/terraform-aws-elasticsearch

Terraform module to create Amazon Elasticsearch Service clusters, following the Well-Architected Framework and best AWS practices.

Primary LanguageHCLApache License 2.0Apache-2.0

Terraform

terraform-aws-elasticsearch

Terraform module to create Amazon Elasticsearch Service clusters, following the Well-Architected Framework and best AWS practices.

Amazon Elasticsearch Service is a fully managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in the AWS Cloud. Elasticsearch is a popular open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis. With Amazon ES, you get direct access to the Elasticsearch APIs; existing code and applications work seamlessly with the service.

Examples

Check the examples folder where you can see how to configure a public ES cluster, and another example showing how to set it with VPC options.

Usage

You can use this module to create your Amazon ES cluster by defining each parameters blocks as follows:

module "aws_es" {

  source  = "lgallard/elasticsearch/aws"

  domain_name           = "elasticsearch_public"
  elasticsearch_version = "7.1"

  cluster_config = {
    dedicated_master_enabled = true
    instance_count           = 3
    instance_type            = "r5.large.elasticsearch"
    zone_awareness_enabled   = true
    availability_zone_count  = 3
  }

  ebs_options = {
    ebs_enabled = "true"
    volume_size = "25"
  }

  encrypt_at_rest = {
    enabled    = true
    kms_key_id = "arn:aws:kms:us-east-1:123456789101:key/cccc103b-4ba3-5993-6fc7-b7e538b25fd8"
  }

  log_publishing_options = {
    index_slow_logs = {
      enabled                          = true
      cloudwatch_log_group_arn         = "arn:aws:logs:us-east-1:123456789101:log-group:/aws/elasticsearch/index_slow_logs:*"
      log_publishing_options_retention = 90
    }
    search_slow_logs = {
      enabled                  = true
      cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789101:log-group:/aws/elasticsearch/search_slow_logs:*"
    }
    es_application_logs = {
      enabled                   = true
      cloudwatch_log_group_name = "es_application_logs_dev"
    }
    audit_logs = {
      enabled                   = false
      cloudwatch_log_group_name = "audit_logs_dev"
    }
  }

  advanced_options = {
    "rest.action.multi.allow_explicit_index" = true
  }

  domain_endpoint_options = {
    enforce_https                   = true
    custom_endpoint_enabled         = true
    custom_endpoint                 = "lgallardo.com"
    custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:123456789101:certificate/abcd1234-ef11-abcd-1234-abcd1234efef"
  }

  node_to_node_encryption_enabled                = true
  snapshot_options_automated_snapshot_start_hour = 23

  tags = {
    Owner = "sysops"
    env   = "dev"
  }

Note: You can also define the above ElasticSearch cluster using just the module variables. Instead of defining a cluster_config block (list of map), you can set each of the cluster_config_* variables, as shown below:

module "aws_es" {

  source  = "lgallard/elasticsearch/aws"

  domain_name           = "elasticsearch_public"
  elasticsearch_version = "7.1"

  cluster_config_dedicated_master_enabled = true
  cluster_config_instance_count           = 3
  cluster_config_instance_type            = "r5.large.elasticsearch"
  cluster_config_zone_awareness_enabled   = "true"
  cluster_config_availability_zone_count  = 3

  ebs_options_ebs_enabled = true
  ebs_options_volume_size = 25

  encrypt_at_rest_enabled    = true
  encrypt_at_rest_kms_key_id = "alias/aws/es"

  log_publishing_options_enabled  = true
  log_publishing_options_log_type = "INDEX_SLOW_LOGS"

  advanced_options = {
    "rest.action.multi.allow_explicit_index" = true
  }

  node_to_node_encryption_enabled                = true
  snapshot_options_automated_snapshot_start_hour = 23

  tags = {
    Owner = "sysops"
    env   = "dev"
  }

Requirements

Name Version
terraform >= 0.12.9
aws >= 3.35.0
random >=3.1.2

Providers

Name Version
aws 4.6.0
random 3.1.2

Modules

No modules.

Resources

Name Type
aws_cloudwatch_log_group.es_cloudwatch_log_group resource
aws_cloudwatch_log_resource_policy.es_aws_cloudwatch_log_resource_policy resource
aws_elasticsearch_domain.es_domain resource
aws_iam_service_linked_role.es resource
random_password.master_password resource
aws_kms_key.aws_es data source

