`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 |
2 | Apache License
3 | Version 2.0, January 2004
4 | http://www.apache.org/licenses/
5 |
6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7 |
8 | 1. Definitions.
9 |
10 | "License" shall mean the terms and conditions for use, reproduction,
11 | and distribution as defined by Sections 1 through 9 of this document.
12 |
13 | "Licensor" shall mean the copyright owner or entity authorized by
14 | the copyright owner that is granting the License.
15 |
16 | "Legal Entity" shall mean the union of the acting entity and all
17 | other entities that control, are controlled by, or are under common
18 | control with that entity. For the purposes of this definition,
19 | "control" means (i) the power, direct or indirect, to cause the
20 | direction or management of such entity, whether by contract or
21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
22 | outstanding shares, or (iii) beneficial ownership of such entity.
23 |
24 | "You" (or "Your") shall mean an individual or Legal Entity
25 | exercising permissions granted by this License.
26 |
27 | "Source" form shall mean the preferred form for making modifications,
28 | including but not limited to software source code, documentation
29 | source, and configuration files.
30 |
31 | "Object" form shall mean any form resulting from mechanical
32 | transformation or translation of a Source form, including but
33 | not limited to compiled object code, generated documentation,
34 | and conversions to other media types.
35 |
36 | "Work" shall mean the work of authorship, whether in Source or
37 | Object form, made available under the License, as indicated by a
38 | copyright notice that is included in or attached to the work
39 | (an example is provided in the Appendix below).
40 |
41 | "Derivative Works" shall mean any work, whether in Source or Object
42 | form, that is based on (or derived from) the Work and for which the
43 | editorial revisions, annotations, elaborations, or other modifications
44 | represent, as a whole, an original work of authorship. For the purposes
45 | of this License, Derivative Works shall not include works that remain
46 | separable from, or merely link (or bind by name) to the interfaces of,
47 | the Work and Derivative Works thereof.
48 |
49 | "Contribution" shall mean any work of authorship, including
50 | the original version of the Work and any modifications or additions
51 | to that Work or Derivative Works thereof, that is intentionally
52 | submitted to Licensor for inclusion in the Work by the copyright owner
53 | or by an individual or Legal Entity authorized to submit on behalf of
54 | the copyright owner. For the purposes of this definition, "submitted"
55 | means any form of electronic, verbal, or written communication sent
56 | to the Licensor or its representatives, including but not limited to
57 | communication on electronic mailing lists, source code control systems,
58 | and issue tracking systems that are managed by, or on behalf of, the
59 | Licensor for the purpose of discussing and improving the Work, but
60 | excluding communication that is conspicuously marked or otherwise
61 | designated in writing by the copyright owner as "Not a Contribution."
62 |
63 | "Contributor" shall mean Licensor and any individual or Legal Entity
64 | on behalf of whom a Contribution has been received by Licensor and
65 | subsequently incorporated within the Work.
66 |
67 | 2. Grant of Copyright License. Subject to the terms and conditions of
68 | this License, each Contributor hereby grants to You a perpetual,
69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70 | copyright license to reproduce, prepare Derivative Works of,
71 | publicly display, publicly perform, sublicense, and distribute the
72 | Work and such Derivative Works in Source or Object form.
73 |
74 | 3. Grant of Patent License. Subject to the terms and conditions of
75 | this License, each Contributor hereby grants to You a perpetual,
76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77 | (except as stated in this section) patent license to make, have made,
78 | use, offer to sell, sell, import, and otherwise transfer the Work,
79 | where such license applies only to those patent claims licensable
80 | by such Contributor that are necessarily infringed by their
81 | Contribution(s) alone or by combination of their Contribution(s)
82 | with the Work to which such Contribution(s) was submitted. If You
83 | institute patent litigation against any entity (including a
84 | cross-claim or counterclaim in a lawsuit) alleging that the Work
85 | or a Contribution incorporated within the Work constitutes direct
86 | or contributory patent infringement, then any patent licenses
87 | granted to You under this License for that Work shall terminate
88 | as of the date such litigation is filed.
89 |
90 | 4. Redistribution. You may reproduce and distribute copies of the
91 | Work or Derivative Works thereof in any medium, with or without
92 | modifications, and in Source or Object form, provided that You
93 | meet the following conditions:
94 |
95 | (a) You must give any other recipients of the Work or
96 | Derivative Works a copy of this License; and
97 |
98 | (b) You must cause any modified files to carry prominent notices
99 | stating that You changed the files; and
100 |
101 | (c) You must retain, in the Source form of any Derivative Works
102 | that You distribute, all copyright, patent, trademark, and
103 | attribution notices from the Source form of the Work,
104 | excluding those notices that do not pertain to any part of
105 | the Derivative Works; and
106 |
107 | (d) If the Work includes a "NOTICE" text file as part of its
108 | distribution, then any Derivative Works that You distribute must
109 | include a readable copy of the attribution notices contained
110 | within such NOTICE file, excluding those notices that do not
111 | pertain to any part of the Derivative Works, in at least one
112 | of the following places: within a NOTICE text file distributed
113 | as part of the Derivative Works; within the Source form or
114 | documentation, if provided along with the Derivative Works; or,
115 | within a display generated by the Derivative Works, if and
116 | wherever such third-party notices normally appear. The contents
117 | of the NOTICE file are for informational purposes only and
118 | do not modify the License. You may add Your own attribution
119 | notices within Derivative Works that You distribute, alongside
120 | or as an addendum to the NOTICE text from the Work, provided
121 | that such additional attribution notices cannot be construed
122 | as modifying the License.
123 |
124 | You may add Your own copyright statement to Your modifications and
125 | may provide additional or different license terms and conditions
126 | for use, reproduction, or distribution of Your modifications, or
127 | for any such Derivative Works as a whole, provided Your use,
128 | reproduction, and distribution of the Work otherwise complies with
129 | the conditions stated in this License.
130 |
131 | 5. Submission of Contributions. Unless You explicitly state otherwise,
132 | any Contribution intentionally submitted for inclusion in the Work
133 | by You to the Licensor shall be under the terms and conditions of
134 | this License, without any additional terms or conditions.
135 | Notwithstanding the above, nothing herein shall supersede or modify
136 | the terms of any separate license agreement you may have executed
137 | with Licensor regarding such Contributions.
138 |
139 | 6. Trademarks. This License does not grant permission to use the trade
140 | names, trademarks, service marks, or product names of the Licensor,
141 | except as required for reasonable and customary use in describing the
142 | origin of the Work and reproducing the content of the NOTICE file.
143 |
144 | 7. Disclaimer of Warranty. Unless required by applicable law or
145 | agreed to in writing, Licensor provides the Work (and each
146 | Contributor provides its Contributions) on an "AS IS" BASIS,
147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 | implied, including, without limitation, any warranties or conditions
149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 | PARTICULAR PURPOSE. You are solely responsible for determining the
151 | appropriateness of using or redistributing the Work and assume any
152 | risks associated with Your exercise of permissions under this License.
153 |
154 | 8. Limitation of Liability. In no event and under no legal theory,
155 | whether in tort (including negligence), contract, or otherwise,
156 | unless required by applicable law (such as deliberate and grossly
157 | negligent acts) or agreed to in writing, shall any Contributor be
158 | liable to You for damages, including any direct, indirect, special,
159 | incidental, or consequential damages of any character arising as a
160 | result of this License or out of the use or inability to use the
161 | Work (including but not limited to damages for loss of goodwill,
162 | work stoppage, computer failure or malfunction, or any and all
163 | other commercial damages or losses), even if such Contributor
164 | has been advised of the possibility of such damages.
165 |
166 | 9. Accepting Warranty or Additional Liability. While redistributing
167 | the Work or Derivative Works thereof, You may choose to offer,
168 | and charge a fee for, acceptance of support, warranty, indemnity,
169 | or other liability obligations and/or rights consistent with this
170 | License. However, in accepting such obligations, You may act only
171 | on Your own behalf and on Your sole responsibility, not on behalf
172 | of any other Contributor, and only if You agree to indemnify,
173 | defend, and hold each Contributor harmless for any liability
174 | incurred by, or claims asserted against, such Contributor by reason
175 | of your accepting any such warranty or additional liability.
