Creates an Amazon OpenSearch Service domain with secure defaults. This module always enables node-to-node encryption, encryption at rest and HTTPS-only endpoints, and always places the domain inside a VPC; none of these can be switched off through its inputs.
```hcl
# Customer-managed KMS key for encryption at rest. The `principals` input
# controls which IAM principals may use the key; narrow it for production.
module "opensearch_kms_key" {
  source = "dod-iac/opensearch-kms-key/aws"
  # Pin to a release, e.g. version = "~> 1.0.0"
  name        = format("alias/app-%s-opensearch-%s", var.application, var.environment)
  description = format("A KMS key used to encrypt data in Amazon OpenSearch Service for %s:%s.", var.application, var.environment)
  principals  = ["*"]
  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}

module "opensearch_domain" {
  source = "dod-iac/opensearch-domain/aws"
  # Pin to a release, e.g. version = "~> 1.0.0"
  name        = format("app-%s-%s", var.application, var.environment)
  kms_key_arn = module.opensearch_kms_key.aws_kms_key_arn
  # 0.0.0.0/0 admits every source that can route to the domain's subnets
  # (the whole VPC plus any peered VPC, VPN or Transit Gateway attachment).
  # Use the VPC CIDR or ingress_security_groups to narrow this.
  ingress_cidr_blocks = ["0.0.0.0/0"]
  # Domain ENIs are created in these private subnets.
  subnet_ids = slice(module.vpc.private_subnets, 0, 1)
  vpc_id     = module.vpc.vpc_id
  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```
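The example above leaves the domain's resource policy open to all principals (the module default when `access_policies` is unset) and its security group open to every source that can route into the VPC. The following is an added example, not code from the module's README, showing the same domain with both surfaces narrowed. It assumes the `module.vpc` and `module.opensearch_kms_key` blocks shown above, that `module.vpc` exposes a `vpc_cidr_block` output (as terraform-aws-modules/vpc does), a hypothetical `aws_security_group.app` attached to the application's instances, and a hypothetical variable `app_role_arns` listing the IAM roles allowed to call the domain.

```hcl
# Added example (not the module's own code). Assumes module.vpc,
# module.opensearch_kms_key, aws_security_group.app (hypothetical) and
# var.app_role_arns (hypothetical) exist in the root module.

variable "app_role_arns" {
  description = "IAM role ARNs permitted to send requests to the domain (hypothetical input)."
  type        = list(string)
}

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
data "aws_region" "current" {}

locals {
  domain_name = format("app-%s-%s", var.application, var.environment)
  # The module builds the same ARN internally; it is recomputed here so the
  # resource policy can be written before the domain exists.
  domain_arn = format(
    "arn:%s:es:%s:%s:domain/%s",
    data.aws_partition.current.partition,
    data.aws_region.current.name,
    data.aws_caller_identity.current.account_id,
    local.domain_name,
  )
}

# Resource (domain) policy: only the listed roles may call the HTTP API,
# and only against this domain. Requests from any other principal are
# rejected even if they are network-reachable.
data "aws_iam_policy_document" "opensearch_access" {
  statement {
    effect = "Allow"
    actions = [
      "es:ESHttpGet",
      "es:ESHttpHead",
      "es:ESHttpPost",
      "es:ESHttpPut",
      "es:ESHttpDelete",
    ]
    resources = ["${local.domain_arn}/*"]
    principals {
      type        = "AWS"
      identifiers = var.app_role_arns
    }
  }
}

module "opensearch_domain" {
  source = "dod-iac/opensearch-domain/aws"

  name            = local.domain_name
  kms_key_arn     = module.opensearch_kms_key.aws_kms_key_arn
  access_policies = data.aws_iam_policy_document.opensearch_access.json

  # Network layer: reference the application's security group rather than
  # a broad CIDR; the VPC CIDR is used (instead of 0.0.0.0/0) only for
  # sources that cannot carry a security group.
  ingress_security_groups = [aws_security_group.app.id]
  ingress_cidr_blocks     = [module.vpc.vpc_cidr_block]

  subnet_ids = slice(module.vpc.private_subnets, 0, 1)
  vpc_id     = module.vpc.vpc_id

  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```

Both layers are needed: the security group decides who can open a TCP connection to the endpoint, the resource policy decides whose SigV4-signed requests the service will honour once connected. Callers listed in `app_role_arns` still need a matching identity-based policy on their own role, since the resource policy alone does not grant them permissions.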
The IAM service-linked role for Amazon OpenSearch Service must exist in the account before a domain can be created. An account holds at most one such role, so if it does not exist yet create it with the following resource; if it already exists (for example because a domain was created from the console earlier), import it into state by its ARN instead of declaring it anew, otherwise the apply fails on the duplicate.

```hcl
# Creates AWSServiceRoleForAmazonOpenSearchService, the role the service
# assumes to place ENIs in your VPC subnets. One per account.
resource "aws_iam_service_linked_role" "main" {
  aws_service_name = "opensearchservice.amazonaws.com"
}
```
This module requires Terraform 0.13 or later; Terraform 0.11 and 0.12 are not supported. Pin the module version with `version = "~> 1.0.0"`. Submit pull requests against the main branch.
This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.
Requirements:

| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | >= 4.26.0, < 5.0 |

Providers:

| Name | Version |
|---|---|
| aws | >= 4.26.0, < 5.0 |

No modules.

Resources created or read by this module:

| Name | Type |
|---|---|
| aws_opensearch_domain.main | resource |
| aws_security_group.main | resource |
| aws_security_group_rule.egress | resource |
| aws_security_group_rule.ingress_cidr_blocks | resource |
| aws_security_group_rule.ingress_security_groups | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.access_policies | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_policies | IAM policy document (JSON) specifying the access policies for the domain. If not specified, access is open to all principals and only network reachability limits who can call the domain. | string | "" | no |
| automated_snapshot_start_hour | Hour (UTC) during which the service takes an automated daily snapshot of the indices in the domain. | string | 23 | no |
| cold_enabled | Enable cold storage for the domain to store infrequently accessed or historical data. Requires dedicated_master_enabled and warm_enabled to also be true. | bool | false | no |
| dedicated_master_count | Number of dedicated master nodes in the cluster. The value must be 3 or 5. For production domains, 3 is recommended. | number | 3 | no |
| dedicated_master_enabled | Use dedicated master nodes with the Amazon OpenSearch Service domain. | bool | false | no |
| dedicated_master_instance_type | Instance type of the dedicated master nodes in the cluster. If not provided, defaults to the value of the instance_type variable. | string | "" | no |
| engine_version | Either Elasticsearch_X.Y or OpenSearch_X.Y to specify the engine version for the domain. For example, OpenSearch_1.3 or Elasticsearch_7.9. | string | "OpenSearch_1.3" | no |
| fielddata_cache_size | Percentage of JVM heap space allocated to fielddata. The value must be a number between 0 and 100. | number | 20 | no |
| ingress_cidr_blocks | CIDR blocks allowed to reach the domain's HTTPS endpoint through its security group. Because the domain lives in a VPC, ["0.0.0.0/0"] admits every source that can route to the domain's subnets (the whole VPC plus any peered VPC, VPN or Transit Gateway attachment); prefer the VPC CIDR or ingress_security_groups. | list(string) | [] | no |
| ingress_security_groups | EC2 security group IDs allowed to reach the domain. | list(string) | [] | no |
| instance_count | Number of data node instances in the cluster. | number | 1 | no |
| instance_type | Instance type of data nodes in the cluster. | string | "r6g.large.search" | no |
| kms_key_arn | ARN of the KMS key used to encrypt the domain at rest. If not specified, the AWS-managed aws/es key is used. | string | "" | no |
| max_clause_count | Maximum number of boolean clauses allowed in a query. Must be between 1 and 2147483647. | number | 1024 | no |
| name | Name of the Amazon OpenSearch Service domain. | string | n/a | yes |
| security_group_name | Name of the EC2 security group created for the domain. Defaults to opensearch-[name]. | string | "" | no |
| subnet_ids | VPC subnet IDs in which the domain's endpoints (ENIs) are created. | list(string) | [] | no |
| tags | Tags applied to the Amazon OpenSearch Service domain. | map(string) | {} | no |
| tls_security_policy | TLS security policy applied to the HTTPS endpoint. Valid values: Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07. Keep the TLS 1.2 minimum unless a legacy client forces otherwise. | string | "Policy-Min-TLS-1-2-2019-07" | no |
| volume_iops | Baseline I/O performance (IOPS) of EBS volumes attached to data nodes. Applicable only to the gp3 volume type. Valid values are between 3000 and 16000. | number | 3000 | no |
| volume_size | Size (in GB) of EBS volumes attached to data nodes. | number | 20 | no |
| volume_throughput | Throughput (in MiB/s) of EBS volumes attached to data nodes. Applicable only to the gp3 volume type. Valid values are between 125 and 1000. | number | 125 | no |
| volume_type | Type of EBS volumes attached to data nodes. | string | "gp3" | no |
| vpc_id | ID of the VPC in which the domain's security group is created. | string | n/a | yes |
| warm_count | Number of UltraWarm nodes in the cluster. Valid values are between 2 and 150. | number | 3 | no |
| warm_enabled | Enable UltraWarm data nodes for the domain to economically retain large amounts of data. | bool | false | no |
| warm_instance_type | Instance type for the domain's warm nodes. Valid values are ultrawarm1.medium.search, ultrawarm1.large.search and ultrawarm1.xlarge.search. | string | "ultrawarm1.medium.search" | no |
Outputs:

| Name | Description |
|---|---|
| arn | ARN of the Amazon OpenSearch Service domain. |
| endpoint | Domain-specific endpoint (hostname, without the https scheme) used to submit index, search and data upload requests. |
| id | ID of the Amazon OpenSearch Service domain. |
| kibana_endpoint | Domain-specific endpoint for Kibana (OpenSearch Dashboards on OpenSearch engines), without the https scheme. |
| name | Name of the Amazon OpenSearch Service domain. |
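The `arn` and `endpoint` outputs are what a consumer of the domain needs: the ARN to scope an identity-based IAM policy, the endpoint to configure the client. The following is an added example, not code from the module's README, that builds a least-privilege policy for an application role from those outputs. It assumes the `module.opensearch_domain` block from the usage example above and a hypothetical `aws_iam_role.app` that the application runs as.

```hcl
# Added example (not the module's own code). Assumes module.opensearch_domain
# from the usage example and a hypothetical aws_iam_role.app.

# Identity-based policy for the application role. The domain ARN is a
# prefix for index-level resources, so access is scoped to the
# application's own index prefix rather than the whole domain.
data "aws_iam_policy_document" "app_opensearch" {
  statement {
    sid    = "ReadWriteAppIndices"
    effect = "Allow"
    actions = [
      "es:ESHttpGet",
      "es:ESHttpHead",
      "es:ESHttpPost",
      "es:ESHttpPut",
    ]
    # Only indices whose names start with "app-" (hypothetical naming scheme).
    resources = ["${module.opensearch_domain.arn}/app-*"]
  }

  statement {
    sid       = "DescribeOwnDomain"
    effect    = "Allow"
    actions   = ["es:DescribeDomain", "es:DescribeDomainConfig"]
    resources = [module.opensearch_domain.arn]
  }
}

resource "aws_iam_policy" "app_opensearch" {
  name   = format("app-%s-%s-opensearch", var.application, var.environment)
  policy = data.aws_iam_policy_document.app_opensearch.json
}

resource "aws_iam_role_policy_attachment" "app_opensearch" {
  role       = aws_iam_role.app.name
  policy_arn = aws_iam_policy.app_opensearch.arn
}

# Hand the client a full URL. The host resolves only to private addresses
# inside the VPC, so the application must run there (or reach it through a
# proxy in the VPC).
output "opensearch_url" {
  value = format("https://%s", module.opensearch_domain.endpoint)
}
```

Note that `es:ESHttpDelete` is deliberately left out of the application's policy; index deletion is an operator action and belongs on a separate role. If the domain's `access_policies` input restricts principals, the application role must also appear there, because the resource policy and the identity policy are evaluated together.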