HHS · coilysiren · Oct 10, 2024 · Apr 19, 2024 · Apr 22, 2024 · Apr 22, 2024
@@ -10,6 +10,16 @@ module "dev_config" {
   database_max_capacity           = 16
   database_min_capacity           = 2
 
+  has_opensearch                           = true
+  opensearch_multi_az_with_standby_enabled = false
+  opensearch_zone_awareness_enabled        = false
+  opensearch_dedicated_master_enabled      = false
+  opensearch_dedicated_master_count        = 1
+  opensearch_dedicated_master_type         = "m6g.large.search"
+  opensearch_instance_count                = 1
+  opensearch_instance_type                 = "or1.medium.search"
+  opensearch_availability_zone_count       = 3
+
   # Runs, but with everything disabled.
   # See api/src/data_migration/command/load_transform.py for argument specifications.
   load_transform_args = [

@@ -1,3 +1,16 @@
+output "opensearch_config" {
+  value = var.has_opensearch ? {
+    multi_az_with_standby_enabled = var.opensearch_multi_az_with_standby_enabled
+    zone_awareness_enabled        = var.opensearch_zone_awareness_enabled
+    dedicated_master_enabled      = var.opensearch_dedicated_master_enabled
+    instance_count                = var.opensearch_instance_count
+    instance_type                 = var.opensearch_instance_type
+    dedicated_master_count        = var.opensearch_dedicated_master_count
+    dedicated_master_type         = var.opensearch_dedicated_master_type
+    availability_zone_count       = var.opensearch_availability_zone_count
+  } : null
+}
+
 output "database_config" {
   value = var.has_database ? {
     region                      = var.default_region

@@ -12,6 +12,42 @@ variable "default_region" {
   type        = string
 }
 
+variable "has_opensearch" {
+  type = bool
+}
+
+variable "opensearch_multi_az_with_standby_enabled" {
+  type = bool
+}
+
+variable "opensearch_zone_awareness_enabled" {
+  type = bool
+}
+
+variable "opensearch_dedicated_master_enabled" {
+  type = bool
+}
+
+variable "opensearch_dedicated_master_count" {
+  type = number
+}
+
+variable "opensearch_dedicated_master_type" {
+  type = string
+}
+
+variable "opensearch_instance_count" {
+  type = number
+}
+
+variable "opensearch_instance_type" {
+  type = string
+}
+
+variable "opensearch_availability_zone_count" {
+  type = number
+}
+
 variable "has_database" {
   type = bool
 }

@@ -11,6 +11,16 @@ module "prod_config" {
   database_max_capacity           = 32
   database_min_capacity           = 2
 
+  has_opensearch                           = true
+  opensearch_multi_az_with_standby_enabled = true
+  opensearch_zone_awareness_enabled        = true
+  opensearch_dedicated_master_enabled      = true
+  opensearch_instance_count                = 3
+  opensearch_instance_type                 = "or1.medium.search"
+  opensearch_dedicated_master_count        = 3
+  opensearch_dedicated_master_type         = "m6g.large.search"
+  opensearch_availability_zone_count       = 3
+
   # See api/src/data_migration/command/load_transform.py for argument specifications.
   load_transform_args = [
     "poetry",

@@ -10,6 +10,16 @@ module "staging_config" {
   database_max_capacity           = 16
   database_min_capacity           = 2
 
+  has_opensearch                           = true
+  opensearch_multi_az_with_standby_enabled = false
+  opensearch_zone_awareness_enabled        = false
+  opensearch_dedicated_master_enabled      = false
+  opensearch_dedicated_master_count        = 1
+  opensearch_dedicated_master_type         = "m6g.large.search"
+  opensearch_instance_count                = 1
+  opensearch_instance_type                 = "or1.medium.search"
+  opensearch_availability_zone_count       = 3
+
   # See api/src/data_migration/command/load_transform.py for argument specifications.
   load_transform_args = [
     "poetry",

diff --git a/infra/api/database/.terraform.lock.hcl b/infra/api/database/.terraform.lock.hcl
diff --git a/infra/api/database/main.tf b/infra/api/database/main.tf
@@ -33,6 +33,7 @@ locals {
 
   environment_config = module.app_config.environment_configs[var.environment_name]
   database_config    = local.environment_config.database_config
+  opensearch_config  = local.environment_config.opensearch_config
 }
 
 terraform {
@@ -77,6 +78,26 @@ data "aws_security_groups" "aws_services" {
   }
 }
 