176 |
177 | END OF TERMS AND CONDITIONS
178 |
179 | APPENDIX: How to apply the Apache License to your work.
180 |
181 | To apply the Apache License to your work, attach the following
182 | boilerplate notice, with the fields enclosed by brackets "[]"
183 | replaced with your own identifying information. (Don't include
184 | the brackets!) The text should be enclosed in the appropriate
185 | comment syntax for the file format. We also recommend that a
186 | file or class name and description of purpose be included on the
187 | same "printed page" as the copyright notice for easier
188 | identification within third-party archives.
189 |
190 | Copyright 2018-2020 Cloud Posse, LLC
191 |
192 | Licensed under the Apache License, Version 2.0 (the "License");
193 | you may not use this file except in compliance with the License.
194 | You may obtain a copy of the License at
195 |
196 | http://www.apache.org/licenses/LICENSE-2.0
197 |
198 | Unless required by applicable law or agreed to in writing, software
199 | distributed under the License is distributed on an "AS IS" BASIS,
200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 | See the License for the specific language governing permissions and
202 | limitations under the License.
203 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
1 | variable "security_groups" {
2 | type = list(string)
3 | default = []
4 | description = "List of security group IDs to be allowed to connect to the cluster or the security group IDs to apply to the cluster when the `create_security_group` variable is set to false."
5 | }
6 |
7 | variable "create_security_group" {
8 | type = bool
9 | default = true
10 | description = "Whether to create a dedicated security group for the Elasticsearch domain. Set it to `false` if you already have security groups that you want to attach to the domain and specify them in the `security_groups` variable."
11 | }
12 |
13 | variable "create_elasticsearch_user_role" {
14 | type = bool
15 | default = true
16 | description = "Whether to create an IAM role for Users/EC2 to assume to access the Elasticsearch domain. Set it to `false` if you already manage access through other means."
17 | }
18 |
19 | variable "ingress_port_range_start" {
20 | type = number
21 | default = 0
22 | description = "Start number for allowed port range. (e.g. `443`)"
23 | }
24 |
25 | variable "ingress_port_range_end" {
26 | type = number
27 | default = 65535
28 | description = "End number for allowed port range. (e.g. `443`)"
29 | }
30 |
31 | variable "allowed_cidr_blocks" {
32 | type = list(string)
33 | default = []
34 | description = "List of CIDR blocks to be allowed to connect to the cluster"
35 | }
36 |
37 | variable "vpc_enabled" {
38 | type = bool
39 | description = "Set to false if ES should be deployed outside of VPC."
40 | default = true
41 | }
42 |
43 | variable "vpc_id" {
44 | type = string
45 | description = "VPC ID"
46 | default = null
47 | }
48 |
49 | variable "subnet_ids" {
50 | type = list(string)
51 | description = "VPC Subnet IDs"
52 | default = []
53 | }
54 |
55 | variable "dns_zone_id" {
56 | type = string
57 | default = ""
58 | description = "Route53 DNS Zone ID to add hostname records for Elasticsearch domain and Kibana"
59 | }
60 |
61 | variable "elasticsearch_version" {
62 | type = string
63 | default = "7.10"
64 | description = "Version of Elasticsearch to deploy (_e.g._ `7.4`, `7.1`, `6.8`, `6.7`, `6.5`, `6.4`, `6.3`, `6.2`, `6.0`, `5.6`, `5.5`, `5.3`, `5.1`, `2.3`, `1.5`"
65 | }
66 |
67 | variable "instance_type" {
68 | type = string
69 | default = "t2.small.elasticsearch"
70 | description = "Elasticsearch instance type for data nodes in the cluster"
71 | }
72 |
73 | variable "instance_count" {
74 | type = number
75 | description = "Number of data nodes in the cluster"
76 | default = 4
77 | }
78 |
79 | variable "warm_enabled" {
80 | type = bool
81 | default = false
82 | description = "Whether AWS UltraWarm is enabled"
83 | }
84 |
85 | variable "warm_count" {
86 | type = number
87 | default = 2
88 | description = "Number of UltraWarm nodes"
89 | }
90 |
91 | variable "warm_type" {
92 | type = string
93 | default = "ultrawarm1.medium.elasticsearch"
94 | description = "Type of UltraWarm nodes"
95 | }
96 |
97 | variable "iam_role_arns" {
98 | type = list(string)
99 | default = []
100 | description = "List of IAM role ARNs to permit access to the Elasticsearch domain"
101 | }
102 |
103 | variable "iam_role_permissions_boundary" {
104 | type = string
105 | default = null
106 | description = "The ARN of the permissions boundary policy which will be attached to the Elasticsearch user role"
107 | }
108 |
109 | variable "iam_authorizing_role_arns" {
110 | type = list(string)
111 | default = []
112 | description = "List of IAM role ARNs to permit to assume the Elasticsearch user role"
113 | }
114 |
115 | variable "iam_actions" {
116 | type = list(string)
117 | default = []
118 | description = "List of actions to allow for the user IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost`"
119 | }
120 |
121 | variable "anonymous_iam_actions" {
122 | type = list(string)
123 | default = []
124 | description = "List of actions to allow for the anonymous (`*`) IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost`"
125 | }
126 |
127 | variable "iam_irsa_openid_connect_provider_arn" {
128 | type = string
129 | default = ""
130 | description = "ARN of the OpenID connect provider to allow usage of IRSA"
131 | }
132 |
133 | variable "iam_irsa_openid_connect_provider_url" {
134 | type = string
135 | default = ""
136 | description = "URL of the OpenID connect provider to allow usage of IRSA"
137 | }
138 |
139 | variable "iam_irsa_service_account" {
140 | type = string
141 | default = "system:serviceaccount:default:*"
142 | description = "Kubernetes ServiceAccount to allow to access the Elastic Domain via IRSA"
143 | }
144 |
145 | variable "iam_irsa_service_accounts" {
146 | type = list(string)
147 | default = []
148 | description = "Kubernetes ServiceAccounts to allow to access the Elastic Domain via IRSA"
149 | }
150 |
151 | variable "zone_awareness_enabled" {
152 | type = bool
153 | default = true
154 | description = "Enable zone awareness for Elasticsearch cluster"
155 | }
156 |
157 | variable "availability_zone_count" {
158 | type = number
159 | default = 2
160 | description = "Number of Availability Zones for the domain to use."
161 |
162 | validation {
163 | condition = contains([2, 3], var.availability_zone_count)
164 | error_message = "The availability zone count must be 2 or 3."
165 | }
166 | }
167 |
168 | variable "multi_az_with_standby_enabled" {
169 | type = bool
170 | default = false
171 | description = "Enable domain with standby for OpenSearch cluster"
172 | }
173 |
174 | variable "ebs_volume_size" {
175 | type = number
176 | description = "EBS volumes for data storage in GB"
177 | default = 0
178 | }
179 |
180 | variable "ebs_volume_type" {
181 | type = string
182 | default = "gp2"
183 | description = "Storage type of EBS volumes"
184 | }
185 |
186 | variable "ebs_iops" {
187 | type = number
188 | default = 0
189 | description = "The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the Provisioned IOPS EBS volume type"
190 | }
191 |
192 | variable "ebs_throughput" {
193 | type = number
194 | default = null
195 | description = "Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type. Valid values are between 125 and 1000."
