feat: parameterize additional opensearch domain options (#28)

* Add advanced_options * Parameterize advanced_security_options * Add cognito options * Parameterize access_policies * Add defaults for advanced_options --------- Co-authored-by: Evan Stachowiak <evan.stachowiak@shiftmarkets.com> Co-authored-by: Steve Teuber <steve.teuber@idealo.de>
idealo · May 4, 2023 · 26ffc86 · 26ffc86
1 parent ad5ab44
commit 26ffc86
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 6 deletions.
diff --git a/locals.tf b/locals.tf
@@ -1,4 +1,9 @@
 locals {
+  advanced_options_defaults = {
+    "override_main_response_version"         = "true",
+    "rest.action.multi.allow_explicit_index" = "true",
+  }
+
   indices = merge({
     for filename in var.index_files :
     replace(basename(filename), "/\\.(ya?ml|json)$/", "") =>

diff --git a/main.tf b/main.tf
@@ -24,7 +24,8 @@ resource "aws_iam_service_linked_role" "es" {
 resource "aws_elasticsearch_domain" "opensearch" {
   domain_name           = var.cluster_name
   elasticsearch_version = "OpenSearch_${var.cluster_version}"
-  access_policies       = data.aws_iam_policy_document.access_policy.json
+  access_policies       = var.access_policies != null ? var.access_policies : data.aws_iam_policy_document.access_policy.json
+  advanced_options      = merge(local.advanced_options_defaults, var.advanced_options)
 
   cluster_config {
     dedicated_master_enabled = var.master_instance_enabled
@@ -48,12 +49,15 @@ resource "aws_elasticsearch_domain" "opensearch" {
     }
   }
 
-  advanced_security_options {
-    enabled                        = true
-    internal_user_database_enabled = false
+  dynamic "advanced_security_options" {
+    for_each = var.advanced_security_options_enabled ? [true] : []
+    content {
+      enabled                        = var.advanced_security_options_enabled
+      internal_user_database_enabled = false
 
-    master_user_options {
-      master_user_arn = (var.master_user_arn != "") ? var.master_user_arn : data.aws_caller_identity.current.arn
+      master_user_options {
+        master_user_arn = (var.master_user_arn != "") ? var.master_user_arn : data.aws_caller_identity.current.arn
+      }
     }
   }
 
@@ -94,6 +98,16 @@ resource "aws_elasticsearch_domain" "opensearch" {
     }
   }
 
+  dynamic "cognito_options" {
+    for_each = var.cognito_options_enabled ? [true] : []
+    content {
+      enabled          = true
+      identity_pool_id = var.cognito_options.identity_pool_id
+      role_arn         = var.cognito_options.role_arn
+      user_pool_id     = var.cognito_options.user_pool_id
+    }
+  }
+
   tags = var.tags
 
   depends_on = [aws_iam_service_linked_role.es]

diff --git a/variables.tf b/variables.tf
@@ -270,3 +270,33 @@ variable "custom_endpoint_certificate_arn" {
   type        = string
   default     = ""
 }
+
+variable "advanced_options" {
+  description = "Key-value string pairs to specify advanced configuration options."
+  type        = map(string)
+  default     = {}
+}
+
+variable "advanced_security_options_enabled" {
+  description = "Whether advanced security is enabled."
+  type        = bool
+  default     = true
+}
+
+variable "cognito_options_enabled" {
+  description = "Whether Amazon Cognito authentication with Kibana is enabled or not."
+  type        = bool
+  default     = false
+}
+
+variable "cognito_options" {
+  description = "Configuration block for authenticating Kibana with Cognito."
+  type        = map(string)
+  default     = {}
+}
+
+variable "access_policies" {
+  description = "IAM policy document specifying the access policies for the domain."
+  type        = string
+  default     = null
+}