Merge pull request #14 from lgallard/feature/enforce-https

Add domain_endpoint_options domain_endpoint_options

Author: lgallard

CHANGELOG.md

@@ -1,3 +1,12 @@
+## 0.5.0 (September 3, 2020)
+
+ENHANCEMENTS:
+
+* Add `domain_endpoint_options` support
+* Update advaced security options examples
+* Move advaced security options examples to its own folders
+* Add READMEs to each example folder
+
 ## 0.4.1 (August 24, 2020)
 
 FIXES:

README.md

@@ -128,6 +128,9 @@ module "aws_es" {
 | cognito\_options\_role\_arn | ARN of the IAM role that has the AmazonESCognitoAccess policy attached | `string` | `""` | no |
 | cognito\_options\_user\_pool\_id | ID of the Cognito User Pool to use | `string` | `""` | no |
 | create\_service\_link\_role | Create service link role for AWS Elasticsearch Service | `bool` | `true` | no |
+| domain\_endpoint\_options | Domain endpoint HTTP(S) related options. | `any` | `{}` | no |
+| domain\_endpoint\_options\_enforce\_https | Whether or not to require HTTPS | `bool` | `false` | no |
+| domain\_endpoint\_options\_tls\_security\_policy | The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values: `Policy-Min-TLS-1-0-2019-07` and `Policy-Min-TLS-1-2-2019-07` | `string` | `"Policy-Min-TLS-1-2-2019-07"` | no |
 | domain\_name | Name of the domain | `string` | n/a | yes |
 | ebs\_enabled | Whether EBS volumes are attached to data nodes in the domain | `bool` | `true` | no |
 | ebs\_options | EBS related options, may be required based on chosen instance size | `map` | `{}` | no |

examples/advanced_security_options_master_user_arn/README.md

@@ -0,0 +1,65 @@
+# AWS Elasticsearch domain with Advanced Security Options using master user ARN example 
+
+```
+module "aws_es" {
+
+  source = "lgallard/elasticsearch/aws"
+
+  domain_name           = var.es_domain_name
+  elasticsearch_version = var.es_version
+
+  cluster_config = {
+    dedicated_master_enabled = "true"
+    instance_count           = "3"
+    instance_type            = "r5.large.elasticsearch"
+    zone_awareness_enabled   = "true"
+    availability_zone_count  = "3"
+  }
+
+  advanced_security_options = {
+    enabled                        = true
+    internal_user_database_enabled = true
+    master_user_options = {
+      master_user_arn = "arn:aws:iam::123456789101:user/lgallard"
+    }
+  }
+
+  domain_endpoint_options_enforce_https = true
+
+  ebs_options = {
+    ebs_enabled = "true"
+    volume_size = "25"
+  }
+
+  encrypt_at_rest = {
+    enabled    = "true"
+    kms_key_id = "arn:aws:kms:us-east-1:123456789101:key/cccc103b-4ba3-5993-6fc7-b7e538b25fd8"
+  }
+
+
+  log_publishing_options = {
+    enabled = "true"
+  }
+
+  advanced_options = {
+    "rest.action.multi.allow_explicit_index" = "true"
+  }
+
+  access_policies = templatefile("${path.module}/whitelits.tpl", {
+    region      = data.aws_region.current.name,
+    account     = data.aws_caller_identity.current.account_id,
+    domain_name = var.es_domain_name,
+    whitelist   = "${jsonencode(var.whitelist)}"
+  })
+
+  node_to_node_encryption_enabled                = "true"
+  snapshot_options_automated_snapshot_start_hour = "23"
+
+  #timeouts_update = "90m"
+
+  tags = {
+    Owner = "sysops"
+    env   = "dev"
+  }
+}
+```

examples/advanced_security_options/master_user_arn/datasources.tf renamed to examples/advanced_security_options_master_user_arn/datasources.tf

@@ -21,14 +21,16 @@ module "aws_es" {
     }
   }
 
+  domain_endpoint_options_enforce_https = true
+
   ebs_options = {
     ebs_enabled = "true"
     volume_size = "25"
   }
 
   encrypt_at_rest = {
     enabled    = "true"
-    kms_key_id = "alias/aws/es"
+    kms_key_id = "arn:aws:kms:us-east-1:123456789101:key/cccc103b-4ba3-5993-6fc7-b7e538b25fd8"
   }