196 | }
197 |
198 | variable "encrypt_at_rest_enabled" {
199 | type = bool
200 | default = true
201 | description = "Whether to enable encryption at rest"
202 | }
203 |
204 | variable "encrypt_at_rest_kms_key_id" {
205 | type = string
206 | default = ""
207 | description = "The KMS key ID to encrypt the Elasticsearch domain with. If not specified, then it defaults to using the AWS/Elasticsearch service KMS key"
208 | }
209 |
210 | variable "domain_endpoint_options_enforce_https" {
211 | type = bool
212 | default = true
213 | description = "Whether or not to require HTTPS"
214 | }
215 |
216 | variable "domain_endpoint_options_tls_security_policy" {
217 | type = string
218 | default = "Policy-Min-TLS-1-2-2019-07"
219 | description = "The name of the TLS security policy that needs to be applied to the HTTPS endpoint"
220 | }
221 |
222 |
223 | variable "log_publishing_index_enabled" {
224 | type = bool
225 | default = false
226 | description = "Specifies whether log publishing option for INDEX_SLOW_LOGS is enabled or not"
227 | }
228 |
229 | variable "log_publishing_search_enabled" {
230 | type = bool
231 | default = false
232 | description = "Specifies whether log publishing option for SEARCH_SLOW_LOGS is enabled or not"
233 | }
234 |
235 | variable "log_publishing_audit_enabled" {
236 | type = bool
237 | default = false
238 | description = "Specifies whether log publishing option for AUDIT_LOGS is enabled or not"
239 | }
240 |
241 | variable "log_publishing_application_enabled" {
242 | type = bool
243 | default = false
244 | description = "Specifies whether log publishing option for ES_APPLICATION_LOGS is enabled or not"
245 | }
246 |
247 | variable "log_publishing_index_cloudwatch_log_group_arn" {
248 | type = string
249 | default = ""
250 | description = "ARN of the CloudWatch log group to which log for INDEX_SLOW_LOGS needs to be published"
251 | }
252 |
253 | variable "log_publishing_search_cloudwatch_log_group_arn" {
254 | type = string
255 | default = ""
256 | description = "ARN of the CloudWatch log group to which log for SEARCH_SLOW_LOGS needs to be published"
257 | }
258 |
259 | variable "log_publishing_audit_cloudwatch_log_group_arn" {
260 | type = string
261 | default = ""
262 | description = "ARN of the CloudWatch log group to which log for AUDIT_LOGS needs to be published"
263 | }
264 |
265 | variable "log_publishing_application_cloudwatch_log_group_arn" {
266 | type = string
267 | default = ""
268 | description = "ARN of the CloudWatch log group to which log for ES_APPLICATION_LOGS needs to be published"
269 | }
270 |
271 | variable "automated_snapshot_start_hour" {
272 | type = number
273 | description = "Hour at which automated snapshots are taken, in UTC"
274 | default = 0
275 | }
276 |
277 | variable "dedicated_master_enabled" {
278 | type = bool
279 | default = false
280 | description = "Indicates whether dedicated master nodes are enabled for the cluster"
281 | }
282 |
283 | variable "dedicated_master_count" {
284 | type = number
285 | description = "Number of dedicated master nodes in the cluster"
286 | default = 0
287 | }
288 |
289 | variable "dedicated_master_type" {
290 | type = string
291 | default = "t2.small.elasticsearch"
292 | description = "Instance type of the dedicated master nodes in the cluster"
293 | }
294 |
295 | variable "advanced_options" {
296 | type = map(string)
297 | default = {}
298 | description = "Key-value string pairs to specify advanced configuration options"
299 | }
300 |
301 | variable "elasticsearch_domain_name" {
302 | type = string
303 | default = ""
304 | description = "The name of the Elasticsearch domain. Must be at least 3 and no more than 28 characters long. Valid characters are a-z (lowercase letters), 0-9, and - (hyphen)."
305 |
306 | validation {
307 | condition = var.elasticsearch_domain_name == "" || (length(var.elasticsearch_domain_name) >= 3 && length(var.elasticsearch_domain_name) <= 28)
308 | error_message = "The elasticsearch_domain_name must meet following conditions: 1) be empty string or 2) must start with a lowercase alphabet and be at least 3 and no more than 28 characters long. Valid characters are a-z (lowercase letters), 0-9, and - (hyphen)."
309 | }
310 |
311 | validation {
312 | condition = var.elasticsearch_domain_name == "" || can(regex("^[a-z][a-z0-9-]*$", var.elasticsearch_domain_name))
313 | error_message = "The elasticsearch_domain_name must meet following conditions: 1) be empty string or 2) must start with a lowercase alphabet and be at least 3 and no more than 28 characters long. Valid characters are a-z (lowercase letters), 0-9, and - (hyphen)."
314 | }
315 | }
316 |
317 | variable "elasticsearch_subdomain_name" {
318 | type = string
319 | default = ""
320 | description = "The name of the subdomain for Elasticsearch in the DNS zone (_e.g._ `elasticsearch`, `ui`, `ui-es`, `search-ui`)"
321 | }
322 |
323 | variable "kibana_subdomain_name" {
324 | type = string
325 | default = ""
326 | description = "The name of the subdomain for Kibana in the DNS zone (_e.g._ `kibana`, `ui`, `ui-es`, `search-ui`, `kibana.elasticsearch`)"
327 | }
328 |
329 | variable "create_iam_service_linked_role" {
330 | type = bool
331 | default = true
332 | description = "Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info"
333 | }
334 |
335 | variable "node_to_node_encryption_enabled" {
336 | type = bool
337 | default = false
338 | description = "Whether to enable node-to-node encryption"
339 | }
340 |
341 | variable "iam_role_max_session_duration" {
342 | type = number
343 | default = 3600
344 | description = "The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours"
345 | }
346 |
347 | variable "cognito_authentication_enabled" {
348 | type = bool
349 | default = false
350 | description = "Whether to enable Amazon Cognito authentication with Kibana"
351 | }
352 |
353 | variable "cognito_user_pool_id" {
354 | type = string
355 | default = ""
356 | description = "The ID of the Cognito User Pool to use"
357 | }
358 |
359 | variable "cognito_identity_pool_id" {
360 | type = string
361 | default = ""
362 | description = "The ID of the Cognito Identity Pool to use"
363 | }
364 |
365 | variable "cognito_iam_role_arn" {
366 | type = string
367 | default = ""
368 | description = "ARN of the IAM role that has the AmazonESCognitoAccess policy attached"
369 | }
370 |
371 | variable "aws_ec2_service_name" {
372 | type = list(string)
373 | default = ["ec2.amazonaws.com"]
374 | description = "AWS EC2 Service Name"
375 | }
376 |
377 | variable "domain_hostname_enabled" {
378 | type = bool
379 | description = "Explicit flag to enable creating a DNS hostname for ES. If `true`, then `var.dns_zone_id` is required."
380 | default = false
381 | }
382 |
383 | variable "kibana_hostname_enabled" {
384 | type = bool
385 | description = "Explicit flag to enable creating a DNS hostname for Kibana. If `true`, then `var.dns_zone_id` is required."
386 | default = false
387 | }
388 |
389 | variable "advanced_security_options_enabled" {
390 | type = bool
391 | default = false
392 | description = "AWS Elasticsearch Kibana enchanced security plugin enabling (forces new resource)"
393 | }
394 |
395 | variable "advanced_security_options_internal_user_database_enabled" {
396 | type = bool
397 | default = false
398 | description = "Whether to enable or not internal Kibana user database for ELK OpenDistro security plugin"
399 | }
400 |
401 | variable "advanced_security_options_master_user_arn" {
402 | type = string
403 | default = ""
404 | description = "ARN of IAM user who is to be mapped to be Kibana master user (applicable if advanced_security_options_internal_user_database_enabled set to false)"
405 | }
406 |
407 | variable "advanced_security_options_master_user_name" {
408 | type = string
409 | default = ""
410 | description = "Master user username (applicable if advanced_security_options_internal_user_database_enabled set to true)"
411 | }
412 |
413 | variable "advanced_security_options_master_user_password" {
414 | type = string
415 | default = ""
416 | description = "Master user password (applicable if advanced_security_options_internal_user_database_enabled set to true)"
417 | }
418 |
419 | variable "custom_endpoint_enabled" {
420 | type = bool
421 | description = "Whether to enable custom endpoint for the Elasticsearch domain."
422 | default = false
423 | }
424 |
425 | variable "custom_endpoint" {
426 | type = string
427 | description = "Fully qualified domain for custom endpoint."
428 | default = ""
429 | }
430 |
431 | variable "custom_endpoint_certificate_arn" {
432 | type = string
433 | description = "ACM certificate ARN for custom endpoint."
434 | default = ""
435 | }
436 |
437 | variable "aws_service_type" {
438 | type = string
439 | description = "The type of AWS service to deploy (`elasticsearch` or `opensearch`)."
