Skip to content

terraform-aws-modules/terraform-aws-opensearch

AWS OpenSearch Terraform module

Terraform module which creates AWS OpenSearch resources.

SWUbanner

Usage

See examples directory for working examples to reference:

module "opensearch" {
  source = "terraform-aws-modules/opensearch/aws"


  # Domain
  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
  }

  advanced_security_options = {
    enabled                        = false
    anonymous_auth_enabled         = true
    internal_user_database_enabled = true

    master_user_options = {
      master_user_name     = "example"
      master_user_password = "Barbarbarbar1!"
    }
  }

  auto_tune_options = {
    desired_state = "ENABLED"

    maintenance_schedule = [
      {
        start_at                       = "2028-05-13T07:44:12Z"
        cron_expression_for_recurrence = "cron(0 0 ? * 1 *)"
        duration = {
          value = "2"
          unit  = "HOURS"
        }
      }
    ]

    rollback_on_disable = "NO_ROLLBACK"
  }

  cluster_config = {
    instance_count           = 3
    dedicated_master_enabled = true
    dedicated_master_type    = "c6g.large.search"
    instance_type            = "r6g.large.search"

    zone_awareness_config = {
      availability_zone_count = 3
    }

    zone_awareness_enabled = true
  }

  domain_endpoint_options = {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  domain_name = local.name

  ebs_options = {
    ebs_enabled = true
    iops        = 3000
    throughput  = 125
    volume_type = "gp3"
    volume_size = 20
  }

  encrypt_at_rest = {
    enabled = true
  }

  engine_version = "OpenSearch_2.11"

  log_publishing_options = [
    { log_type = "INDEX_SLOW_LOGS" },
    { log_type = "SEARCH_SLOW_LOGS" },
  ]

  node_to_node_encryption = {
    enabled = true
  }

  software_update_options = {
    auto_software_update_enabled = true
  }

  vpc_options = {
    subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
  }

  # VPC endpoint
  vpc_endpoints = {
    one = {
      subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
    }
  }

  # Access policy
  access_policy_statements = [
    {
      effect = "Allow"

      principals = [{
        type        = "*"
        identifiers = ["*"]
      }]

      actions = ["es:*"]

      condition = [{
        test     = "IpAddress"
        variable = "aws:SourceIp"
        values   = ["127.0.0.1/32"]
      }]
    }
  ]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Requirements

Name Version
terraform >= 1.0
aws >= 5.64

Providers

Name Version
aws >= 5.64

Modules

No modules.

Resources

Name Type
aws_cloudwatch_log_group.this resource
aws_cloudwatch_log_resource_policy.this resource
aws_opensearch_domain.this resource
aws_opensearch_domain_policy.this resource
aws_opensearch_domain_saml_options.this resource
aws_opensearch_outbound_connection.this resource
aws_opensearch_package_association.this resource
aws_opensearch_vpc_endpoint.this resource
aws_security_group.this resource
aws_vpc_security_group_egress_rule.this resource
aws_vpc_security_group_ingress_rule.this resource
aws_caller_identity.current data source
aws_iam_policy_document.cloudwatch data source
aws_iam_policy_document.this data source
aws_iam_session_context.current data source
aws_partition.current data source
aws_region.current data source
aws_subnet.this data source