Inputs

Name Description Type Default Required
access_policies IAM policy document specifying the access policies for the domain string "" no
advanced_options Key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply map(string) {} no
advanced_security_options Options for fine-grained access control any {} no
advanced_security_options_create_random_master_password Whether to create random master password for Elasticsearch master user bool false no
advanced_security_options_enabled Whether advanced security is enabled (Forces new resource) bool false no
advanced_security_options_internal_user_database_enabled Whether the internal user database is enabled. If not set, defaults to false by the AWS API. bool false no
advanced_security_options_master_user_arn ARN for the master user. Only specify if internal_user_database_enabled is not set or set to false) string null no
advanced_security_options_master_user_password The master user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if internal_user_database_enabled is set to true. string null no
advanced_security_options_master_user_username The master user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if internal_user_database_enabled is set to true. string null no
advanced_security_options_random_master_password_length Length of random master password to create number 16 no
cloudwatch_log_enabled Change to false to avoid deploying any Cloudwatch Logs resources bool true no
cluster_config Cluster configuration of the domain any {} no
cluster_config_availability_zone_count Number of Availability Zones for the domain to use with number 3 no
cluster_config_dedicated_master_count Number of dedicated master nodes in the cluster number 3 no
cluster_config_dedicated_master_enabled Indicates whether dedicated master nodes are enabled for the cluster bool true no
cluster_config_dedicated_master_type Instance type of the dedicated master nodes in the cluster string "r5.large.elasticsearch" no
cluster_config_instance_count Number of instances in the cluster number 3 no
cluster_config_instance_type Instance type of data nodes in the cluster string "r5.large.elasticsearch" no
cluster_config_warm_count The number of warm nodes in the cluster number null no
cluster_config_warm_enabled Indicates whether to enable warm storage bool false no
cluster_config_warm_type The instance type for the Elasticsearch cluster's warm nodes string null no
cluster_config_zone_awareness_enabled Indicates whether zone awareness is enabled. To enable awareness with three Availability Zones bool false no
cognito_options Options for Amazon Cognito Authentication for Kibana any {} no
cognito_options_enabled Specifies whether Amazon Cognito authentication with Kibana is enabled or not bool false no
cognito_options_identity_pool_id ID of the Cognito Identity Pool to use string "" no
cognito_options_role_arn ARN of the IAM role that has the AmazonESCognitoAccess policy attached string "" no
cognito_options_user_pool_id ID of the Cognito User Pool to use string "" no
create_service_link_role Create service link role for AWS Elasticsearch Service bool true no
domain_endpoint_options Domain endpoint HTTP(S) related options. any {} no
domain_endpoint_options_custom_endpoint Fully qualified domain for your custom endpoint string null no
domain_endpoint_options_custom_endpoint_certificate_arn ACM certificate ARN for your custom endpoint string null no
domain_endpoint_options_custom_endpoint_enabled Whether to enable custom endpoint for the Elasticsearch domain bool false no
domain_endpoint_options_enforce_https Whether or not to require HTTPS bool false no
domain_endpoint_options_tls_security_policy The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values: Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07 string "Policy-Min-TLS-1-2-2019-07" no
domain_name Name of the domain string n/a yes
ebs_enabled Whether EBS volumes are attached to data nodes in the domain bool true no
ebs_options EBS related options, may be required based on chosen instance size any {} no
ebs_options_iops The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the Provisioned IOPS EBS volume type number 0 no
ebs_options_volume_size The size of EBS volumes attached to data nodes (in GB). Required if ebs_enabled is set to true number 10 no
ebs_options_volume_type The type of EBS volumes attached to data nodes string "gp2" no
elasticsearch_version The version of Elasticsearch to deploy. string "7.1" no
enabled Change to false to avoid deploying any AWS ElasticSearch resources bool true no
encrypt_at_rest Encrypt at rest options. Only available for certain instance types any {} no
encrypt_at_rest_enabled Whether to enable encryption at rest bool true no
encrypt_at_rest_kms_key_id The KMS key id to encrypt the Elasticsearch domain with. If not specified then it defaults to using the aws/es service KMS key string "alias/aws/es" no
log_publishing_options Options for publishing slow logs to CloudWatch Logs any {} no
log_publishing_options_retention Retention in days for the created Cloudwatch log group number 90 no
node_to_node_encryption Node-to-node encryption options any {} no
node_to_node_encryption_enabled Whether to enable node-to-node encryption bool true no
snapshot_options Snapshot related options any {} no
snapshot_options_automated_snapshot_start_hour Hour during which the service takes an automated daily snapshot of the indices in the domain number 0 no
tags A mapping of tags to assign to the resource map(any) {} no
timeouts Timeouts map. map(any) {} no
timeouts_update How long to wait for updates. string null no
vpc_options VPC related options, see below. Adding or removing this configuration forces a new resource any {} no
vpc_options_security_group_ids List of VPC Security Group IDs to be applied to the Elasticsearch domain endpoints. If omitted, the default Security Group for the VPC will be used list(any) [] no
vpc_options_subnet_ids List of VPC Subnet IDs for the Elasticsearch domain endpoints to be created in list(any) [] no

Outputs

Name Description
arn Amazon Resource Name (ARN) of the domain
domain_id Unique identifier for the domain
endpoint Domain-specific endpoint used to submit index, search, and data upload requests
kibana_endpoint Domain-specific endpoint for kibana without https scheme
master_password Master password
master_username Master username
vpc_options_availability_zones If the domain was created inside a VPC, the names of the availability zones the configured subnet_ids were created inside
vpc_options_vpc_id If the domain was created inside a VPC, the ID of the VPC