440 | # For backwards comptibility we default to elasticsearch
441 | default = "elasticsearch"
442 |
443 | validation {
444 | condition = contains(["elasticsearch", "opensearch"], var.aws_service_type)
445 | error_message = "Value can only be one of `elasticsearch` or `opensearch`."
446 | }
447 | }
448 |
449 | variable "cold_storage_enabled" {
450 | type = bool
451 | description = "Enables cold storage support."
452 | default = false
453 | }
454 |
455 | variable "auto_tune" {
456 | type = object({
457 | enabled = bool
458 | rollback_on_disable = string
459 | starting_time = string
460 | cron_schedule = string
461 | duration = number
462 | })
463 |
464 | default = {
465 | enabled = false
466 | rollback_on_disable = "NO_ROLLBACK"
467 | starting_time = null
468 | cron_schedule = null
469 | duration = null
470 | }
471 |
472 | description = <<-EOT
473 | This object represents the auto_tune configuration. It contains the following filed:
474 | - enabled - Whether to enable autotune.
475 | - rollback_on_disable - Whether to roll back to default Auto-Tune settings when disabling Auto-Tune.
476 | - starting_time - Date and time at which to start the Auto-Tune maintenance schedule in RFC3339 format. Time should be in the future.
477 | - cron_schedule - A cron expression specifying the recurrence pattern for an Auto-Tune maintenance schedule.
478 | - duration - Autotune maintanance window duration time in hours.
479 | EOT
480 |
481 | validation {
482 | condition = var.auto_tune.enabled == false || var.auto_tune.cron_schedule != null
483 | error_message = "Variable auto_tune.cron_schedule should be set if var.auto_tune.enabled == true."
484 | }
485 |
486 | validation {
487 | condition = var.auto_tune.enabled == false || var.auto_tune.duration != null
488 | error_message = "Variable auto_tune.duration should be set if var.auto_tune.enabled == true."
489 | }
490 |
491 | validation {
492 | condition = contains(["DEFAULT_ROLLBACK", "NO_ROLLBACK"], var.auto_tune.rollback_on_disable)
493 | error_message = "Variable auto_tune.rollback_on_disable valid values: DEFAULT_ROLLBACK or NO_ROLLBACK."
494 | }
495 | }
496 |
497 | variable "advanced_security_options_anonymous_auth_enabled" {
498 | type = bool
499 | default = false
500 | description = "Whether Anonymous auth is enabled. Enables fine-grained access control on an existing domain"
501 | }
502 |
503 | variable "access_policies" {
504 | description = "JSON string for the IAM policy document specifying the access policies for the domain."
505 | type = string
506 | default = ""
507 | validation {
508 | condition = var.access_policies == "" || try(jsondecode(var.access_policies), null) != null
509 | error_message = "The access_policies JSON string is not valid."
510 | }
511 | }
512 |
--------------------------------------------------------------------------------
/examples/docs/terraform.md:
--------------------------------------------------------------------------------
1 |
2 | ## Requirements
3 |
4 | | Name | Version |
5 | |------|---------|
6 | | terraform | >= 0.12.0 |
7 | | aws | >= 2.0 |
8 | | null | >= 2.0 |
9 | | template | >= 2.0 |
10 |
11 | ## Providers
12 |
13 | | Name | Version |
14 | |------|---------|
15 | | aws | >= 2.0 |
16 |
17 | ## Inputs
18 |
19 | | Name | Description | Type | Default | Required |
20 | |------|-------------|------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------:|
21 | | additional\_tag\_map | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
22 | | advanced\_options | Key-value string pairs to specify advanced configuration options | `map(string)` | `{}` | no |
23 | | advanced\_security\_options\_enabled | AWS Elasticsearch Kibana enchanced security plugin enabling (forces new resource) | `bool` | `false` | no |
24 | | advanced\_security\_options\_internal\_user\_database\_enabled | Whether to enable or not internal Kibana user database for ELK OpenDistro security plugin | `bool` | `false` | no |
25 | | advanced\_security\_options\_master\_user\_arn | ARN of IAM user who is to be mapped to be Kibana master user (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to false) | `string` | `""` | no |
26 | | advanced\_security\_options\_master\_user\_name | Master user username (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to true) | `string` | `""` | no |
27 | | advanced\_security\_options\_master\_user\_password | Master user password (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to true) | `string` | `""` | no |
28 | | allowed\_cidr\_blocks | List of CIDR blocks to be allowed to connect to the cluster | `list(string)` | `[]` | no |
29 | | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
30 | | automated\_snapshot\_start\_hour | Hour at which automated snapshots are taken, in UTC | `number` | `0` | no |
31 | | availability\_zone\_count | Number of Availability Zones for the domain to use. | `number` | `2` | no |
32 | | aws\_ec2\_service\_name | AWS EC2 Service Name | `list(string)` | [
"ec2.amazonaws.com"
]
| no |
33 | | cognito\_authentication\_enabled | Whether to enable Amazon Cognito authentication with Kibana | `bool` | `false` | no |
34 | | cognito\_iam\_role\_arn | ARN of the IAM role that has the AmazonESCognitoAccess policy attached | `string` | `""` | no |
35 | | cognito\_identity\_pool\_id | The ID of the Cognito Identity Pool to use | `string` | `""` | no |
36 | | cognito\_user\_pool\_id | The ID of the Cognito User Pool to use | `string` | `""` | no |
37 | | context | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
}) | {
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
} | no |
38 | | create\_iam\_service\_linked\_role | Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | `bool` | `true` | no |
39 | | dedicated\_master\_count | Number of dedicated master nodes in the cluster | `number` | `0` | no |
40 | | dedicated\_master\_enabled | Indicates whether dedicated master nodes are enabled for the cluster | `bool` | `false` | no |
41 | | dedicated\_master\_type | Instance type of the dedicated master nodes in the cluster | `string` | `"t2.small.elasticsearch"` | no |
42 | | delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
43 | | dns\_zone\_id | Route53 DNS Zone ID to add hostname records for Elasticsearch domain and Kibana | `string` | `""` | no |
44 | | domain\_endpoint\_options\_enforce\_https | Whether or not to require HTTPS | `bool` | `false` | no |
45 | | domain\_endpoint\_options\_tls\_security\_policy | The name of the TLS security policy that needs to be applied to the HTTPS endpoint | `string` | `"Policy-Min-TLS-1-2-2019-07"` | no |
46 | | domain\_hostname\_enabled | Explicit flag to enable creating a DNS hostname for ES. If `true`, then `var.dns_zone_id` is required. | `bool` | `false` | no |
47 | | ebs\_iops | The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the Provisioned IOPS EBS volume type | `number` | `0` | no |
48 | | ebs\_volume\_size | EBS volumes for data storage in GB | `number` | `0` | no |
49 | | ebs\_volume\_type | Storage type of EBS volumes | `string` | `"gp2"` | no |
50 | | elasticsearch\_subdomain\_name | The name of the subdomain for Elasticsearch in the DNS zone (\_e.g.\_ `elasticsearch`, `ui`, `ui-es`, `search-ui`) | `string` | `""` | no |
51 | | elasticsearch\_version | Version of Elasticsearch to deploy (\_e.g.\_ `7.4`, `7.1`, `6.8`, `6.7`, `6.5`, `6.4`, `6.3`, `6.2`, `6.0`, `5.6`, `5.5`, `5.3`, `5.1`, `2.3`, `1.5` | `string` | `"7.4"` | no |
52 | | enabled | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
53 | | encrypt\_at\_rest\_enabled | Whether to enable encryption at rest | `bool` | `true` | no |
54 | | encrypt\_at\_rest\_kms\_key\_id | The KMS key ID to encrypt the Elasticsearch domain with. If not specified, then it defaults to using the AWS/Elasticsearch service KMS key | `string` | `""` | no |
55 | | environment | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
56 | | iam\_actions | List of actions to allow for the IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost` | `list(string)` | `[]` | no |
