003ca name=\"input_openmetadata_helm_set_values\"\u003e\u003c/a\u003e [openmetadata\\_helm\\_set\\_values](#input\\_openmetadata\\_helm\\_set\\_values) | Generic Helm set values applied directly to the OpenMetadata chart. Key is Helm path (for example openmetadata.config.authentication.provider), value is converted to string. | `map(any)` | `{}` | no |\n| \u003ca name=\"input_opensearch_ebs_volume_size\"\u003e\u003c/a\u003e [opensearch\\_ebs\\_volume\\_size](#input\\_opensearch\\_ebs\\_volume\\_size) | OpenSearch EBS volume size in GB. | `number` | `20` | no |\n| \u003ca name=\"input_opensearch_engine_version\"\u003e\u003c/a\u003e [opensearch\\_engine\\_version](#input\\_opensearch\\_engine\\_version) | OpenSearch engine version. | `string` | `\"OpenSearch_3.3\"` | no |\n| \u003ca name=\"input_opensearch_instance_count\"\u003e\u003c/a\u003e [opensearch\\_instance\\_count](#input\\_opensearch\\_instance\\_count) | OpenSearch data node count. 
| `number` | `2` | no |\n| <a name=\"input_opensearch_instance_type\"></a> [opensearch\\_instance\\_type](#input\\_opensearch\\_instance\\_type) | OpenSearch node instance type. | `string` | `\"m6g.large.search\"` | no |\n| <a name=\"input_opensearch_master_username\"></a> [opensearch\\_master\\_username](#input\\_opensearch\\_master\\_username) | OpenSearch master username. | `string` | `\"openmetadata\"` | no |\n| <a name=\"input_opensearch_secret_property\"></a> [opensearch\\_secret\\_property](#input\\_opensearch\\_secret\\_property) | Optional JSON property to extract from the OpenSearch secret value. Leave null for plain string secrets. Defaults to password only when this module creates the OpenSearch secret (create\\_data, create\\_opensearch, and create\\_opensearch\\_secret are all true). | `string` | `null` | no |\n| <a name=\"input_private_subnet_ids\"></a> [private\\_subnet\\_ids](#input\\_private\\_subnet\\_ids) | Private subnet IDs used by EKS and data-plane services. | `list(string)` | n/a | yes |\n| <a name=\"input_rds_allocated_storage\"></a> [rds\\_allocated\\_storage](#input\\_rds\\_allocated\\_storage) | Allocated RDS storage in GB to create. | `number` | `20` | no |\n| <a name=\"input_rds_backup_retention_period\"></a> [rds\\_backup\\_retention\\_period](#input\\_rds\\_backup\\_retention\\_period) | Number of days to retain RDS automated backups for the created RDS. Set to 0 to disable backups. | `number` | `7` | no |\n| <a name=\"input_rds_deletion_protection\"></a> [rds\\_deletion\\_protection](#input\\_rds\\_deletion\\_protection) | Whether to enable RDS deletion protection on the created RDS. | `bool` | n/a | yes |\n| <a name=\"input_rds_engine_version\"></a> [rds\\_engine\\_version](#input\\_rds\\_engine\\_version) | PostgreSQL engine version to create. 
| `string` | `\"18.3\"` | no |\n| <a name=\"input_rds_family\"></a> [rds\\_family](#input\\_rds\\_family) | Parameter group family for PostgreSQL to create. | `string` | `\"postgres18\"` | no |\n| <a name=\"input_rds_ingress_cidr_blocks\"></a> [rds\\_ingress\\_cidr\\_blocks](#input\\_rds\\_ingress\\_cidr\\_blocks) | Additional CIDR blocks allowed to reach the RDS instance on port 5432. Useful for direct database access from a bastion or developer machine. | `list(string)` | `[]` | no |\n| <a name=\"input_rds_instance_class\"></a> [rds\\_instance\\_class](#input\\_rds\\_instance\\_class) | RDS instance class to create. | `string` | `\"db.t3.medium\"` | no |\n| <a name=\"input_rds_multi_az\"></a> [rds\\_multi\\_az](#input\\_rds\\_multi\\_az) | Whether to enable Multi-AZ on the created RDS. | `bool` | n/a | yes |\n| <a name=\"input_rds_skip_final_snapshot\"></a> [rds\\_skip\\_final\\_snapshot](#input\\_rds\\_skip\\_final\\_snapshot) | Whether to skip the final snapshot on RDS deletion. | `bool` | n/a | yes |\n| <a name=\"input_region\"></a> [region](#input\\_region) | AWS region for the deployment. | `string` | n/a | yes |\n| <a name=\"input_route53_zone_name\"></a> [route53\\_zone\\_name](#input\\_route53\\_zone\\_name) | Private Route53 hosted zone used for the OpenMetadata record. | `string` | `null` | no |\n| <a name=\"input_secrets_kms_key_id\"></a> [secrets\\_kms\\_key\\_id](#input\\_secrets\\_kms\\_key\\_id) | KMS key ID or ARN used to encrypt AWS Secrets Manager secrets. | `string` | `null` | no |\n| <a name=\"input_subdomain\"></a> [subdomain](#input\\_subdomain) | Subdomain used for the OpenMetadata DNS name. | `string` | `\"open-metadata\"` | no |\n| <a name=\"input_tags\"></a> [tags](#input\\_tags) | Tags to apply to supported resources. 
