Merge pull request #51 from lgallard/feature/public-cold-storage

lgallard · web-flow · commit da18f90e5934 · 2022-06-10T17:29:57.000-03:00
Add support and example for cold_storage_options
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.13.0 (June 10, 2022)
+
+ENHANCEMENTS:
+
+* Add support and example for `cold_storage_options`
+
 ## 0.12.2 (August 26, 2021)
 
 FIXES:
diff --git a/README.md b/README.md
@@ -131,8 +131,8 @@ module "aws_es" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.6.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | 3.1.2 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.18.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.3.1 |
 
 ## Modules
 
diff --git a/examples/public_cold_storage/.terraform.lock.hcl b/examples/public_cold_storage/.terraform.lock.hcl
diff --git a/examples/public_cold_storage/README.md b/examples/public_cold_storage/README.md
@@ -0,0 +1,70 @@
+# Public AWS Elasticearch Domain example
+
+```
+module "aws_es" {
+
+  source = "lgallard/elasticsearch/aws"
+
+  domain_name           = var.es_domain_name
+  elasticsearch_version = var.es_version
+
+  cluster_config = {
+    dedicated_master_enabled = "true"
+    instance_count           = "3"
+    instance_type            = "r5.large.elasticsearch"
+    zone_awareness_enabled   = "true"
+    availability_zone_count  = "3"
+  }
+
+  ebs_options = {
+    ebs_enabled = "true"
+    volume_size = "25"
+  }
+
+  encrypt_at_rest = {
+    enabled    = "true"
+    kms_key_id = "alias/aws/es"
+  }
+
+  log_publishing_options = {
+    index_slow_logs = {
+      enabled                          = true
+      cloudwatch_log_group_arn         = "arn:aws:logs:us-east-1:123456789101:log-group:/aws/elasticsearch/index_slow_logs:*"
+      rog_publishing_options_retention = 90
+    }
+    search_slow_logs = {
+      enabled                  = true
+      cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789101:log-group:/aws/elasticsearch/search_slow_logs:*"
+    }
+    es_application_logs = {
+      enabled                   = true
+      cloudwatch_log_group_name = "es_application_logs_dev"
+    }
+    audit_logs = {
+      enabled                   = false
+      cloudwatch_log_group_name = "audit_logs_dev"
+    }
+  }
+
+  advanced_options = {
+    "rest.action.multi.allow_explicit_index" = "true"
+  }
+
+  access_policies = templatefile("${path.module}/whitelits.tpl", {
+    region      = data.aws_region.current.name,
+    account     = data.aws_caller_identity.current.account_id,
+    domain_name = var.es_domain_name,
+    whitelist   = "${jsonencode(var.whitelist)}"
+  })
+
+  node_to_node_encryption_enabled                = "true"
+  snapshot_options_automated_snapshot_start_hour = "23"
+
+  timeouts_update = "60m"
+
+  tags = {
+    Owner = "sysops"
+    env   = "dev"
+  }
+}
+```
diff --git a/examples/public_cold_storage/datasources.tf b/examples/public_cold_storage/datasources.tf
@@ -0,0 +1,6 @@
+# Use this data source to get the access to the effective Account ID in which
+# Terraform is working.
+data "aws_caller_identity" "current" {}
+
+# To obtain the name of the AWS region configured on the provider
+data "aws_region" "current" {}
diff --git a/examples/public_cold_storage/main.tf b/examples/public_cold_storage/main.tf
@@ -0,0 +1,70 @@
+module "aws_es" {
+
+  source = "../../"
+
+  domain_name           = var.es_domain_name
+  elasticsearch_version = var.es_version
+
+  cluster_config = {
+    dedicated_master_enabled     = true
+    instance_count               = 3
+    instance_type                = "r5.large.elasticsearch"
+    zone_awareness_enabled       = true
+    warm_enabled                 = true
+    warm_type                    = "ultrawarm1.medium.elasticsearch"
