-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathopensearch.tf
108 lines (91 loc) · 3.28 KB
/
opensearch.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
resource "aws_opensearch_domain" "main" {
domain_name = "${module.generator.prefix_region}-os"
engine_version = "OpenSearch_1.3"
access_policies = templatefile("${path.module}/templates/policies/opensearch_policy.pol.tpl", {
aws_account_id = data.aws_caller_identity.current.account_id
aws_region = var.region
os_domain_name = "${module.generator.prefix_region}-os"
})
auto_tune_options {
desired_state = "ENABLED"
# maintenance_schedule {
# cron_expression_for_recurrence = ""
# start_at = ""
# duration {
# unit = "1"
# value = 2
# }
# }
rollback_on_disable = "NO_ROLLBACK"
}
node_to_node_encryption {
enabled = true
}
domain_endpoint_options {
custom_endpoint_enabled = true
custom_endpoint = "kibana.${var.route53_domain}"
custom_endpoint_certificate_arn = aws_acm_certificate.opensearch_acm.arn
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
encrypt_at_rest {
enabled = true
kms_key_id = aws_kms_alias.s3_env_key_alias.target_key_id
}
advanced_security_options {
enabled = true
internal_user_database_enabled = true
# TODO: we have to create a secret firstly, and,only after, we can create opensearch
master_user_options {
master_user_name = (lookup(jsondecode(data.aws_secretsmanager_secret_version.opensearch_user_credentials.secret_string), "opensearch_username", null))
master_user_password = (lookup(jsondecode(data.aws_secretsmanager_secret_version.opensearch_user_credentials.secret_string), "opensearch_password", null))
}
}
cluster_config {
instance_type = "c6g.large.search"
warm_enabled = false
instance_count = local.opensearch_instance_count
# zone_awareness_config {
# availability_zone_count = 2
# }
}
ebs_options {
volume_type = "gp3"
ebs_enabled = true
volume_size = 256
iops = 3000
}
tags = module.generator.common_tags
}
resource "aws_route53_record" "opensearch" {
zone_id = data.aws_route53_zone.selected.zone_id
name = "kibana.${var.route53_domain}"
allow_overwrite = true
type = "CNAME"
ttl = "60"
records = [aws_opensearch_domain.main.endpoint]
}
resource "aws_sns_topic" "opensearch_alerts" {
name = "${module.generator.prefix}-opensearch-alerts"
}
resource "aws_sns_topic_subscription" "cid-checker-team" {
topic_arn = aws_sns_topic.opensearch_alerts.arn
protocol = "email"
endpoint = "[email protected]"
}
resource "aws_iam_role" "opensearch_alerts" {
name = "${module.generator.prefix}-opensearch-alerts"
description = "${module.generator.prefix}-opensearch-alerts"
assume_role_policy = file("${path.module}/templates/roles/opensearch_role.pol.tpl")
tags = merge(
{
"Name" = "${module.generator.prefix}-opensearch-alerts"
},
module.generator.common_tags
)
}
resource "aws_iam_role_policy" "opensearch_alerts" {
name = "${terraform.workspace}-opensearch-alerts"
role = aws_iam_role.opensearch_alerts.id
policy = file("${path.module}/templates/policies/opensearch_sns_policy.pol.tpl")
}