57 | | iam\_authorizing\_role\_arns | List of IAM role ARNs to permit to assume the Elasticsearch user role | `list(string)` | `[]` | no |
58 | | iam\_role\_arns | List of IAM role ARNs to permit access to the Elasticsearch domain | `list(string)` | `[]` | no |
59 | | iam\_role\_max\_session\_duration | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | `number` | `3600` | no |
60 | | id\_length\_limit | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no |
61 | | ingress\_port\_range\_end | End number for allowed port range. (e.g. `443`) | `number` | `65535` | no |
62 | | ingress\_port\_range\_start | Start number for allowed port range. (e.g. `443`) | `number` | `0` | no |
63 | | instance\_count | Number of data nodes in the cluster | `number` | `4` | no |
64 | | instance\_type | Elasticsearch instance type for data nodes in the cluster | `string` | `"t2.small.elasticsearch"` | no |
65 | | kibana\_hostname\_enabled | Explicit flag to enable creating a DNS hostname for Kibana. If `true`, then `var.dns_zone_id` is required. | `bool` | `false` | no |
66 | | kibana\_subdomain\_name | The name of the subdomain for Kibana in the DNS zone (\_e.g.\_ `kibana`, `ui`, `ui-es`, `search-ui`, `kibana.elasticsearch`) | `string` | n/a | yes |
67 | | label\_order | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
68 | | log\_publishing\_application\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for ES\_APPLICATION\_LOGS needs to be published | `string` | `""` | no |
69 | | log\_publishing\_application\_enabled | Specifies whether log publishing option for ES\_APPLICATION\_LOGS is enabled or not | `bool` | `false` | no |
70 | | log\_publishing\_audit\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for AUDIT\_LOGS needs to be published | `string` | `""` | no |
71 | | log\_publishing\_audit\_enabled | Specifies whether log publishing option for AUDIT\_LOGS is enabled or not | `bool` | `false` | no |
72 | | log\_publishing\_index\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for INDEX\_SLOW\_LOGS needs to be published | `string` | `""` | no |
73 | | log\_publishing\_index\_enabled | Specifies whether log publishing option for INDEX\_SLOW\_LOGS is enabled or not | `bool` | `false` | no |
74 | | log\_publishing\_search\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for SEARCH\_SLOW\_LOGS needs to be published | `string` | `""` | no |
75 | | log\_publishing\_search\_enabled | Specifies whether log publishing option for SEARCH\_SLOW\_LOGS is enabled or not | `bool` | `false` | no |
76 | | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |
77 | | namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
78 | | node\_to\_node\_encryption\_enabled | Whether to enable node-to-node encryption | `bool` | `false` | no |
79 | | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
80 | | security\_groups | List of security group IDs to be allowed to connect to the cluster | `list(string)` | `[]` | no |
81 | | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
82 | | subnet\_ids | VPC Subnet IDs | `list(string)` | `[]` | no |
83 | | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
84 | | vpc\_enabled | Set to false if ES should be deployed outside of VPC. | `bool` | `true` | no |
85 | | vpc\_id | VPC ID | `string` | `null` | no |
86 | | warm\_count | Number of UltraWarm nodes | `number` | `2` | no |
87 | | warm\_enabled | Whether AWS UltraWarm is enabled | `bool` | `false` | no |
88 | | warm\_type | Type of UltraWarm nodes | `string` | `"ultrawarm1.medium.elasticsearch"` | no |
89 | | zone\_awareness\_enabled | Enable zone awareness for Elasticsearch cluster | `bool` | `true` | no |
90 |
91 | ## Outputs
92 |
93 | | Name | Description |
94 | |------|-------------|
95 | | domain\_arn | ARN of the Elasticsearch domain |
96 | | domain\_endpoint | Domain-specific endpoint used to submit index, search, and data upload requests |
97 | | domain\_hostname | Elasticsearch domain hostname to submit index, search, and data upload requests |
98 | | domain\_id | Unique identifier for the Elasticsearch domain |
99 | | domain\_name | Name of the Elasticsearch domain |
100 | | elasticsearch\_user\_iam\_role\_arn | The ARN of the IAM role to allow access to Elasticsearch cluster |
101 | | elasticsearch\_user\_iam\_role\_name | The name of the IAM role to allow access to Elasticsearch cluster |
102 | | kibana\_endpoint | Domain-specific endpoint for Kibana without https scheme |
103 | | kibana\_hostname | Kibana hostname |
104 | | security\_group\_id | Security Group ID to control access to the Elasticsearch domain |
105 |
106 |
107 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | 
5 |
6 |
7 | 
8 |
9 |
10 |
11 |
12 |
32 |
33 | Terraform module to provision an [`Elasticsearch`](https://aws.amazon.com/elasticsearch-service/) cluster with built-in integrations with [Kibana](https://aws.amazon.com/elasticsearch-service/kibana/) and [Logstash](https://aws.amazon.com/elasticsearch-service/logstash/).
34 |
35 |
36 | > [!TIP]
37 | > #### 👽 Use Atmos with Terraform
38 | > Cloud Posse uses [`atmos`](https://atmos.tools) to easily orchestrate multiple environments using Terraform.
39 | > Works with [Github Actions](https://atmos.tools/integrations/github-actions/), [Atlantis](https://atmos.tools/integrations/atlantis), or [Spacelift](https://atmos.tools/integrations/spacelift).
40 | >
41 | >
42 | > Watch demo of using Atmos with Terraform
43 | > 
44 | > Example of running atmos to manage infrastructure from our Quick Start tutorial.
45 | >
46 |
47 |
48 | ## Introduction
49 |
50 | This module will create:
51 | - Elasticsearch cluster with the specified node count in the provided subnets in a VPC
52 | - Elasticsearch domain policy that accepts a list of IAM role ARNs from which to permit management traffic to the cluster
53 | - Security Group to control access to the Elasticsearch domain (inputs to the Security Group are other Security Groups or CIDRs blocks to be allowed to connect to the cluster)
54 | - DNS hostname record for Elasticsearch cluster (if DNS Zone ID is provided)
55 | - DNS hostname record for Kibana (if DNS Zone ID is provided)
56 |
57 | __NOTE:__ To enable [zone awareness](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains.html#es-managedomains-zoneawareness) to deploy Elasticsearch nodes into two different Availability Zones, you need to set `zone_awareness_enabled` to `true` and provide two different subnets in `subnet_ids`.
58 | If you enable zone awareness for your domain, Amazon ES places an endpoint into two subnets.
59 | The subnets must be in different Availability Zones in the same region.
60 | If you don't enable zone awareness, Amazon ES places an endpoint into only one subnet. You also need to set `availability_zone_count` to `1`.
61 |
62 |
63 |
64 |
65 | ## Usage
66 |
67 |
68 | ```hcl
69 | module "elasticsearch" {
70 | source = "cloudposse/elasticsearch/aws"
71 | # Cloud Posse recommends pinning every module to a specific version
72 | # version = "x.x.x"
73 | namespace = "eg"
74 | stage = "dev"
75 | name = "es"
76 | dns_zone_id = "Z14EN2YD427LRQ"
77 | security_groups = ["sg-XXXXXXXXX", "sg-YYYYYYYY"]
78 | vpc_id = "vpc-XXXXXXXXX"
79 | subnet_ids = ["subnet-XXXXXXXXX", "subnet-YYYYYYYY"]
80 | zone_awareness_enabled = true
81 | elasticsearch_version = "6.5"
82 | instance_type = "t2.small.elasticsearch"
83 | instance_count = 4
84 | ebs_volume_size = 10
85 | iam_role_arns = ["arn:aws:iam::XXXXXXXXX:role/ops", "arn:aws:iam::XXXXXXXXX:role/dev"]
86 | iam_actions = ["es:ESHttpGet", "es:ESHttpPut", "es:ESHttpPost"]
87 | encrypt_at_rest_enabled = true
88 | kibana_subdomain_name = "kibana-es"
89 |
90 | advanced_options = {
91 | "rest.action.multi.allow_explicit_index" = "true"
92 | }
93 | }
94 | ```
95 |
96 | > [!IMPORTANT]
97 | > In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation
98 | > and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version
99 | > you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic
100 | > approach for updating versions to avoid unexpected changes.
