https://github.com/paybilldev/terraform-aws-opensearch

Provisions and manages an Amazon OpenSearch domain along with all the supporting infrastructure required to run it securely and at scale.
Topics: aws, opensearch, terraform


# Amazon OpenSearch Setup

This Terraform module provisions and manages an **Amazon OpenSearch domain** along with all the supporting infrastructure required to run it securely and at scale. In summary, it:

### **1. Creates and configures the OpenSearch cluster**

* Deploys an OpenSearch/Amazon Elasticsearch domain using the CloudPosse module.
* Allows configuration of instance type, count, storage, AZ distribution, encryption settings, and version.
* Optionally enables custom domain endpoints and Cognito authentication for Kibana/OpenSearch Dashboards.

### **2. Manages access and security**

* Creates two IAM roles:
  * **Admin role** with full OpenSearch permissions.
  * **Read-only role** with restricted access.
* Supports granting additional IAM roles access to the domain (`additional_iam_role_arns`) and limiting the `es:*` actions they receive (`iam_actions`); fine-grained access control with the internal user database is enabled by default (`advanced_security_options_enabled`).
* Generates a random admin (master user) password, or accepts one via `custom_opensearch_password` when `generate_random_password` is `false`.
* Stores the admin credentials in **AWS SSM Parameter Store** (username and password, the password as a `SecureString`). Both a generated and a supplied password also end up in Terraform state in plaintext, so the state backend needs the same access controls as the parameter.

### **3. Exposes important outputs**

* Cluster details: endpoint, hostname, ARN, domain ID.
* Kibana/OpenSearch Dashboard endpoints.
* IAM role information and Security Group IDs for access control.
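
## Usage

The following is an added example of calling the module with its security-relevant inputs set explicitly; it is not taken from the project's own README. The `aws_vpc.main`, `aws_subnet.private` and `aws_security_group.opensearch_clients` resources, the `hypothetical_opensearch_ro` role, the account ID and the `?ref=` value are assumptions: replace them with your own, and pin `ref` to a commit SHA or release tag rather than a branch.

```hcl
# Added example, not the module's own code. Hypothetical names assumed to be
# defined elsewhere in the root module: aws_vpc.main, aws_subnet.private
# (created with for_each, hence the for expression below) and
# aws_security_group.opensearch_clients. The account ID, role name and
# ?ref= value are placeholders.

module "opensearch" {
  source = "git::https://github.com/paybilldev/terraform-aws-opensearch.git?ref=<pinned-commit-sha>"

  # Required inputs (see the Inputs table)
  namespace   = "acme"
  environment = "prod"
  name        = "logs"
  vpc_id      = aws_vpc.main.id
  subnet_ids  = [for s in aws_subnet.private : s.id]
  tags = {
    Owner       = "platform-security"
    Environment = "prod"
  }

  # Cluster shape: one data node per AZ so zone awareness can spread replicas.
  # availability_zones must match the AZs of the subnets passed above.
  elasticsearch_version  = "OpenSearch_2.3"
  instance_type          = "t3.small.elasticsearch"
  instance_count         = 2
  availability_zones     = ["us-east-1a", "us-east-1b"]
  zone_awareness_enabled = true
  ebs_volume_size        = 20

  # Encryption in transit between nodes and at rest. Both default to true;
  # they are restated so a reviewer sees them and so a later change to false
  # shows up in a plan diff. Turning either off forces a new domain.
  encrypt_at_rest_enabled         = true
  node_to_node_encryption_enabled = true

  # Fine-grained access control with the internal user database. The master
  # user is admin_username; its password comes from random_password and is
  # written to SSM as a SecureString. custom_opensearch_password is ignored
  # while generate_random_password is true.
  advanced_security_options_enabled                        = true
  advanced_security_options_internal_user_database_enabled = true
  admin_username                                           = "os_admin"
  generate_random_password                                 = true

  # Network boundary: the domain lives in private subnets and only clients in
  # this security group may reach its VPC endpoint.
  security_group_ids = [aws_security_group.opensearch_clients.id]

  # IAM side, least privilege: the extra role gets read verbs only, not es:*.
  additional_iam_role_arns = ["arn:aws:iam::123456789012:role/hypothetical_opensearch_ro"]
  iam_actions              = ["es:ESHttpGet", "es:ESHttpHead"]
}

# Surface the connection details for other modules or CI jobs.
output "opensearch_endpoint" {
  value = module.opensearch.domain_endpoint
}

output "opensearch_dashboards" {
  value = module.opensearch.kibana_endpoint
}
```

Every input used above appears in the Inputs table below. Because `random_password.admin_password` and `aws_ssm_parameter.this` are ordinary Terraform resources, the admin password is recorded in Terraform state in plaintext as well as in Parameter Store: give the state backend the same access controls as the parameter, and limit `ssm:GetParameter` plus `kms:Decrypt` on the parameter's key to the workloads that actually need the credential.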

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [aws](#requirement\_aws) | >= 5.0.0 |
| [null](#requirement\_null) | >= 3.2 |
| [random](#requirement\_random) | >= 3.4 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 5.0.0 |
| [random](#provider\_random) | >= 3.4 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| [opensearch](#module\_opensearch) | git::https://github.com/cloudposse/terraform-aws-elasticsearch | 0.44.0 |

## Resources

| Name | Type |
|------|------|
| [aws_iam_role.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_ssm_parameter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
| [random_password.admin_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [additional\_iam\_role\_arns](#input\_additional\_iam\_role\_arns) | List of additional IAM role ARNs to permit access to the Elasticsearch domain | `list(string)` | `[]` | no |
| [admin\_username](#input\_admin\_username) | Admin (master user) username used when fine-grained access control is enabled | `string` | `"os_admin"` | no |
| [advanced\_options](#input\_advanced\_options) | Key-value string pairs to specify advanced configuration options. Note: leaving `rest.action.multi.allow_explicit_index` at `"true"` lets a request name indices inside the body of `_bulk`, `_msearch` or `_mget` calls, which bypasses URL-based (sub-resource) access policies; set it to `"false"` if you rely on such policies, at the cost of breaking clients that put index names in request bodies. | `map(any)` | `{ "override_main_response_version": false, "rest.action.multi.allow_explicit_index": "true" }` | no |
| [advanced\_security\_options\_enabled](#input\_advanced\_security\_options\_enabled) | Whether to enable the advanced security options (fine-grained access control via the OpenSearch security plugin) for the domain and Dashboards (forces new resource) | `bool` | `true` | no |
| [advanced\_security\_options\_internal\_user\_database\_enabled](#input\_advanced\_security\_options\_internal\_user\_database\_enabled) | Whether to enable the internal user database of the OpenSearch (OpenDistro) security plugin, so the admin user is stored in the domain rather than mapped from an IAM ARN | `bool` | `true` | no |
| [availability\_zones](#input\_availability\_zones) | List of availability zones to deploy the cluster in. | `list(string)` | `["us-east-1a", "us-east-1b"]` | no |
| [cognito\_authentication\_enabled](#input\_cognito\_authentication\_enabled) | Whether to enable Amazon Cognito authentication with Kibana | `bool` | `false` | no |
| [cognito\_iam\_role\_arn](#input\_cognito\_iam\_role\_arn) | ARN of the IAM role that has the AmazonESCognitoAccess policy attached | `string` | `""` | no |
| [cognito\_identity\_pool\_id](#input\_cognito\_identity\_pool\_id) | The ID of the Cognito Identity Pool to use | `string` | `""` | no |
| [cognito\_user\_pool\_id](#input\_cognito\_user\_pool\_id) | The ID of the Cognito User Pool to use | `string` | `""` | no |
| [create\_iam\_service\_linked\_role](#input\_create\_iam\_service\_linked\_role) | Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | `bool` | `true` | no |
| [custom\_endpoint](#input\_custom\_endpoint) | Fully qualified domain for custom endpoint. | `string` | `""` | no |
| [custom\_endpoint\_certificate\_arn](#input\_custom\_endpoint\_certificate\_arn) | ACM certificate ARN for custom endpoint. | `string` | `""` | no |
| [custom\_endpoint\_enabled](#input\_custom\_endpoint\_enabled) | Whether to enable custom endpoint for the Elasticsearch domain. | `bool` | `false` | no |
| [custom\_opensearch\_password](#input\_custom\_opensearch\_password) | Custom Administrator password to be assigned to `var.admin_username`. If undefined, it will be a randomly generated password. Does not work if `var.generate_random_password` is `true`. | `string` | `""` | no |
| [ebs\_volume\_size](#input\_ebs\_volume\_size) | EBS volumes for data storage in GB | `number` | `10` | no |
| [elasticsearch\_version](#input\_elasticsearch\_version) | Version of Elasticsearch or OpenSearch to deploy (\_e.g.\_ OpenSearch\_2.3, OpenSearch\_1.3, OpenSearch\_1.2, OpenSearch\_1.1, OpenSearch\_1.0, 7.4, 7.1, etc.) | `string` | `"OpenSearch_2.3"` | no |
| [encrypt\_at\_rest\_enabled](#input\_encrypt\_at\_rest\_enabled) | Whether to enable encryption at rest | `bool` | `true` | no |
| [environment](#input\_environment) | Name of the environment, i.e. dev, stage, prod | `string` | n/a | yes |
| [generate\_random\_password](#input\_generate\_random\_password) | Generate a random password for the OpenSearch Administrator. If this value is `true` and `var.custom_opensearch_password` is defined, `var.custom_opensearch_password` will be ignored. | `bool` | `true` | no |
| [iam\_actions](#input\_iam\_actions) | List of actions to allow for the IAM roles, e.g. es:ESHttpGet, es:ESHttpPut, es:ESHttpPost | `list(string)` | `[]` | no |
| [instance\_count](#input\_instance\_count) | Number of data nodes in the cluster. | `number` | `2` | no |
| [instance\_type](#input\_instance\_type) | Elasticsearch or OpenSearch instance type for data nodes in the cluster | `string` | `"t3.small.elasticsearch"` | no |
| [kibana\_subdomain\_name](#input\_kibana\_subdomain\_name) | The name of the subdomain for Kibana in the DNS zone (\_e.g.\_ kibana, ui, ui-es, search-ui, kibana.elasticsearch) | `string` | `""` | no |
| [name](#input\_name) | Name of the OpenSearch resource | `string` | n/a | yes |
| [namespace](#input\_namespace) | Namespace of the project | `string` | n/a | yes |
| [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether to enable node-to-node encryption | `bool` | `true` | no |
| [security\_group\_ids](#input\_security\_group\_ids) | List of security group IDs to attach to the OpenSearch domain | `list(string)` | `[]` | no |
| [subnet\_ids](#input\_subnet\_ids) | List of subnet IDs in which to place the OpenSearch domain | `list(string)` | n/a | yes |
| [tags](#input\_tags) | Default tags to apply to every resource | `map(string)` | n/a | yes |
| [vpc\_id](#input\_vpc\_id) | ID of the VPC where resources will be deployed to | `string` | n/a | yes |
| [zone\_awareness\_enabled](#input\_zone\_awareness\_enabled) | Enable zone awareness for Elasticsearch cluster | `bool` | `true` | no |

## Outputs

| Name | Description |
|------|-------------|
| [domain\_arn](#output\_domain\_arn) | ARN of the OpenSearch domain |
| [domain\_endpoint](#output\_domain\_endpoint) | Domain-specific endpoint used to submit index, search, and data upload requests |
| [domain\_hostname](#output\_domain\_hostname) | OpenSearch domain hostname to submit index, search, and data upload requests |
| [domain\_id](#output\_domain\_id) | Unique identifier for the OpenSearch domain |
| [kibana\_endpoint](#output\_kibana\_endpoint) | Domain-specific endpoint for Kibana without https scheme |
| [kibana\_hostname](#output\_kibana\_hostname) | Kibana hostname |
| [opensearch\_user\_iam\_role\_arn](#output\_opensearch\_user\_iam\_role\_arn) | The ARN of the IAM role to allow access to OpenSearch cluster |
| [opensearch\_user\_iam\_role\_name](#output\_opensearch\_user\_iam\_role\_name) | The name of the IAM role to allow access to OpenSearch cluster |
| [security\_group\_id](#output\_security\_group\_id) | Security Group ID to control access to the OpenSearch domain |