Terraform module to provision an OpenSearch cluster with SAML authentication.
- A hosted zone to route traffic to your OpenSearch domain
- An entityID and metadata XML from your SAML identity provider
- Create an AWS OpenSearch cluster with SAML authentication
- All node types with local NVMe for high IO performance are supported
- Create or manage various OpenSearch resources:
This example is using Azure AD as SAML identity provider.
```hcl
locals {
  cluster_name   = "opensearch"
  cluster_domain = "example.com"
  # Entity ID and federation metadata URL of the Azure AD enterprise application
  saml_entity_id    = "https://sts.windows.net/XXX-XXX-XXX-XXX-XXX/"
  saml_metadata_url = "https://login.microsoftonline.com/XXX-XXX-XXX-XXX-XXX/federationmetadata/2007-06/federationmetadata.xml?appid=YYY-YYY-YYY-YYY-YYY"
}

data "aws_region" "current" {}

# Fetch the IdP metadata XML at plan time so it can be passed to the module
data "http" "saml_metadata" {
  url = local.saml_metadata_url
}

provider "elasticsearch" {
  url                   = "https://${local.cluster_name}.${local.cluster_domain}"
  aws_region            = data.aws_region.current.name
  elasticsearch_version = "7.10.2"
  healthcheck           = false
}

module "opensearch" {
  source = "idealo/opensearch/aws"

  cluster_name          = local.cluster_name
  cluster_domain        = local.cluster_domain
  cluster_version       = "1.0"
  saml_entity_id        = local.saml_entity_id
  saml_metadata_content = data.http.saml_metadata.body

  indices = {
    example-index = {
      number_of_shards   = 2
      number_of_replicas = 1
    }
  }
}
```
Here is a working example of using this Terraform module:
- Complete - Create an AWS OpenSearch cluster with all necessary resources.
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | > 4.0 |

| Name | Version |
|---|---|
| aws | > 4.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| advanced_options | Key-value string pairs to specify advanced configuration options. | map(string) | null | no |
| advanced_security_options_enabled | Indicates whether advanced security is enabled. | bool | false | no |
| advanced_security_options_internal_user_db | Indicates whether the internal user database is enabled. | bool | false | no |
| allow_cidrs | List of CIDRs allowed to connect to this cluster. | list(object({ | [] | no |
| allow_security_group_ids | List of security group IDs allowed to connect to this cluster. | list(object({ | [] | no |
| availability_zones | The number of availability zones for the OpenSearch cluster. Valid values: 1, 2 or 3. | number | 1 | no |
| cluster_domain | The hosted zone name of the OpenSearch cluster. | string | n/a | yes |
| cluster_hostname | The hostname of the OpenSearch cluster. | string | n/a | yes |
| cluster_name | The name of the OpenSearch cluster. | string | "opensearch" | no |
| cluster_version | The version of OpenSearch to deploy. | string | "1.1" | no |
| create_custom_endpoint | n/a | bool | true | no |
| create_service_role | Indicates whether to create the service-linked role. See https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html | bool | true | no |
| ebs_enabled | n/a | bool | true | no |
| ebs_iops | n/a | number | null | no |
| ebs_volume_size | n/a | number | 10 | no |
| ebs_volume_type | n/a | string | null | no |
| enable_saml_options | Whether to enable the SAML options. | string | true | no |
| encrypt_kms_key_id | The KMS key ID to encrypt the OpenSearch cluster with. If not specified, it defaults to the AWS OpenSearch Service KMS key. | string | "" | no |
| hot_instance_count | The number of dedicated hot nodes in the cluster. | number | 1 | no |
| hot_instance_type | The type of EC2 instances to run for each hot node. A list of available instance types can be found at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing | string | "r6gd.large.elasticsearch" | no |
| log_publishing_options | A list of maps containing log publishing options. | list(object({ | [] | no |
| log_publishing_options_cloudwatch_log_group_arn | n/a | string | null | no |
| log_publishing_options_enable | n/a | bool | null | no |
| log_publishing_options_log_type | n/a | string | null | no |
| master_instance_count | The number of dedicated master nodes in the cluster. | number | 1 | no |
| master_instance_enabled | Indicates whether dedicated master nodes are enabled for the cluster. | bool | true | no |
| master_instance_type | The type of EC2 instances to run for each master node. A list of available instance types can be found at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing | string | "r6gd.large.elasticsearch" | no |
| master_user_arn | The ARN of the master user of the cluster. If not specified, it defaults to the IAM user making the request. | string | "" | no |
| saml_entity_id | The unique Entity ID of the application in the SAML identity provider. | string | n/a | yes |
| saml_master_backend_role | SAML master backend role. | string | "" | no |
| saml_master_user_name | SAML master user name. | string | "" | no |
| saml_metadata_content | The metadata of the SAML application in XML format. | string | n/a | yes |
| saml_roles_key | Element of the SAML assertion to use for backend roles. | string | "" | no |
| saml_session_timeout | Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440. | number | 60 | no |
| saml_subject_key | Element of the SAML assertion to use for the username. | string | "" | no |
| subnets_id | List of subnet IDs. | list(string) | n/a | yes |
| tags | A map of tags to add to all resources. | map(string) | {} | no |
| vpc_id | The VPC ID. | string | n/a | yes |
| warm_instance_count | The number of dedicated warm nodes in the cluster. | number | 1 | no |
| warm_instance_enabled | Indicates whether UltraWarm nodes are enabled for the cluster. | bool | false | no |
| warm_instance_type | The type of EC2 instances to run for each warm node. A list of available instance types can be found at https://aws.amazon.com/en/elasticsearch-service/pricing/#UltraWarm_pricing | string | "ultrawarm1.large.elasticsearch" | no |
| Name | Description |
|---|---|
| cluster_endpoint | The endpoint URL of the OpenSearch cluster. |
| cluster_name | The name of the OpenSearch cluster. |
| cluster_version | The version of the OpenSearch cluster. |
| cluster_vpc_endpoint | The VPC endpoint URL of the OpenSearch cluster. |
| kibana_endpoint | The endpoint URL of Kibana. |
Apache 2 Licensed. See LICENSE for full details.