101 |
102 |
103 |
104 |
105 |
106 | ## Examples
107 |
108 | Here is a working example of using this module:
109 | - [`examples/complete`](examples/complete)
110 |
111 | Here are automated tests for the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest) (which tests and deploys the example on AWS):
112 | - [`test`](test)
113 |
114 |
115 |
116 |
117 |
118 | ## Requirements
119 |
120 | | Name | Version |
121 | |------|---------|
122 | | [terraform](#requirement\_terraform) | >= 1.3 |
123 | | [aws](#requirement\_aws) | >= 5.15.0 |
124 |
125 | ## Providers
126 |
127 | | Name | Version |
128 | |------|---------|
129 | | [aws](#provider\_aws) | >= 5.15.0 |
130 |
131 | ## Modules
132 |
133 | | Name | Source | Version |
134 | |------|--------|---------|
135 | | [domain\_hostname](#module\_domain\_hostname) | cloudposse/route53-cluster-hostname/aws | 0.13.0 |
136 | | [kibana\_hostname](#module\_kibana\_hostname) | cloudposse/route53-cluster-hostname/aws | 0.13.0 |
137 | | [kibana\_label](#module\_kibana\_label) | cloudposse/label/null | 0.25.0 |
138 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
139 | | [user\_label](#module\_user\_label) | cloudposse/label/null | 0.25.0 |
140 |
141 | ## Resources
142 |
143 | | Name | Type |
144 | |------|------|
145 | | [aws_elasticsearch_domain.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) | resource |
146 | | [aws_elasticsearch_domain_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain_policy) | resource |
147 | | [aws_iam_role.elasticsearch_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
148 | | [aws_iam_service_linked_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
149 | | [aws_opensearch_domain.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain) | resource |
150 | | [aws_opensearch_domain_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain_policy) | resource |
151 | | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
152 | | [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
153 | | [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
154 | | [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
155 | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
156 | | [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
157 |
158 | ## Inputs
159 |
160 | | Name | Description | Type | Default | Required |
161 | |------|-------------|------|---------|:--------:|
162 | | [access\_policies](#input\_access\_policies) | JSON string for the IAM policy document specifying the access policies for the domain. | `string` | `""` | no |
163 | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
164 | | [advanced\_options](#input\_advanced\_options) | Key-value string pairs to specify advanced configuration options | `map(string)` | `{}` | no |
165 | | [advanced\_security\_options\_anonymous\_auth\_enabled](#input\_advanced\_security\_options\_anonymous\_auth\_enabled) | Whether Anonymous auth is enabled. Enables fine-grained access control on an existing domain | `bool` | `false` | no |
166 | | [advanced\_security\_options\_enabled](#input\_advanced\_security\_options\_enabled) | AWS Elasticsearch Kibana enchanced security plugin enabling (forces new resource) | `bool` | `false` | no |
167 | | [advanced\_security\_options\_internal\_user\_database\_enabled](#input\_advanced\_security\_options\_internal\_user\_database\_enabled) | Whether to enable or not internal Kibana user database for ELK OpenDistro security plugin | `bool` | `false` | no |
168 | | [advanced\_security\_options\_master\_user\_arn](#input\_advanced\_security\_options\_master\_user\_arn) | ARN of IAM user who is to be mapped to be Kibana master user (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to false) | `string` | `""` | no |
169 | | [advanced\_security\_options\_master\_user\_name](#input\_advanced\_security\_options\_master\_user\_name) | Master user username (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to true) | `string` | `""` | no |
170 | | [advanced\_security\_options\_master\_user\_password](#input\_advanced\_security\_options\_master\_user\_password) | Master user password (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to true) | `string` | `""` | no |
171 | | [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks to be allowed to connect to the cluster | `list(string)` | `[]` | no |
172 | | [anonymous\_iam\_actions](#input\_anonymous\_iam\_actions) | List of actions to allow for the anonymous (`*`) IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost` | `list(string)` | `[]` | no |
173 | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
174 | | [auto\_tune](#input\_auto\_tune) | This object represents the auto\_tune configuration. It contains the following filed:
- enabled - Whether to enable autotune.
- rollback\_on\_disable - Whether to roll back to default Auto-Tune settings when disabling Auto-Tune.
- starting\_time - Date and time at which to start the Auto-Tune maintenance schedule in RFC3339 format. Time should be in the future.
- cron\_schedule - A cron expression specifying the recurrence pattern for an Auto-Tune maintenance schedule.
- duration - Autotune maintanance window duration time in hours. | object({
enabled = bool
rollback_on_disable = string
starting_time = string
cron_schedule = string
duration = number
}) | {
"cron_schedule": null,
"duration": null,
"enabled": false,
"rollback_on_disable": "NO_ROLLBACK",
"starting_time": null
} | no |
175 | | [automated\_snapshot\_start\_hour](#input\_automated\_snapshot\_start\_hour) | Hour at which automated snapshots are taken, in UTC | `number` | `0` | no |
176 | | [availability\_zone\_count](#input\_availability\_zone\_count) | Number of Availability Zones for the domain to use. | `number` | `2` | no |
177 | | [aws\_ec2\_service\_name](#input\_aws\_ec2\_service\_name) | AWS EC2 Service Name | `list(string)` | [
"ec2.amazonaws.com"
]
| no |
178 | | [aws\_service\_type](#input\_aws\_service\_type) | The type of AWS service to deploy (`elasticsearch` or `opensearch`). | `string` | `"elasticsearch"` | no |
179 | | [cognito\_authentication\_enabled](#input\_cognito\_authentication\_enabled) | Whether to enable Amazon Cognito authentication with Kibana | `bool` | `false` | no |
180 | | [cognito\_iam\_role\_arn](#input\_cognito\_iam\_role\_arn) | ARN of the IAM role that has the AmazonESCognitoAccess policy attached | `string` | `""` | no |
181 | | [cognito\_identity\_pool\_id](#input\_cognito\_identity\_pool\_id) | The ID of the Cognito Identity Pool to use | `string` | `""` | no |
182 | | [cognito\_user\_pool\_id](#input\_cognito\_user\_pool\_id) | The ID of the Cognito User Pool to use | `string` | `""` | no |
183 | | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Enables cold storage support. | `bool` | `false` | no |
184 | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | {
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
} | no |
185 | | [create\_elasticsearch\_user\_role](#input\_create\_elasticsearch\_user\_role) | Whether to create an IAM role for Users/EC2 to assume to access the Elasticsearch domain. Set it to `false` if you already manage access through other means. | `bool` | `true` | no |
186 | | [create\_iam\_service\_linked\_role](#input\_create\_iam\_service\_linked\_role) | Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | `bool` | `true` | no |
187 | | [create\_security\_group](#input\_create\_security\_group) | Whether to create a dedicated security group for the Elasticsearch domain. Set it to `false` if you already have security groups that you want to attach to the domain and specify them in the `security_groups` variable. | `bool` | `true` | no |
188 | | [custom\_endpoint](#input\_custom\_endpoint) | Fully qualified domain for custom endpoint. | `string` | `""` | no |
189 | | [custom\_endpoint\_certificate\_arn](#input\_custom\_endpoint\_certificate\_arn) | ACM certificate ARN for custom endpoint. | `string` | `""` | no |
190 | | [custom\_endpoint\_enabled](#input\_custom\_endpoint\_enabled) | Whether to enable custom endpoint for the Elasticsearch domain. | `bool` | `false` | no |
191 | | [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster | `number` | `0` | no |
192 | | [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster | `bool` | `false` | no |
193 | | [dedicated\_master\_type](#input\_dedicated\_master\_type) | Instance type of the dedicated master nodes in the cluster | `string` | `"t2.small.elasticsearch"` | no |
194 | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
195 | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
196 | | [dns\_zone\_id](#input\_dns\_zone\_id) | Route53 DNS Zone ID to add hostname records for Elasticsearch domain and Kibana | `string` | `""` | no |
197 | | [domain\_endpoint\_options\_enforce\_https](#input\_domain\_endpoint\_options\_enforce\_https) | Whether or not to require HTTPS | `bool` | `true` | no |
198 | | [domain\_endpoint\_options\_tls\_security\_policy](#input\_domain\_endpoint\_options\_tls\_security\_policy) | The name of the TLS security policy that needs to be applied to the HTTPS endpoint | `string` | `"Policy-Min-TLS-1-2-2019-07"` | no |
199 | | [domain\_hostname\_enabled](#input\_domain\_hostname\_enabled) | Explicit flag to enable creating a DNS hostname for ES. If `true`, then `var.dns_zone_id` is required. | `bool` | `false` | no |
