From 26ffc8647180809926442c5eead1a48a1b23c4d1 Mon Sep 17 00:00:00 2001
From: Evan Stachowiak
Date: Thu, 4 May 2023 12:17:56 +0200
Subject: [PATCH] feat: parameterize additional opensearch domain options (#28)

* Add advanced_options
* Parameterize advanced_security_options
* Add cognito options
* Parameterize access_policies
* Add defaults for advanced_options
---------
Co-authored-by: Evan Stachowiak
Co-authored-by: Steve Teuber
---
 locals.tf | 5 +++++
 main.tf | 26 ++++++++++++++++++++------
 variables.tf | 30 ++++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+), 6 deletions(-)

diff --git a/locals.tf b/locals.tf
index 205906c..e9c63f7 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,4 +1,9 @@
 locals {
+ advanced_options_defaults = {
+ "override_main_response_version" = "true",
+ "rest.action.multi.allow_explicit_index" = "true",
+ }
+
 indices = merge({ for filename in var.index_files : replace(basename(filename), "/\\.(ya?ml|json)$/", "") =>
diff --git a/main.tf b/main.tf
index cc4cbac..03fc149 100644
--- a/main.tf
+++ b/main.tf
@@ -24,7 +24,8 @@ resource "aws_iam_service_linked_role" "es" {
 resource "aws_elasticsearch_domain" "opensearch" {
 domain_name = var.cluster_name
 elasticsearch_version = "OpenSearch_${var.cluster_version}"
- access_policies = data.aws_iam_policy_document.access_policy.json
+ access_policies = var.access_policies != null ? var.access_policies : data.aws_iam_policy_document.access_policy.json
+ advanced_options = merge(local.advanced_options_defaults, var.advanced_options)
 cluster_config {
 dedicated_master_enabled = var.master_instance_enabled
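Review bot: The two entries added to `advanced_options_defaults` change the domain's behaviour in ways a caller cannot see from the variable description, and the hunk carries no comment on why they are defaulted on. `rest.action.multi.allow_explicit_index = "true"` lets request bodies (bulk, msearch) name indices directly, which a resource policy scoped to index sub-resources cannot see, and `override_main_response_version = "true"` makes the domain report a legacy version string to clients. A short comment above the map would help, e.g. `# Merged underneath var.advanced_options (defaults first, so callers can override); set rest.action.multi.allow_explicit_index to "false" when index-level access is enforced by the resource policy.` The merge order in main.tf is what makes that override possible, so the comment should say so.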
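Review bot: The new `access_policies` expression applies a caller-supplied policy string verbatim and drops the module-generated `data.aws_iam_policy_document.access_policy` entirely, with nothing checking that the string is a JSON policy document. A malformed document therefore surfaces only at apply time, when the API rejects it. I would note this on the line, `# A caller-supplied policy replaces (does not extend) the generated one and is sent as-is.`, and in variables.tf guard the input with `condition = var.access_policies == null || can(jsondecode(var.access_policies))` inside a validation block, if the module's required Terraform version supports one. The resource block continues beyond this hunk.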
@@ -48,12 +49,15 @@ resource "aws_elasticsearch_domain" "opensearch" {
 }
 }
- advanced_security_options {
- enabled = true
- internal_user_database_enabled = false
+ dynamic "advanced_security_options" {
+ for_each = var.advanced_security_options_enabled ? [true] : []
+ content {
+ enabled = var.advanced_security_options_enabled
+ internal_user_database_enabled = false
- master_user_options {
- master_user_arn = (var.master_user_arn != "") ? var.master_user_arn : data.aws_caller_identity.current.arn
+ master_user_options {
+ master_user_arn = (var.master_user_arn != "") ? var.master_user_arn : data.aws_caller_identity.current.arn
+ }
 }
 }
@@ -94,6 +98,16 @@ resource "aws_elasticsearch_domain" "opensearch" {
 }
 }
+ dynamic "cognito_options" {
+ for_each = var.cognito_options_enabled ? [true] : []
+ content {
+ enabled = true
+ identity_pool_id = var.cognito_options.identity_pool_id
+ role_arn = var.cognito_options.role_arn
+ user_pool_id = var.cognito_options.user_pool_id
+ }
+ }
+
 tags = var.tags
 depends_on = [aws_iam_service_linked_role.es]
diff --git a/variables.tf b/variables.tf
index 95138a3..bb19cae 100644
--- a/variables.tf
+++ b/variables.tf
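Review bot: Inside the `content` block, `enabled = var.advanced_security_options_enabled` can only ever be true, because `for_each` emits the block solely when that variable is true; `enabled = true` states what actually happens. More importantly, when the variable is false the whole `advanced_security_options` block disappears, so `var.master_user_arn` silently has no effect and the domain is protected only by the resource policy; as far as I know AWS does not allow fine-grained access control to be switched off once it has been enabled on a domain, so flipping the flag on an existing domain is likely to fail at apply rather than weaken it quietly. Both consequences belong in the variable's description in variables.tf, which currently reads only "Whether advanced security is enabled." The enclosing resource starts and ends outside this hunk.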
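Review bot: `var.cognito_options.identity_pool_id`, `.role_arn` and `.user_pool_id` are indexed on a `map(string)` whose default is `{}`, so setting `cognito_options_enabled = true` without all three keys fails at plan with an "Invalid index" error that never mentions Cognito. The flag and the map are also independent, so a populated map with the flag left false is silently ignored. A validation on `cognito_options` in the variables.tf hunk below would report the missing keys with a clear message (it cannot reference the flag, since a validation condition only sees its own variable, and `alltrue` needs a Terraform version that provides it); the dynamic block itself can stay as written. The enclosing resource starts before this hunk.
```hcl
variable "cognito_options" {
  # … unchanged: description, type, default …

  validation {
    condition = length(var.cognito_options) == 0 || alltrue([
      for k in ["identity_pool_id", "role_arn", "user_pool_id"] : contains(keys(var.cognito_options), k)
    ])
    error_message = "cognito_options must be empty or contain identity_pool_id, role_arn and user_pool_id."
  }
}
```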
@@ -270,3 +270,33 @@ variable "custom_endpoint_certificate_arn" {
 type = string
 default = ""
 }
+
+variable "advanced_options" {
+ description = "Key-value string pairs to specify advanced configuration options."
+ type = map(string)
+ default = {}
+}
+
+variable "advanced_security_options_enabled" {
+ description = "Whether advanced security is enabled."
+ type = bool
+ default = true
+}
+
+variable "cognito_options_enabled" {
+ description = "Whether Amazon Cognito authentication with Kibana is enabled or not."
+ type = bool
+ default = false
+}
+
+variable "cognito_options" {
+ description = "Configuration block for authenticating Kibana with Cognito."
+ type = map(string)
+ default = {}
+}
+
+variable "access_policies" {
+ description = "IAM policy document specifying the access policies for the domain."
+ type = string
+ default = null
+}
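Review bot: The description of `advanced_options` does not tell callers that the module merges its own defaults (`override_main_response_version` and `rest.action.multi.allow_explicit_index`, both "true") underneath the map, nor that supplying the same key overrides them; I would extend it to `description = "Advanced configuration options, merged over the module defaults for override_main_response_version and rest.action.multi.allow_explicit_index (both \"true\"); supply the same key to override."`. `access_policies` likewise deserves a sentence saying that a non-null value replaces the module-generated policy outright rather than extending it. The `advanced_security_options_enabled` description should state that false removes the master user configuration, so `master_user_arn` is ignored and the domain is protected only by the resource policy.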