Merge pull request #6 from clouddrove/CD-120

Add public option

Author: Nikita Dugar

README.md

@@ -7,7 +7,7 @@
     Terraform AWS Elasticsearch
 </h1>
 
-<p align="center" style="font-size: 1.2rem;"> 
+<p align="center" style="font-size: 1.2rem;">
     Terraform module to create an Elasticsearch resource on AWS.
      </p>
 
@@ -38,7 +38,7 @@
 <hr>
 
 
-We eat, drink, sleep and most importantly love **DevOps**. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy <b>Bigger problems are always solved by breaking them into smaller manageable problems</b>. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller <b>connected yet manageable pieces</b> within the infrastructure. 
+We eat, drink, sleep and most importantly love **DevOps**. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy <b>Bigger problems are always solved by breaking them into smaller manageable problems</b>. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller <b>connected yet manageable pieces</b> within the infrastructure.
 
 This module is basically combination of [Terraform open source](https://www.terraform.io/) and includes automatation tests and examples. It also helps to create and improve your infrastructure with minimalistic code instead of maintaining the whole infrastructure code yourself.
 
@@ -49,7 +49,7 @@ We have [*fifty plus terraform modules*][terraform_modules]. A few of them are c
 
 ## Prerequisites
 
-This module has a few dependencies: 
+This module has a few dependencies:
 
 - [Terraform 0.13](https://learn.hashicorp.com/terraform/getting-started/install.html)
 - [Go](https://golang.org/doc/install)
@@ -180,8 +180,9 @@ Note: There are some type of instances which not support encryption and EBS opti
 | log\_publishing\_search\_enabled | Specifies whether log publishing option for SEARCH\_SLOW\_LOGS is enabled or not. | `bool` | `false` | no |
 | managedby | ManagedBy, eg 'CloudDrove' or 'AnmolNagpal'. | `string` | `"anmol@clouddrove.com"` | no |
 | name | Name  (e.g. `app` or `cluster`). | `string` | `""` | no |
-| security\_group\_ids | Security Group IDs. | `list(string)` | n/a | yes |
-| subnet\_ids | Subnet IDs. | `list(string)` | n/a | yes |
+| public\_enabled | Enable Elasticsearch cluster is public or not. | `bool` | `false` | no |
+| security\_group\_ids | Security Group IDs. | `list(string)` | `[]` | no |
+| subnet\_ids | Subnet IDs. | `list(string)` | `[]` | no |
 | tags | Additional tags (e.g. map(`BusinessUnit`,`XYZ`). | `map` | `{}` | no |
 | tls\_security\_policy | The name of the TLS security policy that needs to be applied to the HTTPS endpoint. | `any` | `null` | no |
 | ttl | The TTL of the record to add to the DNS zone to complete certificate validation. | `string` | `"300"` | no |
@@ -201,7 +202,7 @@ Note: There are some type of instances which not support encryption and EBS opti
 
 
 ## Testing
-In this module testing is performed with [terratest](https://github.com/gruntwork-io/terratest) and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. This testing is written in GO, so you need a [GO environment](https://golang.org/doc/install) in your system. 
+In this module testing is performed with [terratest](https://github.com/gruntwork-io/terratest) and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. This testing is written in GO, so you need a [GO environment](https://golang.org/doc/install) in your system.
 