+    warm_count                   = 2
+    cold_storage_options_enabled = true
+    availability_zone_count      = 3
+  }
+
+  ebs_options = {
+    ebs_enabled = true
+    volume_size = 25
+  }
+
+  encrypt_at_rest = {
+    enabled = true
+    #kms_key_id = "arn:aws:kms:us-east-1:123456789101:key/cccc103b-4ba3-5993-6fc7-b7e538b25fd8"
+  }
+
+  log_publishing_options = {
+    index_slow_logs = {
+      enabled                          = false
+      cloudwatch_log_group_arn         = "arn:aws:logs:us-east-1:758889637411:log-group:/aws/elasticsearch/index_slow_logs:*"
+      log_publishing_options_retention = 90
+    }
+    search_slow_logs = {
+      enabled                  = false
+      cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:758889637411:log-group:/aws/elasticsearch/search_slow_logs:*"
+    }
+    es_application_logs = {
+      enabled                   = false
+      cloudwatch_log_group_name = "es_application_logs_dev"
+    }
+    audit_logs = {
+      enabled                   = false
+      cloudwatch_log_group_name = "audit_logs_dev"
+    }
+  }
+
+  advanced_options = {
+    "rest.action.multi.allow_explicit_index" = true
+  }
+
+  access_policies = templatefile("${path.module}/whitelits.tpl", {
+    region      = data.aws_region.current.name,
+    account     = data.aws_caller_identity.current.account_id,
+    domain_name = var.es_domain_name,
+    whitelist   = jsonencode(var.whitelist)
+  })
+
+  node_to_node_encryption_enabled                = true
+  snapshot_options_automated_snapshot_start_hour = 23
+
+  timeouts_update = "60m"
+
+  tags = {
+    Owner = "sysops"
+    env   = "dev"
+  }
+}
diff --git a/examples/public_cold_storage/provider.tf b/examples/public_cold_storage/provider.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+  region  = var.region
+  profile = var.profile
+}
diff --git a/examples/public_cold_storage/terraform.tfvars b/examples/public_cold_storage/terraform.tfvars
@@ -0,0 +1,5 @@
+region         = "us-east-1"
+profile        = "default"
+es_domain_name = "elasticsearch-public"
+es_version     = "OpenSearch_1.2"
+whitelist      = ["1.1.1.1", "2.2.2.2"]
diff --git a/examples/public_cold_storage/variables.tf b/examples/public_cold_storage/variables.tf
@@ -0,0 +1,14 @@
+# Provider
+variable "region" {}
+variable "profile" {}
+
+
+# AWS Elasticsearch
+variable "es_domain_name" {}
+variable "es_version" {}
+
+
+# Whitelist (allow public IPs)
+variable "whitelist" {
+  default = []
+}
diff --git a/examples/public_cold_storage/versions.tf b/examples/public_cold_storage/versions.tf
@@ -0,0 +1,7 @@
+
+terraform {
+  required_version = ">= 0.12"
+  required_providers {
+    aws = ">= 3.35.0"
+  }
+}
diff --git a/examples/public_cold_storage/whitelits.tpl b/examples/public_cold_storage/whitelits.tpl
@@ -0,0 +1,19 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "es:*",
+      "Resource": "arn:aws:es:${region}:${account}:domain/${domain_name}/*",
+      "Condition": {
+        "IpAddress": {
+          "aws:SourceIp": ${whitelist}
+        }
+      }
+    }
+  ]
+}
diff --git a/main.tf b/main.tf
@@ -83,6 +83,13 @@ resource "aws_elasticsearch_domain" "es_domain" {
       warm_count               = lookup(cluster_config.value, "warm_count")
       warm_type                = lookup(cluster_config.value, "warm_type")
 
+      dynamic "cold_storage_options" {
+        for_each = lookup(cluster_config.value, "cold_storage_options_enabled", false) ? [1] : []
+        content {
+          enabled = lookup(cluster_config.value, "cold_storage_options_enabled", false)
+        }
+      }
+
       dynamic "zone_awareness_config" {
         # cluster_availability_zone_count valid values: 2 or 3.
         for_each = lookup(cluster_config.value, "zone_awareness_enabled", false) ? [1] : []