Inputs

Name Description Type Default Required
access_policies IAM policy document specifying the access policies for the domain. Required if create_access_policy is false string null no
access_policy_override_policy_documents List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid list(string) [] no
access_policy_source_policy_documents List of IAM policy documents that are merged together into the exported document. Statements must have unique sids list(string) [] no
access_policy_statements A map of IAM policy statements for custom permission usage any {} no
advanced_options Key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply map(string) {} no
advanced_security_options Configuration block for fine-grained access control any
{
"anonymous_auth_enabled": false,
"enabled": true
}
no
auto_tune_options Configuration block for the Auto-Tune options of the domain any
{
"desired_state": "ENABLED",
"rollback_on_disable": "NO_ROLLBACK"
}
no
cloudwatch_log_group_class Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS string null no
cloudwatch_log_group_kms_key_id If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) string null no
cloudwatch_log_group_retention_in_days Number of days to retain log events number 60 no
cloudwatch_log_group_skip_destroy Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state bool null no
cloudwatch_log_resource_policy_name Name of the resource policy for OpenSearch to log to CloudWatch string null no
cluster_config Configuration block for the cluster of the domain any
{
"dedicated_master_enabled": true
}
no
cognito_options Configuration block for authenticating Kibana with Cognito any {} no
create Determines whether resources will be created (affects all resources) bool true no
create_access_policy Determines whether an access policy will be created bool true no
create_cloudwatch_log_groups Determines whether log groups are created bool true no
create_cloudwatch_log_resource_policy Determines whether a resource policy will be created for OpenSearch to log to CloudWatch bool true no
create_saml_options Determines whether SAML options will be created bool false no
create_security_group Determines if a security group is created bool true no
domain_endpoint_options Configuration block for domain endpoint HTTP(S) related options any
{
"enforce_https": true,
"tls_security_policy": "Policy-Min-TLS-1-2-2019-07"
}
no
domain_name Name of the domain string "" no
ebs_options Configuration block for EBS related options, may be required based on chosen instance size any
{
"ebs_enabled": true,
"volume_size": 64,
"volume_type": "gp3"
}
no
enable_access_policy Determines whether an access policy will be applied to the domain bool true no
encrypt_at_rest Configuration block for encrypting at rest any
{
"enabled": true
}
no
engine_version Version of the OpenSearch engine to use string null no
ip_address_type The IP address type for the endpoint. Valid values are ipv4 and dualstack string null no
log_publishing_options Configuration block for publishing slow and application logs to CloudWatch Logs. This block can be declared multiple times, for each log_type, within the same resource any
[
{
"log_type": "INDEX_SLOW_LOGS"
},
{
"log_type": "SEARCH_SLOW_LOGS"
}
]
no
node_to_node_encryption Configuration block for node-to-node encryption options any
{
"enabled": true
}
no
off_peak_window_options Configuration to add Off Peak update options any
{
"enabled": true,
"off_peak_window": {
"hours": 7
}
}
no
outbound_connections Map of AWS OpenSearch outbound connections to create any {} no
package_associations Map of package association IDs to associate with the domain map(string) {} no
saml_options SAML authentication options for an AWS OpenSearch Domain any {} no
security_group_description Description of the security group created string null no
security_group_name Name to use on security group created string null no
security_group_rules Security group ingress and egress rules to add to the security group created any {} no
security_group_tags A map of additional tags to add to the security group created map(string) {} no
security_group_use_name_prefix Determines whether the security group name (security_group_name) is used as a prefix bool true no
software_update_options Software update options for the domain any
{
"auto_software_update_enabled": true
}
no
tags A map of tags to add to all resources map(string) {} no
timeouts Create and delete timeout configurations for the domain map(string) {} no
vpc_endpoints Map of VPC endpoints to create for the domain any {} no
vpc_options Configuration block for VPC related options. Adding or removing this configuration forces a new resource (documentation) any {} no

Outputs

Name Description
cloudwatch_logs Map of CloudWatch log groups created and their attributes
domain_arn The Amazon Resource Name (ARN) of the domain
domain_dashboard_endpoint Domain-specific endpoint for Dashboard without https scheme
domain_dashboard_endpoint_v2 V2 domain endpoint for Dashboard that works with both IPv4 and IPv6 addresses, without https scheme
domain_endpoint Domain-specific endpoint used to submit index, search, and data upload requests
domain_endpoint_v2 V2 domain endpoint that works with both IPv4 and IPv6 addresses, used to submit index, search, and data upload requests
domain_id The unique identifier for the domain
outbound_connections Map of outbound connections created and their attributes
package_associations Map of package associations created and their attributes
security_group_arn Amazon Resource Name (ARN) of the security group
security_group_id ID of the security group
vpc_endpoints Map of VPC endpoints created and their attributes

License

Apache-2.0 Licensed. See LICENSE.