 You need to run the following command in the testing folder:
 ```hcl
@@ -210,7 +211,7 @@ You need to run the following command in the testing folder:
 
 
 
-## Feedback 
+## Feedback
 If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-elasticsearch/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).
 
 If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-elasticsearch)!

_example/single-node/example.tf

@@ -65,10 +65,13 @@ module "elasticsearch" {
   log_publishing_search_cloudwatch_log_group_arn = true
   log_publishing_index_cloudwatch_log_group_arn  = true
 
-  dns_enabled     = false
-  es_hostname     = "es"
-  kibana_hostname = "kibana"
-  dns_zone_id     = false
+  enforce_https       = true
+  tls_security_policy = "Policy-Min-TLS-1-0-2019-07"
+  public_enabled      = false
+  dns_enabled         = false
+  es_hostname         = "es"
+  kibana_hostname     = "kibana"
+  dns_zone_id         = "Z1XJD7SSBKXLC1"
 
   advanced_options = {
     "rest.action.multi.allow_explicit_index" = "true"

main.tf

@@ -85,7 +85,7 @@ data "aws_iam_policy_document" "elasticsearch-log-publishing-policy" {
 #Module      : Elasticsearch
 #Description : Terraform module to create Elasticsearch resource on AWS.
 resource "aws_elasticsearch_domain" "default" {
-  count                 = var.enabled && var.zone_awareness_enabled ? 1 : 0
+  count                 = var.enabled && var.zone_awareness_enabled && var.public_enabled == false ? 1 : 0
   domain_name           = var.domain_name != "" ? var.domain_name : module.labels.id
   elasticsearch_version = var.elasticsearch_version
 
@@ -157,10 +157,78 @@ resource "aws_elasticsearch_domain" "default" {
   depends_on = [aws_iam_service_linked_role.default]
 }
 
+resource "aws_elasticsearch_domain" "default-public" {
+  count                 = var.enabled && var.zone_awareness_enabled && var.public_enabled ? 1 : 0
+  domain_name           = var.domain_name != "" ? var.domain_name : module.labels.id
+  elasticsearch_version = var.elasticsearch_version
+
+  advanced_options = var.advanced_options
+
+  ebs_options {
+    ebs_enabled = var.volume_size > 0 ? true : false
+    volume_size = var.volume_size
+    volume_type = var.volume_type
+    iops        = var.iops
+  }
+
+  encrypt_at_rest {
+    enabled    = false
+    kms_key_id = var.kms_key_id
+  }
+
+  cluster_config {
+    instance_count           = var.instance_count
+    instance_type            = var.instance_type
+    dedicated_master_enabled = var.dedicated_master_enabled
+    dedicated_master_count   = var.dedicated_master_count
+    dedicated_master_type    = var.dedicated_master_type
+    zone_awareness_enabled   = var.zone_awareness_enabled
+
+    zone_awareness_config {
+      availability_zone_count = var.availability_zone_count
+    }
+  }
+
+  node_to_node_encryption {
+    enabled = var.encryption_enabled
+  }
+
+  snapshot_options {
+    automated_snapshot_start_hour = var.automated_snapshot_start_hour
+  }
+
+  log_publishing_options {
+    enabled                  = var.log_publishing_index_enabled
+    log_type                 = "INDEX_SLOW_LOGS"
+    cloudwatch_log_group_arn = format("%s:*", join("", aws_cloudwatch_log_group.cloudwatch.*.arn))
+  }
+
+  log_publishing_options {
+    enabled                  = var.log_publishing_search_enabled
+    log_type                 = "SEARCH_SLOW_LOGS"
+    cloudwatch_log_group_arn = format("%s:*", join("", aws_cloudwatch_log_group.cloudwatch.*.arn))
+  }
+
+  log_publishing_options {
+    enabled                  = var.log_publishing_application_enabled
+    log_type                 = "ES_APPLICATION_LOGS"
+    cloudwatch_log_group_arn = format("%s:*", join("", aws_cloudwatch_log_group.cloudwatch.*.arn))
+  }
+
+  domain_endpoint_options {
+    enforce_https       = var.enforce_https
+    tls_security_policy = var.tls_security_policy
+  }
+
+  tags = module.labels.tags
+
+  depends_on = [aws_iam_service_linked_role.default]
+}
+
 #Module      : Elasticsearch
 #Description : Terraform module to create Elasticsearch resource on AWS.
 resource "aws_elasticsearch_domain" "single" {
-  count                 = var.enabled && var.zone_awareness_enabled == false ? 1 : 0
+  count                 = var.enabled && var.zone_awareness_enabled == false && var.public_enabled == false ? 1 : 0
   domain_name           = var.domain_name != "" ? var.domain_name : module.labels.id
   elasticsearch_version = var.elasticsearch_version
 
@@ -227,6 +295,69 @@ resource "aws_elasticsearch_domain" "single" {
   depends_on = [aws_iam_service_linked_role.default]
 }
 
+resource "aws_elasticsearch_domain" "single-public" {
+  count                 = var.enabled && var.zone_awareness_enabled == false && var.public_enabled ? 1 : 0
+  domain_name           = var.domain_name != "" ? var.domain_name : module.labels.id
+  elasticsearch_version = var.elasticsearch_version
+
+  advanced_options = var.advanced_options
+
+  ebs_options {