200 | | [ebs\_iops](#input\_ebs\_iops) | The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the Provisioned IOPS EBS volume type | `number` | `0` | no |
201 | | [ebs\_throughput](#input\_ebs\_throughput) | Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type. Valid values are between 125 and 1000. | `number` | `null` | no |
202 | | [ebs\_volume\_size](#input\_ebs\_volume\_size) | EBS volumes for data storage in GB | `number` | `0` | no |
203 | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | Storage type of EBS volumes | `string` | `"gp2"` | no |
204 | | [elasticsearch\_domain\_name](#input\_elasticsearch\_domain\_name) | The name of the Elasticsearch domain. Must be at least 3 and no more than 28 characters long. Valid characters are a-z (lowercase letters), 0-9, and - (hyphen). | `string` | `""` | no |
205 | | [elasticsearch\_subdomain\_name](#input\_elasticsearch\_subdomain\_name) | The name of the subdomain for Elasticsearch in the DNS zone (\_e.g.\_ `elasticsearch`, `ui`, `ui-es`, `search-ui`) | `string` | `""` | no |
206 | | [elasticsearch\_version](#input\_elasticsearch\_version) | Version of Elasticsearch to deploy (\_e.g.\_ `7.4`, `7.1`, `6.8`, `6.7`, `6.5`, `6.4`, `6.3`, `6.2`, `6.0`, `5.6`, `5.5`, `5.3`, `5.1`, `2.3`, `1.5` | `string` | `"7.10"` | no |
207 | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
208 | | [encrypt\_at\_rest\_enabled](#input\_encrypt\_at\_rest\_enabled) | Whether to enable encryption at rest | `bool` | `true` | no |
209 | | [encrypt\_at\_rest\_kms\_key\_id](#input\_encrypt\_at\_rest\_kms\_key\_id) | The KMS key ID to encrypt the Elasticsearch domain with. If not specified, then it defaults to using the AWS/Elasticsearch service KMS key | `string` | `""` | no |
210 | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
211 | | [iam\_actions](#input\_iam\_actions) | List of actions to allow for the user IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost` | `list(string)` | `[]` | no |
212 | | [iam\_authorizing\_role\_arns](#input\_iam\_authorizing\_role\_arns) | List of IAM role ARNs to permit to assume the Elasticsearch user role | `list(string)` | `[]` | no |
213 | | [iam\_irsa\_openid\_connect\_provider\_arn](#input\_iam\_irsa\_openid\_connect\_provider\_arn) | ARN of the OpenID connect provider to allow usage of IRSA | `string` | `""` | no |
214 | | [iam\_irsa\_openid\_connect\_provider\_url](#input\_iam\_irsa\_openid\_connect\_provider\_url) | URL of the OpenID connect provider to allow usage of IRSA | `string` | `""` | no |
215 | | [iam\_irsa\_service\_account](#input\_iam\_irsa\_service\_account) | Kubernetes ServiceAccount to allow to access the Elastic Domain via IRSA | `string` | `"system:serviceaccount:default:*"` | no |
216 | | [iam\_irsa\_service\_accounts](#input\_iam\_irsa\_service\_accounts) | Kubernetes ServiceAccounts to allow to access the Elastic Domain via IRSA | `list(string)` | `[]` | no |
217 | | [iam\_role\_arns](#input\_iam\_role\_arns) | List of IAM role ARNs to permit access to the Elasticsearch domain | `list(string)` | `[]` | no |
218 | | [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | `number` | `3600` | no |
219 | | [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | The ARN of the permissions boundary policy which will be attached to the Elasticsearch user role | `string` | `null` | no |
220 | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
221 | | [ingress\_port\_range\_end](#input\_ingress\_port\_range\_end) | End number for allowed port range. (e.g. `443`) | `number` | `65535` | no |
222 | | [ingress\_port\_range\_start](#input\_ingress\_port\_range\_start) | Start number for allowed port range. (e.g. `443`) | `number` | `0` | no |
223 | | [instance\_count](#input\_instance\_count) | Number of data nodes in the cluster | `number` | `4` | no |
224 | | [instance\_type](#input\_instance\_type) | Elasticsearch instance type for data nodes in the cluster | `string` | `"t2.small.elasticsearch"` | no |
225 | | [kibana\_hostname\_enabled](#input\_kibana\_hostname\_enabled) | Explicit flag to enable creating a DNS hostname for Kibana. If `true`, then `var.dns_zone_id` is required. | `bool` | `false` | no |
226 | | [kibana\_subdomain\_name](#input\_kibana\_subdomain\_name) | The name of the subdomain for Kibana in the DNS zone (\_e.g.\_ `kibana`, `ui`, `ui-es`, `search-ui`, `kibana.elasticsearch`) | `string` | `""` | no |
227 | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
228 | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
229 | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
230 | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | [
"default"
]
| no |
231 | | [log\_publishing\_application\_cloudwatch\_log\_group\_arn](#input\_log\_publishing\_application\_cloudwatch\_log\_group\_arn) | ARN of the CloudWatch log group to which log for ES\_APPLICATION\_LOGS needs to be published | `string` | `""` | no |
232 | | [log\_publishing\_application\_enabled](#input\_log\_publishing\_application\_enabled) | Specifies whether log publishing option for ES\_APPLICATION\_LOGS is enabled or not | `bool` | `false` | no |
233 | | [log\_publishing\_audit\_cloudwatch\_log\_group\_arn](#input\_log\_publishing\_audit\_cloudwatch\_log\_group\_arn) | ARN of the CloudWatch log group to which log for AUDIT\_LOGS needs to be published | `string` | `""` | no |
234 | | [log\_publishing\_audit\_enabled](#input\_log\_publishing\_audit\_enabled) | Specifies whether log publishing option for AUDIT\_LOGS is enabled or not | `bool` | `false` | no |
235 | | [log\_publishing\_index\_cloudwatch\_log\_group\_arn](#input\_log\_publishing\_index\_cloudwatch\_log\_group\_arn) | ARN of the CloudWatch log group to which log for INDEX\_SLOW\_LOGS needs to be published | `string` | `""` | no |
236 | | [log\_publishing\_index\_enabled](#input\_log\_publishing\_index\_enabled) | Specifies whether log publishing option for INDEX\_SLOW\_LOGS is enabled or not | `bool` | `false` | no |
237 | | [log\_publishing\_search\_cloudwatch\_log\_group\_arn](#input\_log\_publishing\_search\_cloudwatch\_log\_group\_arn) | ARN of the CloudWatch log group to which log for SEARCH\_SLOW\_LOGS needs to be published | `string` | `""` | no |
238 | | [log\_publishing\_search\_enabled](#input\_log\_publishing\_search\_enabled) | Specifies whether log publishing option for SEARCH\_SLOW\_LOGS is enabled or not | `bool` | `false` | no |
239 | | [multi\_az\_with\_standby\_enabled](#input\_multi\_az\_with\_standby\_enabled) | Enable domain with standby for OpenSearch cluster | `bool` | `false` | no |
240 | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
241 | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
242 | | [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether to enable node-to-node encryption | `bool` | `false` | no |
243 | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
244 | | [security\_groups](#input\_security\_groups) | List of security group IDs to be allowed to connect to the cluster or the security group IDs to apply to the cluster when the `create_security_group` variable is set to false. | `list(string)` | `[]` | no |
245 | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
246 | | [subnet\_ids](#input\_subnet\_ids) | VPC Subnet IDs | `list(string)` | `[]` | no |
247 | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
248 | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
249 | | [vpc\_enabled](#input\_vpc\_enabled) | Set to false if ES should be deployed outside of VPC. | `bool` | `true` | no |
250 | | [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | `null` | no |
251 | | [warm\_count](#input\_warm\_count) | Number of UltraWarm nodes | `number` | `2` | no |
252 | | [warm\_enabled](#input\_warm\_enabled) | Whether AWS UltraWarm is enabled | `bool` | `false` | no |
253 | | [warm\_type](#input\_warm\_type) | Type of UltraWarm nodes | `string` | `"ultrawarm1.medium.elasticsearch"` | no |
254 | | [zone\_awareness\_enabled](#input\_zone\_awareness\_enabled) | Enable zone awareness for Elasticsearch cluster | `bool` | `true` | no |
255 |
256 | ## Outputs
257 |
258 | | Name | Description |
259 | |------|-------------|
260 | | [domain\_arn](#output\_domain\_arn) | ARN of the Elasticsearch domain |
261 | | [domain\_endpoint](#output\_domain\_endpoint) | Domain-specific endpoint used to submit index, search, and data upload requests |
262 | | [domain\_hostname](#output\_domain\_hostname) | Elasticsearch domain hostname to submit index, search, and data upload requests |
263 | | [domain\_id](#output\_domain\_id) | Unique identifier for the Elasticsearch domain |
264 | | [domain\_name](#output\_domain\_name) | Name of the Elasticsearch domain |
265 | | [elasticsearch\_user\_iam\_role\_arn](#output\_elasticsearch\_user\_iam\_role\_arn) | The ARN of the IAM role to allow access to Elasticsearch cluster |
266 | | [elasticsearch\_user\_iam\_role\_name](#output\_elasticsearch\_user\_iam\_role\_name) | The name of the IAM role to allow access to Elasticsearch cluster |
267 | | [kibana\_endpoint](#output\_kibana\_endpoint) | Domain-specific endpoint for Kibana without https scheme |
268 | | [kibana\_hostname](#output\_kibana\_hostname) | Kibana hostname |
269 | | [security\_group\_id](#output\_security\_group\_id) | Security Group ID to control access to the Elasticsearch domain |
270 |
271 |
272 |
273 |
274 |
275 |
276 |
277 |
278 |
279 |
280 | ## References
281 |
282 | For additional context, refer to some of these links.
