diff --git a/main.tf b/main.tf index d74910e..9c3cc81 100644 --- a/main.tf +++ b/main.tf @@ -77,6 +77,7 @@ locals { module.postgres_admin_login[*], module.redis_token[*], module.secret_key[*], + module.opensearch[0].secret_details, values(module.developer_managed_secrets), ) } diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf index 1ec18de..7d3e52a 100644 --- a/modules/opensearch/main.tf +++ b/modules/opensearch/main.tf @@ -96,14 +96,14 @@ resource "aws_opensearch_domain" "this" { } } - dedicated_master_count = try(cluster_config.value.dedicated_master_count, 3) - dedicated_master_enabled = try(cluster_config.value.dedicated_master_enabled, true) - dedicated_master_type = try(cluster_config.value.dedicated_master_type, "c6g.large.search") - instance_count = try(cluster_config.value.instance_count, 3) - instance_type = try(cluster_config.value.instance_type, "r6g.large.search") - warm_count = try(cluster_config.value.warm_count, null) - warm_enabled = try(cluster_config.value.warm_enabled, null) - warm_type = try(cluster_config.value.warm_type, null) + dedicated_master_count = try(cluster_config.value.dedicated_master_count, 3) + dedicated_master_enabled = try(cluster_config.value.dedicated_master_enabled, true) + dedicated_master_type = try(cluster_config.value.dedicated_master_type, "c6g.large.search") + instance_count = try(cluster_config.value.instance_count, 3) + instance_type = try(cluster_config.value.instance_type, "r6g.large.search") + warm_count = try(cluster_config.value.warm_count, null) + warm_enabled = try(cluster_config.value.warm_enabled, null) + warm_type = try(cluster_config.value.warm_type, null) dynamic "zone_awareness_config" { for_each = try([cluster_config.value.zone_awareness_config], []) 
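Review bot: `module.opensearch[0].secret_details` hard-indexes a module that the rest of this change addresses with a splat (`module.opensearch[*]` in opensearch.tf) and whose secret is gated on `var.elasticsearch_enabled`; if the module's own `count` follows that flag, `[0]` fails at plan time with an invalid index when OpenSearch is disabled, whereas the sibling entries use `[*]` and simply contribute nothing. Because `secret_details` is itself a list, the form that composes with the neighbours is `flatten(module.opensearch[*].secret_details),`. The enclosing `locals` block starts before the hunk, so whether the list is wrapped in `concat()` cannot be confirmed from here.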
@@ -163,7 +163,7 @@ resource "aws_opensearch_domain" "this" { } } - engine_version = var.engine_version + engine_version = var.engine_version dynamic "log_publishing_options" { for_each = { for opt in var.log_publishing_options : opt.log_type => opt } @@ -305,7 +305,7 @@ resource "aws_opensearch_domain_saml_options" "this" { resource "aws_opensearch_outbound_connection" "this" { for_each = { for k, v in var.outbound_connections : k => v if var.create } - connection_alias = try(each.value.connection_alias, each.key) + connection_alias = try(each.value.connection_alias, each.key) local_domain_info { owner_id = try(each.value.local_domain_info.owner_id, local.account_id) @@ -447,3 +447,20 @@ resource "aws_vpc_security_group_egress_rule" "this" { tags = merge(local.tags, var.security_group_tags, try(each.value.tags, {})) } + +module "elasticsearch_secret" { + source = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0" + + admin_principals = var.admin_principals + description = "Elastisearch secrets for: ${local.name}" + name = "${local.name}-secret" + read_principals = var.read_principals + resource_tags = var.tags + + initial_value = jsonencode({ + ES_ENDPOINT = module.opensearch[0].domain_endpoint + ES_DASHBOARD_ENDPOINT = module.opensearch[0].domain_dashboard_endpoint + ES_DOMAIN_ID = module.opensearch[0].domain_id + ES_PASSWORD = random_password.es.result + }) +} diff --git a/modules/opensearch/outputs.tf b/modules/opensearch/outputs.tf index 61c35c5..0269135 100644 --- a/modules/opensearch/outputs.tf +++ b/modules/opensearch/outputs.tf 
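Review bot: The new `module "elasticsearch_secret"` lives inside modules/opensearch yet reads `module.opensearch[0].domain_endpoint` and `random_password.es.result`, which are root-module addresses (opensearch.tf declares `module "opensearch"` and `resource "random_password" "es"`); unless duplicates exist in the module, Terraform rejects both as undeclared references. Inside the module the domain is `aws_opensearch_domain.this`, so the values should come from `aws_opensearch_domain.this[0].endpoint`, `.dashboard_endpoint` and `.domain_id` (assuming it carries the same `count` guard as `aws_security_group.this`), and the password from whatever the domain's master user password is actually set to, otherwise the secret can hold a password the cluster never received. The block is also the only resource in this file without a `count = var.create ? 1 : 0` guard, so `create = false` would still provision a secret. `var.tags` and `local.name` are not visible in the hunk either; confirm both exist in the module.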
@@ -52,4 +52,21 @@ output "security_group_arn" { output "security_group_id" { description = "ID of the security group" value = try(aws_security_group.this[0].id, null) +} + +################################################################################ +# Secret details +################################################################################ + +output "secret_details" { + description = "Map containing secret details for opensearch credentials" + value = [ + { + name = secret.secret_name + environment_variables = ["ES_ENDPOINT", "ES_DASHBOARD_ENDPOINT", "ES_DOMAIN_ID", "ES_PASSWORD"] + policy_json = module.elasticsearch_secret.policy_json + kms_key_arn = module.elasticsearch_secret.kms_key_arn + secret_arn = module.elasticsearch_secret.arn + } + ] } \ No newline at end of file diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 96c3eeb..0a018d7 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -1,3 +1,9 @@ +variable "application_name" { + type = string + description = "Unique name for the opensearch instance" + default = "" +} + variable "create" { description = "Determines whether resources will be created (affects all resources)" type = bool @@ -271,3 +277,15 @@ variable "security_group_tags" { type = map(string) default = {} } + +variable "admin_principals" { + description = "Principals allowed to peform admin actions (default: current account)" + type = list(string) + default = null +} + +variable "read_principals" { + description = "Principals allowed to read the secret (default: current account)" + type = list(string) + default = null +} diff --git a/opensearch-variables.tf b/opensearch-variables.tf index 689534b..07489eb 100644 --- a/opensearch-variables.tf +++ b/opensearch-variables.tf 
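Review bot: `name = secret.secret_name` references a resource type `secret` that does not exist, so `terraform validate` fails on this output; the name should come from the sibling module, e.g. `name = module.elasticsearch_secret.secret_name` (if the thoughtbot module exports it; otherwise reuse the `name` argument passed to it). The description says "Map" but the value is a single-element list of objects, so write `List of objects describing the opensearch credentials secret (name, environment_variables, policy_json, kms_key_arn, secret_arn)` so the root `locals` concatenation reads correctly. If the secret module is ever count-gated, wrap the module references in `try(..., null)` as `security_group_id` does in this file.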
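Review bot: `application_name` is declared with a default of `""`, but nothing in the module files touched by this patch reads `var.application_name`, so the root's `application_name = var.es_application_name` pass-through currently has no effect; either consume it (for instance in `local.name`) or drop the variable. The new `admin_principals`/`read_principals` descriptions repeat the root's typo: `peform` should be `perform`.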
@@ -44,13 +44,13 @@ variable "es_engine_version" { description = "Version of Elasticsearch to deploy." } -variable "admin_principals" { +variable "es_admin_principals" { description = "Principals allowed to peform admin actions (default: current account)" type = list(string) default = null } -variable "read_principals" { +variable "es_read_principals" { description = "Principals allowed to read the secret (default: current account)" type = list(string) default = null diff --git a/opensearch.tf b/opensearch.tf index 46d93c3..d371441 100644 --- a/opensearch.tf +++ b/opensearch.tf @@ -90,6 +90,12 @@ module "opensearch" { { log_type = "SEARCH_SLOW_LOGS" }, ] + application_name = var.es_application_name + + admin_principals = var.es_admin_principals + + read_principals = var.es_read_principals + node_to_node_encryption = { enabled = true } @@ -140,12 +146,12 @@ resource "random_password" "es" { special = false } -module "secret" { +module "elasticsearch_secret" { count = var.elasticsearch_enabled ? 1 : 0 source = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0" admin_principals = var.admin_principals - description = "Elastisearch password for: ${local.name}" + description = "Elastisearch secrets for: ${local.name}" name = "${local.name}-secret" read_principals = var.read_principals resource_tags = var.tags 
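Review bot: The renamed root `module "elasticsearch_secret"` still passes `admin_principals = var.admin_principals` and `read_principals = var.read_principals`, but this same patch renames those root variables to `es_admin_principals` / `es_read_principals` in opensearch-variables.tf; unless variables by the old names are declared elsewhere in the root, these are now undeclared references. Use `admin_principals = var.es_admin_principals` and `read_principals = var.es_read_principals`, matching what the hunk above feeds to `module "opensearch"`. Renaming `module.secret` to `module.elasticsearch_secret` without a `moved` block (`from = module.secret[0]`, `to = module.elasticsearch_secret[0]`, Terraform 1.1+) also plans a destroy-and-create of the Secrets Manager secret under the same `${local.name}-secret` name; AWS reserves a deleted secret's name for its recovery window unless the module deletes with a zero window, so the apply can fail and any consumer pinned to the old ARN loses access.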
@@ -153,18 +159,18 @@ module "secret" { initial_value = jsonencode({ ES_ENDPOINT = module.opensearch[0].domain_endpoint ES_DASHBOARD_ENDPOINT = module.opensearch[0].domain_dashboard_endpoint - DOMAIN_ID = module.opensearch[0].domain_id - PASSWORD = random_password.es.result + ES_DOMAIN_ID = module.opensearch[0].domain_id + ES_PASSWORD = random_password.es.result }) } resource "aws_iam_role_policy_attachment" "test-attach" { - count = var.elasticsearch_enabled ? 1 : 0 + count = var.elasticsearch_enabled ? 1 : 0 role = module.pod_role.name policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AmazonElasticsearchServiceRolePolicy" - depends_on = [ module.pod_policy ] + depends_on = [module.pod_policy] } module "pod_policy" { @@ -172,9 +178,9 @@ module "pod_policy" { source = "github.com/thoughtbot/flightdeck//aws/service-account-policy?ref=v0.9.0" name = "es-${var.es_application_name}-pods" - policy_documents = module.secret[*].policy_json + policy_documents = module.opensearch[*].secret_details.policy_json - role_names = [module.pod_role.name] + role_names = [module.pod_role.name] } data "aws_region" "current" {}
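Review bot: With the pod policy now sourced from the module's own secret (next hunk), the root `module "elasticsearch_secret"` in this hunk still creates a second secret carrying the same `ES_PASSWORD`; two copies of the master password with separate access policies is more to protect and to rotate, so keep only one. Renaming the keys `DOMAIN_ID`/`PASSWORD` to `ES_DOMAIN_ID`/`ES_PASSWORD` is a breaking change for any workload that reads the old keys, and whether the secret module rewrites an existing secret version when `initial_value` changes is not visible here, so confirm before applying. Separately, `aws_iam_role_policy_attachment "test-attach"` grants the pod role `AmazonElasticsearchServiceRolePolicy`, which is the policy meant for the OpenSearch service-linked role (EC2 networking permissions) rather than data-plane access; if the pods only need `es:ESHttp*` on this domain, a scoped inline policy is both narrower and actually useful.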
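Review bot: `policy_documents = module.opensearch[*].secret_details.policy_json` will not evaluate: `secret_details` is a list (outputs.tf wraps the object in `[ ... ]`), so `.policy_json` is applied to a list and Terraform reports an unsupported attribute. Flatten it explicitly, e.g. `policy_documents = flatten([for m in module.opensearch : m.secret_details[*].policy_json])`, which also yields an empty list when the module's count is 0. The `module "pod_policy"` block starts before this hunk, so its other arguments are not visible here.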