+module "opensearch" {
+  count = local.opensearch_config != null ? 1 : 0
+
+  source = "../../modules/opensearch"
+
+  name                          = "${local.prefix}${var.environment_name}"
+  cidr_block                    = data.aws_vpc.network.cidr_block
+  environment_name              = var.environment_name
+  multi_az_with_standby_enabled = local.opensearch_config.multi_az_with_standby_enabled
+  zone_awareness_enabled        = local.opensearch_config.zone_awareness_enabled
+  dedicated_master_enabled      = local.opensearch_config.dedicated_master_enabled
+  dedicated_master_count        = local.opensearch_config.dedicated_master_count
+  dedicated_master_type         = local.opensearch_config.dedicated_master_type
+  instance_count                = local.opensearch_config.instance_count
+  instance_type                 = local.opensearch_config.instance_type
+  availability_zone_count       = local.opensearch_config.availability_zone_count
+  subnet_ids                    = slice(data.aws_subnets.database.ids, 0, local.opensearch_config.dedicated_master_count)
+  vpc_id                        = data.aws_vpc.network.id
+}
+
 module "database" {
   source = "../../modules/database"
 

diff --git a/infra/modules/opensearch/authentication.tf b/infra/modules/opensearch/authentication.tf
@@ -0,0 +1,72 @@
+resource "random_password" "opensearch_username" {
+  length           = 16
+  min_lower        = 1
+  min_upper        = 1
+  min_numeric      = 1
+  special          = true
+  override_special = "-"
+}
+
+# The master password must be generated 5 ~ 10 times before you can get a master password that meets the requirements.
+# This is because the master password cannot be fully configured to meet opensearch requirements. The error message
+# you'll get is:
+#
+#   ValidationException: The master user password must contain at least one uppercase letter, one lowercase letter,
+#   one number, and one special character.
+#
+# The password generated is supposed to meet these requirements, but for some reason it often doesn't.
+# Thusly, we generate the password multiple times until we get one that meets the requirements.
+# You can regenerate the password by running:
+#
+#   terraform state rm "module.opensearch[0].random_password.opensearch_password"
+resource "random_password" "opensearch_password" {
+  length           = 16
+  min_lower        = 1
+  min_upper        = 1
+  min_numeric      = 1
+  special          = true
+  override_special = "-"
+}
+
+resource "aws_ssm_parameter" "opensearch_username" {
+  name        = "/opensearch/${var.environment_name}/username"
+  description = "The username for the OpenSearch domain"
+  type        = "SecureString"
+  value       = random_password.opensearch_username.result
+
+}
+
+resource "aws_ssm_parameter" "opensearch_password" {
+  name        = "/opensearch/${var.environment_name}/password"
+  description = "The password for the OpenSearch domain"
+  type        = "SecureString"
+  value       = random_password.opensearch_password.result
+}
+
+data "aws_iam_policy_document" "opensearch_access" {
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::315341936575:root"]
+    }
+    effect    = "Allow"
+    actions   = ["es:*"]
+    resources = ["arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.environment_name}/*"]
+  }
+}
+
+data "aws_iam_policy_document" "opensearch_cloudwatch" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["es.amazonaws.com"]
+    }
+    actions = [
+      "logs:PutLogEvents",
+      "logs:PutLogEventsBatch",
+      "logs:CreateLogStream",
+    ]
+    resources = ["arn:aws:logs:*"]
+  }
+}