283 |
284 | - [What is Amazon Elasticsearch Service](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/what-is-amazon-elasticsearch-service.html) - Complete description of Amazon Elasticsearch Service
285 | - [Amazon Elasticsearch Service Access Control](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html) - Describes several ways of controlling access to Elasticsearch domains
286 | - [VPC Support for Amazon Elasticsearch Service Domains](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html) - Describes Elasticsearch Service VPC Support and VPC architectures with and without zone awareness
287 | - [Creating and Configuring Amazon Elasticsearch Service Domains](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html) - Provides a complete description on how to create and configure Amazon Elasticsearch Service (Amazon ES) domains
288 | - [Kibana and Logstash](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-kibana.html) - Describes some considerations for using Kibana and Logstash with Amazon Elasticsearch Service
289 | - [Amazon Cognito Authentication for Kibana](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html) - Amazon Elasticsearch Service uses Amazon Cognito to offer user name and password protection for Kibana
290 | - [Control Access to Amazon Elasticsearch Service Domain](https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/) - Describes how to Control Access to Amazon Elasticsearch Service Domain
291 | - [elasticsearch_domain](https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain.html) - Terraform reference documentation for the `elasticsearch_domain` resource
292 | - [elasticsearch_domain_policy](https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain_policy.html) - Terraform reference documentation for the `elasticsearch_domain_policy` resource
293 | - [AWS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) - Associate an IAM role with a Kubernetes service account
294 |
295 |
296 |
297 | > [!TIP]
298 | > #### Use Terraform Reference Architectures for AWS
299 | >
300 | > Use Cloud Posse's ready-to-go [terraform architecture blueprints](https://cloudposse.com/reference-architecture/) for AWS to get up and running quickly.
301 | >
302 | > ✅ We build it together with your team.
303 | > ✅ Your team owns everything.
304 | > ✅ 100% Open Source and backed by fanatical support.
305 | >
306 | > 
307 | > 📚 Learn More
308 | >
309 | >
310 | >
311 | > Cloud Posse is the leading [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticsearch&utm_content=commercial_support) for funded startups and enterprises.
312 | >
313 | > *Your team can operate like a pro today.*
314 | >
315 | > Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.
316 | > #### Day-0: Your Foundation for Success
317 | > - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code.
318 | > - **Deployment Strategy.** Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
319 | > - **Site Reliability Engineering.** Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
320 | > - **Security Baseline.** Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
321 | > - **GitOps.** Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.
322 | >
323 | >
324 | >
325 | > #### Day-2: Your Operational Mastery
326 | > - **Training.** Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
327 | > - **Support.** Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
328 | > - **Troubleshooting.** Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
329 | > - **Code Reviews.** Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
330 | > - **Bug Fixes.** Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
331 | > - **Migration Assistance.** Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
332 | > - **Customer Workshops.** Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.
333 | >
334 | >
335 | >
336 | 
348 |
349 |
350 | For 🐛 bug reports & feature requests, please use the [issue tracker](https://github.com/cloudposse/terraform-aws-elasticsearch/issues).
351 |
352 | In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
353 | 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-elasticsearch/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md).
354 | 2. **Fork** the repo on GitHub
355 | 3. **Clone** the project to your own machine
356 | 4. **Commit** changes to your own branch
357 | 5. **Push** your work back up to your fork
358 | 6. Submit a **Pull Request** so that we can review your changes
359 |
360 | **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request!
361 |
362 |
363 | ## Running Terraform Tests
364 |
365 | We use [Atmos](https://atmos.tools) to streamline how Terraform tests are run. It centralizes configuration and wraps common test workflows with easy-to-use commands.
366 |
367 | All tests are located in the [`test/`](test) folder.
368 |
369 | Under the hood, tests are powered by Terratest together with our internal [Test Helpers](https://github.com/cloudposse/test-helpers) library, providing robust infrastructure validation.
370 |
371 | Setup dependencies:
372 | - Install Atmos ([installation guide](https://atmos.tools/install/))
373 | - Install Go [1.24+ or newer](https://go.dev/doc/install)
374 | - Install Terraform or OpenTofu
375 |
376 | To run tests:
377 |
378 | - Run all tests:
379 | ```sh
380 | atmos test run
381 | ```
382 | - Clean up test artifacts:
383 | ```sh
384 | atmos test clean
385 | ```
386 | - Explore additional test options:
387 | ```sh
388 | atmos test --help
389 | ```
390 | The configuration for test commands is centrally managed. To review what's being imported, see the [`atmos.yaml`](https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml) file.
391 |
392 | Learn more about our [automated testing in our documentation](https://docs.cloudposse.com/community/contribute/automated-testing/) or implementing [custom commands](https://atmos.tools/core-concepts/custom-commands/) with atmos.
393 |
394 | ### 🌎 Slack Community
395 |
396 | Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticsearch&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure.
397 |
398 | ### 📰 Newsletter
399 |
400 | Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticsearch&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know.
401 | Dropped straight into your Inbox every week — and usually a 5-minute read.
402 |
403 | ### 📆 Office Hours 
404 |
405 | [Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticsearch&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else.
406 | It's **FREE** for everyone!
407 | ## License
408 |
409 | 
410 |
411 |
412 | Preamble to the Apache License, Version 2.0
413 |
414 |
415 |
416 | Complete license is available in the [`LICENSE`](LICENSE) file.
417 |
418 | ```text
419 | Licensed to the Apache Software Foundation (ASF) under one
420 | or more contributor license agreements. See the NOTICE file
421 | distributed with this work for additional information
422 | regarding copyright ownership. The ASF licenses this file
423 | to you under the Apache License, Version 2.0 (the
424 | "License"); you may not use this file except in compliance
425 | with the License. You may obtain a copy of the License at
426 |
427 | https://www.apache.org/licenses/LICENSE-2.0
428 |
429 | Unless required by applicable law or agreed to in writing,
430 | software distributed under the License is distributed on an
431 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
432 | KIND, either express or implied. See the License for the
433 | specific language governing permissions and limitations
434 | under the License.
435 | ```
436 |
437 |
438 | ## Trademarks
439 |
440 | All other trademarks referenced herein are the property of their respective owners.
441 |
442 |
443 | ---
444 | Copyright © 2017-2025 [Cloud Posse, LLC](https://cpco.io/copyright)
445 |
446 |
447 | 
448 |
449 | 
450 |
--------------------------------------------------------------------------------