README.md

AWS OpenSearch Terraform Module

Terraform module to provision an OpenSearch cluster with SAML authentication.

Prerequisites

• A hosted zone to route traffic to your OpenSearch domain
• An entityID and metadata XML from your SAML identity provider (in case saml_enabled = true)

Features

• Create an AWS OpenSearch cluster with SAML authentication
• All node types with local NVMe for high IO performance are supported
• Create or manage various OpenSearch resources:
  • Index templates
  • Indices
  • ISM policies
  • Roles
  • Role mappings

Usage

This example is using Azure AD as SAML identity provider.

locals {
  cluster_name      = "opensearch"
  cluster_domain    = "example.com"
  saml_entity_id    = "https://sts.windows.net/XXX-XXX-XXX-XXX-XXX/"
  saml_metadata_url = "https://login.microsoftonline.com/XXX-XXX-XXX-XXX-XXX/federationmetadata/2007-06/federationmetadata.xml?appid=YYY-YYY-YYY-YYY-YYY"
}

data "aws_region" "current" {}

data "http" "saml_metadata" {
  url = local.saml_metadata_url
}

provider "elasticsearch" {
  url                   = module.opensearch.cluster_endpoint
  aws_region            = data.aws_region.current.name
  healthcheck           = false
}

module "opensearch" {
  source  = "idealo/opensearch/aws"
  version = "~> 1.0"

  cluster_name    = local.cluster_name
  cluster_domain  = local.cluster_domain
  cluster_version = "1.2"

  saml_entity_id        = local.saml_entity_id
  saml_metadata_content = data.http.saml_metadata.body

  indices = {
    example-index = {
      number_of_shards   = 2
      number_of_replicas = 1
    }
  }
}

Examples

Here is a working example of using this Terraform module:

• Complete - Create an AWS OpenSearch cluster with all necessary resources.
• Minimal - Create an empty AWS OpenSearch cluster without saml.

Requirements

Name	Version
terraform	>= 1.0.0
aws	>= 4.12.0
elasticsearch	>= 2.0.0

Modules

Name	Source	Version
acm	terraform-aws-modules/acm/aws	~> 4.3.1

Resources

Name	Type
aws_elasticsearch_domain.opensearch	resource
aws_elasticsearch_domain_saml_options.opensearch	resource
aws_iam_service_linked_role.es	resource
aws_route53_record.opensearch	resource
elasticsearch_index.index	resource
elasticsearch_index_template.index_template	resource
elasticsearch_opensearch_ism_policy.ism_policy	resource
elasticsearch_opensearch_role.role	resource
elasticsearch_opensearch_roles_mapping.master_user_arn	resource
elasticsearch_opensearch_roles_mapping.role_mapping	resource
aws_caller_identity.current	data source
aws_iam_policy_document.access_policy	data source
aws_region.current	data source
aws_route53_zone.opensearch	data source

