/terraform-aws-opensearch

Terraform module to provision an OpenSearch cluster with SAML authentication.

Primary LanguageHCLApache License 2.0Apache-2.0

AWS OpenSearch Terraform Module

Terraform module to provision an OpenSearch cluster with SAML authentication.

Prerequisites

Features

Usage

This example is using Azure AD as SAML identity provider.

locals {
  cluster_name      = "opensearch"
  cluster_domain    = "example.com"
  saml_entity_id    = "https://sts.windows.net/XXX-XXX-XXX-XXX-XXX/"
  saml_metadata_url = "https://login.microsoftonline.com/XXX-XXX-XXX-XXX-XXX/federationmetadata/2007-06/federationmetadata.xml?appid=YYY-YYY-YYY-YYY-YYY"
}

data "aws_region" "current" {}

data "http" "saml_metadata" {
  url = local.saml_metadata_url
}

provider "elasticsearch" {
  url                   = "https://${local.cluster_name}.${local.cluster_domain}"
  aws_region            = data.aws_region.current.name
  elasticsearch_version = "7.10.2"
  healthcheck           = false
}

module "opensearch" {
  source = "idealo/opensearch/aws"

  cluster_name    = local.cluster_name
  cluster_domain  = local.cluster_domain
  cluster_version = "1.0"

  saml_entity_id        = local.saml_entity_id
  saml_metadata_content = data.http.saml_metadata.body

  indices = {
    example-index = {
      number_of_shards   = 2
      number_of_replicas = 1
    }
  }
}

Examples

Here is a working example of using this Terraform module:

  • Complete - Create an AWS OpenSearch cluster with all necessary resources.

Requirements

Name Version
terraform >= 1.0.0
aws >= 3.65
elasticsearch >= 1.6.0

Modules

Name Source Version
acm terraform-aws-modules/acm/aws ~> 3.2.0

Resources

Name Type
aws_elasticsearch_domain.opensearch resource
aws_elasticsearch_domain_saml_options.opensearch resource
aws_iam_service_linked_role.es resource
aws_route53_record.opensearch resource
elasticsearch_index.index resource
elasticsearch_index_template.index_template resource
elasticsearch_opendistro_ism_policy.ism_policy resource
elasticsearch_opendistro_role.role resource
elasticsearch_opendistro_roles_mapping.master_user_arn resource
elasticsearch_opendistro_roles_mapping.role_mapping resource
aws_caller_identity.current data source
aws_iam_policy_document.access_policy data source
aws_region.current data source
aws_route53_zone.opensearch data source

Inputs

Name Description Type Default Required
availability_zones The number of availability zones for the OpenSearch cluster. Valid values: 1, 2 or 3. number 3 no
cluster_domain The hosted zone name of the OpenSearch cluster. string n/a yes
cluster_name The name of the OpenSearch cluster. string "opensearch" no
cluster_version The version of OpenSearch to deploy. string "1.0" no
create_service_role Indicates whether to create the service-linked role. See https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html bool true no
encrypt_kms_key_id The KMS key ID to encrypt the OpenSearch cluster with. If not specified, then it defaults to using the AWS OpenSearch Service KMS key. string "" no
hot_instance_count The number of dedicated hot nodes in the cluster. number 3 no
hot_instance_type The type of EC2 instances to run for each hot node. A list of available instance types can you find at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing string "r6gd.4xlarge.elasticsearch" no
index_files A set of all index files to create. set(string) [] no
index_template_files A set of all index template files to create. set(string) [] no
index_templates A map of all index templates to create. map(any) {} no
indices A map of all indices to create. map(any) {} no
ism_policies A map of all ISM policies to create. map(any) {} no
ism_policy_files A set of all ISM policy files to create. set(string) [] no
master_instance_count The number of dedicated master nodes in the cluster. number 3 no
master_instance_enabled Indicates whether dedicated master nodes are enabled for the cluster. bool true no
master_instance_type The type of EC2 instances to run for each master node. A list of available instance types can you find at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing string "r6gd.large.elasticsearch" no
master_user_arn The ARN for the master user of the cluster. If not specified, then it defaults to using the IAM user that is making the request. string "" no
role_files A set of all role files to create. set(string) [] no
role_mapping_files A set of all role mapping files to create. set(string) [] no
role_mappings A map of all role mappings to create. map(any) {} no
roles A map of all roles to create. map(any) {} no
saml_entity_id The unique Entity ID of the application in SAML Identity Provider. string n/a yes
saml_metadata_content The metadata of the SAML application in xml format. string n/a yes
saml_roles_key Element of the SAML assertion to use for backend roles. string "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" no
saml_session_timeout Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440. number 60 no
saml_subject_key Element of the SAML assertion to use for username. string "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" no
tags A map of tags to add to all resources. map(string) {} no
warm_instance_count The number of dedicated warm nodes in the cluster. number 3 no
warm_instance_enabled Indicates whether ultrawarm nodes are enabled for the cluster. bool true no
warm_instance_type The type of EC2 instances to run for each warm node. A list of available instance types can you find at https://aws.amazon.com/en/elasticsearch-service/pricing/#UltraWarm_pricing string "ultrawarm1.large.elasticsearch" no

Outputs

Name Description
cluster_endpoint The endpoint URL of the OpenSearch cluster.
cluster_name The name of the OpenSearch cluster.
cluster_version The version of the OpenSearch cluster.
kibana_endpoint The endpoint URL of Kibana.

License

Apache 2 Licensed. See LICENSE for full details.