
Commit 11a5591

authored
Merge pull request #14 from lgallard/feature/enforce-https
Add domain_endpoint_options
2 parents b3b632d + ec6a275 commit 11a5591


24 files changed

+560
-4
lines changed


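--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,12 @@
+## 0.5.0 (September 3, 2020)
+
+ENHANCEMENTS:
+
+* Add `domain_endpoint_options` support
+* Update advaced security options examples
+* Move advaced security options examples to its own folders
+* Add READMEs to each example folder
+
 ## 0.4.1 (August 24, 2020)
 
 FIXES: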

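--- a/README.md
+++ b/README.md
@@ -128,6 +128,9 @@ module "aws_es" {
 | cognito\_options\_role\_arn | ARN of the IAM role that has the AmazonESCognitoAccess policy attached | `string` | `""` | no |
 | cognito\_options\_user\_pool\_id | ID of the Cognito User Pool to use | `string` | `""` | no |
 | create\_service\_link\_role | Create service link role for AWS Elasticsearch Service | `bool` | `true` | no |
+| domain\_endpoint\_options | Domain endpoint HTTP(S) related options. | `any` | `{}` | no |
+| domain\_endpoint\_options\_enforce\_https | Whether or not to require HTTPS | `bool` | `false` | no |
+| domain\_endpoint\_options\_tls\_security\_policy | The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values: `Policy-Min-TLS-1-0-2019-07` and `Policy-Min-TLS-1-2-2019-07` | `string` | `"Policy-Min-TLS-1-2-2019-07"` | no |
 | domain\_name | Name of the domain | `string` | n/a | yes |
 | ebs\_enabled | Whether EBS volumes are attached to data nodes in the domain | `bool` | `true` | no |
 | ebs\_options | EBS related options, may be required based on chosen instance size | `map` | `{}` | no |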
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
# AWS Elasticsearch domain with Advanced Security Options using master user ARN example
2+
3+
```
4+
module "aws_es" {
5+
6+
source = "lgallard/elasticsearch/aws"
7+
8+
domain_name = var.es_domain_name
9+
elasticsearch_version = var.es_version
10+
11+
cluster_config = {
12+
dedicated_master_enabled = "true"
13+
instance_count = "3"
14+
instance_type = "r5.large.elasticsearch"
15+
zone_awareness_enabled = "true"
16+
availability_zone_count = "3"
17+
}
18+
19+
advanced_security_options = {
20+
enabled = true
21+
internal_user_database_enabled = true
22+
master_user_options = {
23+
master_user_arn = "arn:aws:iam::123456789101:user/lgallard"
24+
}
25+
}
26+
27+
domain_endpoint_options_enforce_https = true
28+
29+
ebs_options = {
30+
ebs_enabled = "true"
31+
volume_size = "25"
32+
}
33+
34+
encrypt_at_rest = {
35+
enabled = "true"
36+
kms_key_id = "arn:aws:kms:us-east-1:123456789101:key/cccc103b-4ba3-5993-6fc7-b7e538b25fd8"
37+
}
38+
39+
40+
log_publishing_options = {
41+
enabled = "true"
42+
}
43+
44+
advanced_options = {
45+
"rest.action.multi.allow_explicit_index" = "true"
46+
}
47+
48+
access_policies = templatefile("${path.module}/whitelits.tpl", {
49+
region = data.aws_region.current.name,
50+
account = data.aws_caller_identity.current.account_id,
51+
domain_name = var.es_domain_name,
52+
whitelist = "${jsonencode(var.whitelist)}"
53+
})
54+
55+
node_to_node_encryption_enabled = "true"
56+
snapshot_options_automated_snapshot_start_hour = "23"
57+
58+
#timeouts_update = "90m"
59+
60+
tags = {
61+
Owner = "sysops"
62+
env = "dev"
63+
}
64+
}
65+
```

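--- a/examples/advanced_security_options/master_user_arn/main.tf
+++ b/examples/advanced_security_options_master_user_arn/main.tf
@@ -21,14 +21,16 @@ module "aws_es" {
 }
 }
 
+domain_endpoint_options_enforce_https = true
+
 ebs_options = {
 ebs_enabled = "true"
 volume_size = "25"
 }
 
 encrypt_at_rest = {
 enabled = "true"
-kms_key_id = "alias/aws/es"
+kms_key_id = "arn:aws:kms:us-east-1:123456789101:key/cccc103b-4ba3-5993-6fc7-b7e538b25fd8"
 }
 
 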
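Review bot: The added `domain_endpoint_options_enforce_https = true` leaves the TLS floor to the module default, so the example never shows which policy the endpoint ends up with; the README table in this commit also lists `Policy-Min-TLS-1-0-2019-07` as a valid value, so I would pin the stricter one right below it: `domain_endpoint_options_tls_security_policy = "Policy-Min-TLS-1-2-2019-07"`. The same table documents `enforce_https` as defaulting to `false`, so a short comment such as `# HTTPS is not enforced by default; opt in explicitly` would tell readers why the line is there. The new `kms_key_id` hard-codes a region and an account id; a comment like `# placeholder ARN: use a key in the domain's own region and account` would keep it from being copied verbatim. The `module "aws_es"` block starts and ends outside this hunk.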