Inputs

Name	Description	Type	Default	Required
access_policies	IAM policy document specifying the access policies for the domain.	string	null	no
advanced_options	Key-value string pairs to specify advanced configuration options.	map(string)	null	no
advanced_security_options_enabled	Whether advanced security is enabled.	bool	true	no
advanced_security_options_internal_user_database_enabled	Whether to enable or not internal Kibana user database for ELK OpenDistro security plugin	bool	false	no
advanced_security_options_master_user_name	Master user username (applicable if advanced_security_options_internal_user_database_enabled set to true)	string	null	no
advanced_security_options_master_user_password	Master user password (applicable if advanced_security_options_internal_user_database_enabled set to true)	string	null	no
availability_zones	The number of availability zones for the OpenSearch cluster. Valid values: 1, 2 or 3.	number	3	no
cluster_domain	The hosted zone name of the OpenSearch cluster.	string	n/a	yes
cluster_domain_private	Indicates whether to create records in a private (true) or public (false) zone	bool	false	no
cluster_name	The name of the OpenSearch cluster.	string	"opensearch"	no
cluster_version	The version of OpenSearch to deploy.	string	"1.0"	no
cognito_options	Configuration block for authenticating Kibana with Cognito.	map(string)	{}	no
cognito_options_enabled	Whether Amazon Cognito authentication with Kibana is enabled or not.	bool	false	no
create_service_role	Indicates whether to create the service-linked role. See https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html	bool	true	no
custom_endpoint	Fully qualified domain for your custom endpoint. If not specified, then it defaults to <cluster_name>.<cluster_domain>	string	null	no
custom_endpoint_certificate_arn	The ARN of the custom ACM certificate.	string	""	no
ebs_enabled	Indicates whether attach EBS volumes to the data nodes.	bool	false	no
ebs_iops	The baseline input/output (I/O) performance of EBS volumes attached to data nodes.	number	3000	no
ebs_throughput	The throughput (in MiB/s) of the EBS volumes attached to data nodes. Valid values are between 125 and 1000.	number	125	no
ebs_volume_size	The size of EBS volumes attached to data nodes (in GiB).	number	10	no
ebs_volume_type	The type of EBS volumes attached to data nodes.	string	"gp3"	no
encrypt_at_rest_enabled	Configuration block for encrypt at rest options	bool	true	no
encrypt_kms_key_id	The KMS key ID to encrypt the OpenSearch cluster with. If not specified, then it defaults to using the AWS OpenSearch Service KMS key.	string	""	no
hot_instance_count	The number of dedicated hot nodes in the cluster.	number	3	no
hot_instance_type	The type of EC2 instances to run for each hot node. A list of available instance types can you find at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing	string	"r6gd.4xlarge.elasticsearch"	no
index_files	A set of all index files to create.	set(string)	[]	no
index_template_files	A set of all index template files to create.	set(string)	[]	no
index_templates	A map of all index templates to create.	map(any)	{}	no
indices	A map of all indices to create.	map(any)	{}	no
ism_policies	A map of all ISM policies to create.	map(any)	{}	no
ism_policy_files	A set of all ISM policy files to create.	set(string)	[]	no
master_instance_count	The number of dedicated master nodes in the cluster.	number	3	no
master_instance_enabled	Indicates whether dedicated master nodes are enabled for the cluster.	bool	true	no
master_instance_type	The type of EC2 instances to run for each master node. A list of available instance types can you find at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing	string	"r6gd.large.elasticsearch"	no
master_user_arn	The ARN for the master user of the cluster. If not specified, then it defaults to using the IAM user that is making the request.	string	""	no
node_to_node_encryption_enabled	Configuration block for node-to-node encryption options	bool	true	no
role_files	A set of all role files to create.	set(string)	[]	no
role_mapping_files	A set of all role mapping files to create.	set(string)	[]	no
role_mappings	A map of all role mappings to create.	map(any)	{}	no
roles	A map of all roles to create.	map(any)	{}	no
saml_enabled	Indicates whether to configure SAML for the OpenSearch dashboard.	bool	true	no
saml_entity_id	The unique Entity ID of the application in SAML Identity Provider.	string	""	no
saml_master_backend_role	This backend role receives full permissions to the cluster, equivalent to a new master role, but can only use those permissions within Dashboards.	string	null	no
saml_master_user_name	This username receives full permissions to the cluster, equivalent to a new master user, but can only use those permissions within Dashboards.	string	null	no
saml_metadata_content	The metadata of the SAML application in xml format.	string	""	no
saml_roles_key	Element of the SAML assertion to use for backend roles.	string	"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"	no
saml_session_timeout	Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440.	number	60	no
saml_subject_key	Element of the SAML assertion to use for username.	string	"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"	no
security_group_ids	The list of VPC security groups IDs to attach.	list(string)	[]	no
subnet_ids	The list of VPC subnet IDs to use.	list(string)	[]	no
tags	A map of tags to add to all resources.	map(string)	{}	no
vpc_enabled	Indicates whether the cluster is running inside a VPC.	bool	false	no
warm_instance_count	The number of dedicated warm nodes in the cluster.	number	3	no
warm_instance_enabled	Indicates whether ultrawarm nodes are enabled for the cluster.	bool	true	no
warm_instance_type	The type of EC2 instances to run for each warm node. A list of available instance types can you find at https://aws.amazon.com/en/elasticsearch-service/pricing/#UltraWarm_pricing	string	"ultrawarm1.large.elasticsearch"	no

Outputs

Name	Description
cluster_endpoint	The endpoint URL of the OpenSearch cluster.
cluster_name	The name of the OpenSearch cluster.
cluster_version	The version of the OpenSearch cluster.
kibana_endpoint	The endpoint URL of the OpenSearch dashboards.

License

Apache 2 Licensed. See LICENSE for full details.