+    ebs_enabled = var.volume_size > 0 ? true : false
+    volume_size = var.volume_size
+    volume_type = var.volume_type
+    iops        = var.iops
+  }
+
+  encrypt_at_rest {
+    enabled    = false
+    kms_key_id = var.kms_key_id
+  }
+
+  cluster_config {
+    instance_count           = var.instance_count
+    instance_type            = var.instance_type
+    dedicated_master_enabled = var.dedicated_master_enabled
+    dedicated_master_count   = var.dedicated_master_count
+    dedicated_master_type    = var.dedicated_master_type
+  }
+
+  node_to_node_encryption {
+    enabled = var.encryption_enabled
+  }
+
+  snapshot_options {
+    automated_snapshot_start_hour = var.automated_snapshot_start_hour
+  }
+
+  log_publishing_options {
+    enabled                  = var.log_publishing_index_enabled
+    log_type                 = "INDEX_SLOW_LOGS"
+    cloudwatch_log_group_arn = format("%s:*", join("", aws_cloudwatch_log_group.cloudwatch.*.arn))
+  }
+
+  log_publishing_options {
+    enabled                  = var.log_publishing_search_enabled
+    log_type                 = "SEARCH_SLOW_LOGS"
+    cloudwatch_log_group_arn = format("%s:*", join("", aws_cloudwatch_log_group.cloudwatch.*.arn))
+  }
+
+  log_publishing_options {
+    enabled                  = var.log_publishing_application_enabled
+    log_type                 = "ES_APPLICATION_LOGS"
+    cloudwatch_log_group_arn = format("%s:*", join("", aws_cloudwatch_log_group.cloudwatch.*.arn))
+  }
+
+  domain_endpoint_options {
+    enforce_https       = var.enforce_https
+    tls_security_policy = var.tls_security_policy
+  }
+
+  tags = module.labels.tags
+
+  depends_on = [aws_iam_service_linked_role.default]
+}
+
 #Module      : Elasticsearch Role Policy
 #Description : Terraform module to create Elasticsearch resource on AWS.
 data "aws_iam_policy_document" "default" {
@@ -236,8 +367,8 @@ data "aws_iam_policy_document" "default" {
     actions = distinct(compact(var.iam_actions))
 
     resources = [
-      var.zone_awareness_enabled ? join("", aws_elasticsearch_domain.default.*.arn) : join("", aws_elasticsearch_domain.single.*.arn),
-      var.zone_awareness_enabled ? format("%s/*", join("", aws_elasticsearch_domain.default.*.arn)) : format("%s/*", join("", aws_elasticsearch_domain.single.*.arn))
+      var.zone_awareness_enabled ? (var.public_enabled ? join("", aws_elasticsearch_domain.default-public.*.arn) : join("", aws_elasticsearch_domain.default.*.arn)) : (var.public_enabled ? join("", aws_elasticsearch_domain.single-public.*.arn) : join("", aws_elasticsearch_domain.single.*.arn)),
+      var.zone_awareness_enabled ? (var.public_enabled ? format("%s/*", join("", aws_elasticsearch_domain.default-public.*.arn)) : format("%s/*", join("", aws_elasticsearch_domain.default.*.arn))) : (var.public_enabled ? format("%s/*", join("", aws_elasticsearch_domain.single-public.*.arn)) : format("%s/*", join("", aws_elasticsearch_domain.single.*.arn)))
     ]
 
     principals {
@@ -264,7 +395,7 @@ module "es_dns" {
   name           = var.es_hostname
   type           = var.type
   ttl            = var.ttl
-  values         = var.zone_awareness_enabled ? join("", aws_elasticsearch_domain.default.*.endpoint) : join("", aws_elasticsearch_domain.single.*.endpoint)
+  values         = var.zone_awareness_enabled ? (var.public_enabled ? join("", aws_elasticsearch_domain.default-public.*.endpoint) : join("", aws_elasticsearch_domain.default.*.endpoint)) : (var.public_enabled ? join("", aws_elasticsearch_domain.single-public.*.endpoint) : join("", aws_elasticsearch_domain.single.*.endpoint))
 }
 #Module      : ROUTE53
 #Description : Provides a Route53 record resource.
@@ -275,5 +406,5 @@ module "kibana_dns" {
   name           = var.kibana_hostname
   type           = var.type
   ttl            = var.ttl
-  values         = var.zone_awareness_enabled ? join("", aws_elasticsearch_domain.default.*.kibana_endpoint) : join("", aws_elasticsearch_domain.single.*.kibana_endpoint)
+  values         = var.zone_awareness_enabled ? (var.public_enabled ? join("", aws_elasticsearch_domain.default-public.*.endpoint) : join("", aws_elasticsearch_domain.default.*.endpoint)) : (var.public_enabled ? join("", aws_elasticsearch_domain.single-public.*.endpoint) : join("", aws_elasticsearch_domain.single.*.endpoint))
 }

variables.tf

@@ -104,6 +104,12 @@ variable "zone_awareness_enabled" {
   description = "Enable zone awareness for Elasticsearch cluster."
 }
 
+variable "public_enabled" {
+  type        = bool
+  default     = false
+  description = "Enable Elasticsearch cluster is public or not."
+}
+
 variable "availability_zone_count" {
   type        = number
   default     = 2
@@ -214,11 +220,13 @@ variable "encryption_enabled" {
 
 variable "subnet_ids" {
   type        = list(string)
+  default     = []
   description = "Subnet IDs."
 }
 
 variable "security_group_ids" {
   type        = list(string)
+  default     = []
   description = "Security Group IDs."
 }