| `map(string)` | `{}` | no |\n| <a name=\"input_vpc_id\"></a> [vpc\\_id](#input\\_vpc\\_id) | VPC ID used by the cluster and data plane. | `string` | n/a | yes |\n\n----\n### Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| <a name=\"module_access\"></a> [access](#module\\_access) | ./modules/access | n/a |\n| <a name=\"module_addons\"></a> [addons](#module\\_addons) | ./modules/addons | n/a |\n| <a name=\"module_app\"></a> [app](#module\\_app) | ./modules/app | n/a |\n| <a name=\"module_cluster\"></a> [cluster](#module\\_cluster) | ./modules/cluster | n/a |\n| <a name=\"module_data\"></a> [data](#module\\_data) | ./modules/data | n/a |\n| <a name=\"module_dns\"></a> [dns](#module\\_dns) | ./modules/dns | n/a |\n\n----\n### Outputs\n\n| Name | Description |\n|------|-------------|\n| <a name=\"output_access_entry_ids\"></a> [access\\_entry\\_ids](#output\\_access\\_entry\\_ids) | IDs of EKS access resources created for the cluster. |\n| <a name=\"output_cluster_ca_data\"></a> [cluster\\_ca\\_data](#output\\_cluster\\_ca\\_data) | Base64-encoded certificate authority data for the EKS cluster. |\n| <a name=\"output_cluster_endpoint\"></a> [cluster\\_endpoint](#output\\_cluster\\_endpoint) | Endpoint for the EKS cluster API server. |\n| <a name=\"output_cluster_name\"></a> [cluster\\_name](#output\\_cluster\\_name) | Name of the EKS cluster. |\n| <a name=\"output_cluster_security_group_id\"></a> [cluster\\_security\\_group\\_id](#output\\_cluster\\_security\\_group\\_id) | Cluster security group ID for the EKS cluster. |\n| <a name=\"output_database_endpoint\"></a> [database\\_endpoint](#output\\_database\\_endpoint) | Endpoint for the PostgreSQL database instance. 
|\n| <a name=\"output_node_security_group_id\"></a> [node\\_security\\_group\\_id](#output\\_node\\_security\\_group\\_id) | Node security group ID for the EKS managed node group. |\n| <a name=\"output_oidc_provider_arn\"></a> [oidc\\_provider\\_arn](#output\\_oidc\\_provider\\_arn) | OIDC provider ARN used for IRSA. |\n| <a name=\"output_openmetadata_alb_dns\"></a> [openmetadata\\_alb\\_dns](#output\\_openmetadata\\_alb\\_dns) | DNS name of the ALB provisioned for OpenMetadata. |\n| <a name=\"output_openmetadata_fqdn\"></a> [openmetadata\\_fqdn](#output\\_openmetadata\\_fqdn) | Route53 record FQDN pointing to the OpenMetadata ALB. |\n| <a name=\"output_openmetadata_irsa_role_arn\"></a> [openmetadata\\_irsa\\_role\\_arn](#output\\_openmetadata\\_irsa\\_role\\_arn) | IAM role ARN for the OpenMetadata service account. |\n| <a name=\"output_opensearch_endpoint\"></a> [opensearch\\_endpoint](#output\\_opensearch\\_endpoint) | Endpoint for the OpenSearch domain. 
|\n\n----\n### Providers\n\n| Name | Version |\n|------|---------|\n| <a name=\"provider_aws\"></a> [aws](#provider\\_aws) | >= 5, < 7 |\n\n----\n### Requirements\n\n| Name | Version |\n|------|---------|\n| <a name=\"requirement_terraform\"></a> [terraform](#requirement\\_terraform) | >= 1.5.7, < 2.0.0 |\n| <a name=\"requirement_aws\"></a> [aws](#requirement\\_aws) | >= 5, < 7 |\n| <a name=\"requirement_helm\"></a> [helm](#requirement\\_helm) | ~> 2.17 |\n| <a name=\"requirement_kubernetes\"></a> [kubernetes](#requirement\\_kubernetes) | ~> 2.35 |\n| <a name=\"requirement_random\"></a> [random](#requirement\\_random) | ~> 3.6 |\n\n----\n### Resources\n\n| Name | Type |\n|------|------|\n| [aws_kms_key.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |\n\n----\n<!-- END_TF_DOCS -->\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudandthings%2Fterraform-aws-open-metadata","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudandthings%2Fterraform-aws-open-metadata","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudandthings%2Fterraform-aws-open-metadata/lists"}