From ee8c8c744061d8553564379c69f9a7bb5e5fea0a Mon Sep 17 00:00:00 2001 From: Giuseppe Misurelli Date: Fri, 6 Jan 2023 14:22:37 +0100 Subject: [PATCH] feat(module): add support to customize vpc and ebs options * feat(saml): add support to disable SAML authentication * feat(acm): add support to an existing ACM certificate * feat(vpc): add support to customize vpc options * feat(ebs): add support to customize ebs options * docs(readme): update prerequisites and input variables Co-authored-by: Giuseppe Misurelli Co-authored-by: misurellig Co-authored-by: Steve Teuber --- README.md | 16 ++++++++++--- main.tf | 28 +++++++++++++++++++++- variables.tf | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 104 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 76c7921..72833be 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ Terraform module to provision an OpenSearch cluster with SAML authentication. ## Prerequisites - A [hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html) to route traffic to your OpenSearch domain -- An [entityID and metadata XML](https://aws.amazon.com/de/blogs/security/configure-saml-single-sign-on-for-kibana-with-ad-fs-on-amazon-elasticsearch-service/) from your SAML identity provider +- An [entityID and metadata XML](https://aws.amazon.com/de/blogs/security/configure-saml-single-sign-on-for-kibana-with-ad-fs-on-amazon-elasticsearch-service/) from your SAML identity provider (in case `saml_enabled = true`) ## Features @@ -111,6 +111,12 @@ Here is a working example of using this Terraform module: | [cluster\_name](#input\_cluster\_name) | The name of the OpenSearch cluster. | `string` | `"opensearch"` | no | | [cluster\_version](#input\_cluster\_version) | The version of OpenSearch to deploy. | `string` | `"1.0"` | no | | [create\_service\_role](#input\_create\_service\_role) | Indicates whether to create the service-linked role. See https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html | `bool` | `true` | no | +| [custom\_endpoint\_certificate\_arn](#input\_custom\_endpoint\_certificate\_arn) | The ARN of the custom ACM certificate. | `string` | `""` | no | +| [ebs\_enabled](#input\_ebs\_enabled) | Indicates whether attach EBS volumes to the data nodes. | `bool` | `false` | no | +| [ebs\_iops](#input\_ebs\_iops) | The baseline input/output (I/O) performance of EBS volumes attached to data nodes. | `number` | `3000` | no | +| [ebs\_throughput](#input\_ebs\_throughput) | The throughput (in MiB/s) of the EBS volumes attached to data nodes. Valid values are between 125 and 1000. | `number` | `125` | no | +| [ebs\_volume\_size](#input\_ebs\_volume\_size) | The size of EBS volumes attached to data nodes (in GiB). | `number` | `10` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | The type of EBS volumes attached to data nodes. | `string` | `"gp3"` | no | | [encrypt\_kms\_key\_id](#input\_encrypt\_kms\_key\_id) | The KMS key ID to encrypt the OpenSearch cluster with. If not specified, then it defaults to using the AWS OpenSearch Service KMS key. | `string` | `""` | no | | [hot\_instance\_count](#input\_hot\_instance\_count) | The number of dedicated hot nodes in the cluster. | `number` | `3` | no | | [hot\_instance\_type](#input\_hot\_instance\_type) | The type of EC2 instances to run for each hot node. A list of available instance types can you find at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing | `string` | `"r6gd.4xlarge.elasticsearch"` | no | @@ -128,14 +134,18 @@ Here is a working example of using this Terraform module: | [role\_mapping\_files](#input\_role\_mapping\_files) | A set of all role mapping files to create. | `set(string)` | `[]` | no | | [role\_mappings](#input\_role\_mappings) | A map of all role mappings to create. | `map(any)` | `{}` | no | | [roles](#input\_roles) | A map of all roles to create. | `map(any)` | `{}` | no | -| [saml\_entity\_id](#input\_saml\_entity\_id) | The unique Entity ID of the application in SAML Identity Provider. | `string` | n/a | yes | +| [saml\_enabled](#input\_saml\_enabled) | Indicates whether to configure SAML for the OpenSearch dashboard. | `bool` | `true` | no | +| [saml\_entity\_id](#input\_saml\_entity\_id) | The unique Entity ID of the application in SAML Identity Provider. | `string` | `""` | no | | [saml\_master\_backend\_role](#input\_saml\_master\_backend\_role) | This backend role receives full permissions to the cluster, equivalent to a new master role, but can only use those permissions within Dashboards. | `string` | `null` | no | | [saml\_master\_user\_name](#input\_saml\_master\_user\_name) | This username receives full permissions to the cluster, equivalent to a new master user, but can only use those permissions within Dashboards. | `string` | `null` | no | -| [saml\_metadata\_content](#input\_saml\_metadata\_content) | The metadata of the SAML application in xml format. | `string` | n/a | yes | +| [saml\_metadata\_content](#input\_saml\_metadata\_content) | The metadata of the SAML application in xml format. | `string` | `""` | no | | [saml\_roles\_key](#input\_saml\_roles\_key) | Element of the SAML assertion to use for backend roles. | `string` | `"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"` | no | | [saml\_session\_timeout](#input\_saml\_session\_timeout) | Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440. | `number` | `60` | no | | [saml\_subject\_key](#input\_saml\_subject\_key) | Element of the SAML assertion to use for username. | `string` | `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"` | no | +| [security\_group\_ids](#input\_security\_group\_ids) | The list of VPC security groups IDs to attach. | `list(string)` | `[]` | no | +| [subnet\_ids](#input\_subnet\_ids) | The list of VPC subnet IDs to use. | `list(string)` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [vpc\_enabled](#input\_vpc\_enabled) | Indicates whether the cluster is running inside a VPC. | `bool` | `false` | no | | [warm\_instance\_count](#input\_warm\_instance\_count) | The number of dedicated warm nodes in the cluster. | `number` | `3` | no | | [warm\_instance\_enabled](#input\_warm\_instance\_enabled) | Indicates whether ultrawarm nodes are enabled for the cluster. | `bool` | `true` | no | | [warm\_instance\_type](#input\_warm\_instance\_type) | The type of EC2 instances to run for each warm node. A list of available instance types can you find at https://aws.amazon.com/en/elasticsearch-service/pricing/#UltraWarm_pricing | `string` | `"ultrawarm1.large.elasticsearch"` | no | diff --git a/main.tf b/main.tf index 26f1b7d..5567f96 100644 --- a/main.tf +++ b/main.tf @@ -1,4 +1,10 @@ +moved { + from = module.acm + to = module.acm[0] +} + module "acm" { + count = (var.custom_endpoint_certificate_arn != "") ? 0 : 1 source = "terraform-aws-modules/acm/aws" version = "~> 4.0.1" @@ -57,7 +63,7 @@ resource "aws_elasticsearch_domain" "opensearch" { custom_endpoint_enabled = true custom_endpoint = "${var.cluster_name}.${data.aws_route53_zone.opensearch.name}" - custom_endpoint_certificate_arn = module.acm.acm_certificate_arn + custom_endpoint_certificate_arn = (var.custom_endpoint_certificate_arn != "") ? var.custom_endpoint_certificate_arn : module.acm[0].acm_certificate_arn } node_to_node_encryption { @@ -69,12 +75,32 @@ resource "aws_elasticsearch_domain" "opensearch" { kms_key_id = var.encrypt_kms_key_id } + dynamic "vpc_options" { + for_each = var.vpc_enabled ? [true] : [] + content { + security_group_ids = var.security_group_ids + subnet_ids = var.subnet_ids + } + } + + dynamic "ebs_options" { + for_each = var.ebs_enabled ? [true] : [] + content { + ebs_enabled = true + volume_size = var.ebs_volume_size + volume_type = var.ebs_volume_type + throughput = var.ebs_throughput + iops = var.ebs_iops + } + } + tags = var.tags depends_on = [aws_iam_service_linked_role.es] } resource "aws_elasticsearch_domain_saml_options" "opensearch" { + count = var.saml_enabled ? 1 : 0 domain_name = aws_elasticsearch_domain.opensearch.domain_name saml_options { diff --git a/variables.tf b/variables.tf index 4ef81d7..d7de209 100644 --- a/variables.tf +++ b/variables.tf @@ -39,7 +39,7 @@ variable "master_instance_type" { default = "r6gd.large.elasticsearch" validation { - condition = can(regex("^[m3|r3|i3|i2|r6gd]", var.master_instance_type)) + condition = can(regex("^[t3|m3|r3|i3|i2|r6gd|c6g]", var.master_instance_type)) error_message = "The EC2 master_instance_type must provide a SSD or NVMe-based local storage." } } @@ -56,7 +56,7 @@ variable "hot_instance_type" { default = "r6gd.4xlarge.elasticsearch" validation { - condition = can(regex("^[m3|r3|i3|i2|r6gd]", var.hot_instance_type)) + condition = can(regex("^[t3|m3|r3|i3|i2|r6gd|c6g]", var.hot_instance_type)) error_message = "The EC2 hot_instance_type must provide a SSD or NVMe-based local storage." } } @@ -91,12 +91,66 @@ variable "availability_zones" { default = 3 } +variable "vpc_enabled" { + description = "Indicates whether the cluster is running inside a VPC." + type = bool + default = false +} + +variable "subnet_ids" { + description = "The list of VPC subnet IDs to use." + type = list(string) + default = [] +} + +variable "security_group_ids" { + description = "The list of VPC security groups IDs to attach." + type = list(string) + default = [] +} + +variable "ebs_enabled" { + description = "Indicates whether attach EBS volumes to the data nodes." + type = bool + default = false +} + +variable "ebs_volume_size" { + description = "The size of EBS volumes attached to data nodes (in GiB)." + type = number + default = 10 +} + +variable "ebs_volume_type" { + description = "The type of EBS volumes attached to data nodes." + type = string + default = "gp3" +} + +variable "ebs_throughput" { + description = "The throughput (in MiB/s) of the EBS volumes attached to data nodes. Valid values are between 125 and 1000." + type = number + default = 125 +} + +variable "ebs_iops" { + description = "The baseline input/output (I/O) performance of EBS volumes attached to data nodes." + type = number + default = 3000 +} + variable "encrypt_kms_key_id" { description = "The KMS key ID to encrypt the OpenSearch cluster with. If not specified, then it defaults to using the AWS OpenSearch Service KMS key." type = string default = "" } +variable "saml_enabled" { + description = "Indicates whether to configure SAML for the OpenSearch dashboard." + type = bool + default = true +} + variable "saml_subject_key" { description = "Element of the SAML assertion to use for username." type = string @@ -112,11 +166,13 @@ variable "saml_roles_key" { variable "saml_entity_id" { description = "The unique Entity ID of the application in SAML Identity Provider." type = string + default = "" } variable "saml_metadata_content" { description = "The metadata of the SAML application in xml format." type = string + default = "" } variable "saml_session_timeout" { @@ -202,3 +258,9 @@ variable "tags" { type = map(string) default = {} } + +variable "custom_endpoint_certificate_arn" { + description = "The ARN of the custom ACM certificate." + type = string + default = "" +}