diff --git a/.github/labels.yaml b/.github/labels.yaml
new file mode 100644
index 0000000..914c52f
--- /dev/null
+++ b/.github/labels.yaml
@@ -0,0 +1,25 @@
+---
+- name: bug
+  color: "c2e0c6"
+  description: Bug
+- name: do-not-merge
+  color: "e99695"
+  description: Do not merge commit
+- name: documentation
+  color: "feaef7"
+  description: Documentation
+- name: enhancement
+  color: "8d6fc8"
+  description: Enhancement
+- name: release/major
+  color: "d93f0b"
+  description: Major version
+- name: release/minor
+  color: "fbca04"
+  description: Minor version
+- name: release/patch
+  color: "0e8a16"
+  description: Patch version
+- name: security
+  color: "db175c"
+  description: Security
diff --git a/.github/workflows/ci-checks-tf.yml b/.github/workflows/ci-checks-tf.yml
index 6135c29..9c32f55 100644
--- a/.github/workflows/ci-checks-tf.yml
+++ b/.github/workflows/ci-checks-tf.yml
@@ -13,7 +13,7 @@ permissions:
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
-    container: ghcr.io/antonbabenko/pre-commit-terraform:v1.79.1
+    container: ghcr.io/antonbabenko/pre-commit-terraform:v1.88.4
     steps:
       - uses: actions/checkout@v3
 
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
deleted file mode 100644
index 0ff17e0..0000000
--- a/.github/workflows/terraform.yml
+++ /dev/null
@@ -1,49 +0,0 @@
---- -name: "Terraform" - -on: - pull_request: - -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - -jobs: - terraform-fmt: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@master - name: Terraform Format - uses: hashicorp/terraform-github-actions@master - with: - tf_actions_version: latest - tf_actions_subcommand: fmt - tf_actions_comment: true - - terraform-docs: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.ref }} - continue-on-error: true # added this to prevent a PR from a remote fork failing the workflow - - name: Update module usage docs and push any changes back to PR branch - uses: Dirrk/terraform-docs@v1.0.8 - with: - tf_docs_args: "--sort-inputs-by-required" - tf_docs_git_commit_message: "terraform-docs: Update module usage" - tf_docs_git_push: "true" - tf_docs_output_file: README.md - tf_docs_output_method: inject - tf_docs_find_dir: . - continue-on-error: true # added this to prevent a PR from a remote fork failing the workflow - - tfsec: - name: tfsec - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@master - name: Terraform security scan - uses: triat/terraform-security-scan@v3.1.0
diff --git a/.github/workflows/v1-func-create-tag-and-release.yml b/.github/workflows/v1-func-create-tag-and-release.yml
index 242e0d4..7aa1129 100644
--- a/.github/workflows/v1-func-create-tag-and-release.yml
+++ b/.github/workflows/v1-func-create-tag-and-release.yml
@@ -4,6 +4,9 @@ on: pull_request: types: [closed] +permissions: + contents: write + jobs: create-new-release: runs-on: ubuntu-latest
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 898eeb6..e237779 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
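Review bot: The top-level `permissions: contents: write` in v1-func-create-tag-and-release.yml is granted to every job in the workflow, and the `pull_request: types: [closed]` trigger also fires when a PR is closed without being merged, so whatever `create-new-release` does with that write token (its steps are outside the hunk) runs for unmerged closures too unless the job itself is guarded. Scope the grant to the one job that needs it and gate on the merge: `create-new-release:` / `if: github.event.pull_request.merged == true` / `permissions: { contents: write }` (block style in the file). Note that on a plain `pull_request` trigger the token for fork PRs is read-only regardless, so this is about same-repository branches and about not handing write to any job added to this workflow later.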
@@ -1,7 +1,33 @@
 repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: check-json
+      - id: check-merge-conflict
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: pretty-format-json
+        args:
+          - --autofix
+      - id: detect-aws-credentials
+        args:
+          - --allow-missing-credentials
+      - id: detect-private-key
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0
+    rev: v1.89.1
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
+        args:
+          - --hook-config=--use-standard-markers=true
       - id: terraform_validate
+  - repo: https://github.com/bridgecrewio/checkov
+    rev: 3.0.37
+    hooks:
+      - id: checkov
+        verbose: false
+        args: [--download-external-modules, "true", --quiet, --compact]
+        additional_dependencies:
+          - "cyclonedx-python-lib==5.2.0"
diff --git a/README.md b/README.md
index 0f1e5fe..5585c58 100644
--- a/README.md
+++ b/README.md
@@ -1,18 +1,16 @@
-# terraform-aws-mcaf-opensearch
-
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.0 |
-| [aws](#requirement\_aws) | >= 4.0.0 |
+| [aws](#requirement\_aws) | 5.49.0 |
 | [elasticsearch](#requirement\_elasticsearch) | >= 2.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 4.9.0 |
+| [aws](#provider\_aws) | 5.49.0 |
 
 ## Modules
 
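Review bot: `--download-external-modules "true"` on the checkov hook makes every local commit fetch any external Terraform modules the code references from the registry or git before scanning, and the README in this same diff reports "No modules.", so the flag buys nothing here and only adds a network fetch of third-party code to a pre-commit hook; `args: [--download-external-modules, "false", --quiet, --compact]` keeps the scan offline. The `rev:` values are mutable tags, which matters most for the hook that installs code at setup time (checkov with its `additional_dependencies`); pinning that one to a commit SHA gives a reproducible toolchain. Also worth a comment next to `--allow-missing-credentials`: `detect-aws-credentials` compares files against the secret keys found in the committer's own AWS credential files and environment, so on a machine with none configured the hook passes without having anything to detect — it is not a substitute for a generic secret scanner.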
@@ -22,18 +20,21 @@ No modules. | Name | Type | |------|------| -| [aws_cloudwatch_log_group.cw_application](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_group.cw_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_group.cw_index](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_group.cw_search](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_resource_policy.cw_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) | resource | -| [aws_elasticsearch_domain.opensearch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) | resource | -| [aws_iam_policy_document.cw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_cloudwatch_log_group.cw_application](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.cw_audit](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.cw_index](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.cw_search](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_resource_policy.cw_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/cloudwatch_log_resource_policy) | resource | +| 
[aws_elasticsearch_domain.opensearch](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/elasticsearch_domain) | resource | +| [aws_elasticsearch_domain_saml_options.opensearch_saml_options](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/elasticsearch_domain_saml_options) | resource | +| [aws_iam_policy_document.cw_policy](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [autotune\_enabled](#input\_autotune\_enabled) | Enable autotune options | `bool` | `false` | no | +| [autotune\_options](#input\_autotune\_options) | n/a |
object({|
desired_state = string
rollback_on_disable = string
maintenance_schedule = object({
cron_expression = string
duration = number
start_at = string
})
})
{| no | | [availability\_zones](#input\_availability\_zones) | The number of availability zones for the OpenSearch cluster. Valid values: 1, 2 or 3. | `number` | `3` | no | | [cloudwatch\_log\_enabled](#input\_cloudwatch\_log\_enabled) | Enabled Cloudwatch. | `bool` | `true` | no | | [cloudwatch\_log\_kms\_key\_id](#input\_cloudwatch\_log\_kms\_key\_id) | The ARN of the KMS key to use when encrypting log data. | `string` | `null` | no | 
@@ -45,20 +46,35 @@ No modules. | [cognito\_identity\_pool\_id](#input\_cognito\_identity\_pool\_id) | ID of the Cognito identity pool to use. | `string` | `null` | no | | [cognito\_role\_arn](#input\_cognito\_role\_arn) | ARN of the IAM role that has the AmazonESCognitoAccess policy. | `string` | `null` | no | | [cognito\_user\_pool\_id](#input\_cognito\_user\_pool\_id) | ID of the Cognito user pool to use. | `string` | `null` | no | +| [cold\_enabled](#input\_cold\_enabled) | Enable cold storage. | `bool` | `false` | no | | [custom\_endpoint](#input\_custom\_endpoint) | FQDN of the custom endpoint | `string` | `null` | no | | [custom\_endpoint\_certificate\_arn](#input\_custom\_endpoint\_certificate\_arn) | ACM certificate ARN for your custom endpoint. | `string` | `null` | no | | [custom\_endpoint\_enabled](#input\_custom\_endpoint\_enabled) | Enable custom endpoint. | `bool` | `false` | no | | [ebs\_enabled](#input\_ebs\_enabled) | Enable EBS volumes for data nodes | `bool` | `false` | no | +| [ebs\_iops](#input\_ebs\_iops) | Baseline I/O performance of EBS volumes attached to data nodes. | `number` | `null` | no | | [ebs\_volume\_size](#input\_ebs\_volume\_size) | EBS Volume size in GiB | `number` | `null` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | EBS volume type. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html | `string` | `null` | no | +| [enabled](#input\_enabled) | Enable OpenSearch. | `bool` | `true` | no | | [encrypt\_at\_rest](#input\_encrypt\_at\_rest) | Enable encryption at rest | `bool` | `true` | no | | [encrypt\_kms\_key\_id](#input\_encrypt\_kms\_key\_id) | KMS key id to encrypt OpenSearch domain with. | `string` | `null` | no | | [enforce\_https](#input\_enforce\_https) | Enforce HTTPS domain endpoint. | `string` | `null` | no | | [hot\_instance\_count](#input\_hot\_instance\_count) | The number of dedicated hot nodes in the cluster. 
| `number` | `3` | no | | [hot\_instance\_type](#input\_hot\_instance\_type) | The instance type for dedicated hot nodes in the cluster. | `string` | `"t3.small.elasticsearch"` | no | +| [internal\_user\_database\_enabled](#input\_internal\_user\_database\_enabled) | Enable internal user database. | `bool` | `true` | no | | [master\_instance\_count](#input\_master\_instance\_count) | The number of dedicated master nodes in the cluster. | `number` | `3` | no | | [master\_instance\_type](#input\_master\_instance\_type) | Instance type for the OpenSearch master nodes. | `string` | `"t3.small.elasticsearch"` | no | | [master\_user\_arn](#input\_master\_user\_arn) | ARN of the main user. | `string` | `null` | no | +| [master\_user\_name](#input\_master\_user\_name) | Name of the main user. | `string` | `null` | no | +| [master\_user\_password](#input\_master\_user\_password) | Password of the main user. | `string` | `null` | no | | [node\_to\_node\_encryption](#input\_node\_to\_node\_encryption) | Enable node-to-node encryption. | `bool` | `true` | no | +| [saml\_options\_enabled](#input\_saml\_options\_enabled) | Enable saml\_options | `bool` | `false` | no | +| [saml\_options\_idp\_entity\_id](#input\_saml\_options\_idp\_entity\_id) | URL of the entity id | `string` | `null` | no | +| [saml\_options\_idp\_metadata\_content](#input\_saml\_options\_idp\_metadata\_content) | Contents of the saml-metadata.xml file | `string` | `null` | no | +| [saml\_options\_master\_backend\_role](#input\_saml\_options\_master\_backend\_role) | (Optional) This backend role from the SAML IdP receives full permissions to the cluster, equivalent to a new master user. | `string` | `null` | no | +| [saml\_options\_master\_user\_name](#input\_saml\_options\_master\_user\_name) | (Optional) This username from the SAML IdP receives full permissions to the cluster, equivalent to a new master user. 
| `string` | `null` | no | +| [saml\_options\_roles\_key](#input\_saml\_options\_roles\_key) | (Optional) Element of the SAML assertion to use for backend roles. Default is roles. e.g. http://schemas.microsoft.com/ws/2008/06/identity/claims/groups | `string` | `null` | no | +| [saml\_options\_session\_timeout\_minutes](#input\_saml\_options\_session\_timeout\_minutes) | (Optional) Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440. | `number` | `null` | no | +| [saml\_options\_subject\_key](#input\_saml\_options\_subject\_key) | (Optional) Custom SAML attribute to use for user names. Default is an empty string. This will cause Elasticsearch to use the NameID element of the Subject, which is the default location for name identifiers in the SAML specification. | `string` | `null` | no | | [security\_group\_ids](#input\_security\_group\_ids) | List of VPC security group id's. | `list(string)` | `[]` | no | | [subnet\_ids](#input\_subnet\_ids) | The subnet id where to deploy the OpenSearch cluster. | `list(string)` | `[]` | no | | [tags](#input\_tags) | A mapping of tags to assign to the OpenSearch cluster. | `map(string)` | `{}` | no | @@ -78,4 +94,3 @@ No modules. | [kibana\_endpoint](#output\_kibana\_endpoint) | The endpoint URL of Kibana. | | [opensearch\_domain\_arn](#output\_opensearch\_domain\_arn) | Return ARN of the OpenSearch cluster domain. | | [opensearch\_domain\_id](#output\_opensearch\_domain\_id) | The domain id of the OpenSearch cluster. | - \ No newline at end of file diff --git a/example/README.md b/example/README.md index 0d932ee..f4edd2f 100644 --- a/example/README.md +++ b/example/README.md 
@@ -1,35 +1,3 @@
-# Usage
-
-## Requirements
+# Example
 
-| Name | Version |
-|------|---------|
-| terraform | >= 1.0 |
-| aws | >= 4.0 |
-| elasticsearch | >=2.0.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| aws | >= 4.0 |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| cluster\_domain | The hosted zone name of the OpenSearch cluster. | `string` | `""` | no |
-| cluster\_name | The name of the OpenSearch cluster. | `string` | `"opensearch"` | no |
-| security\_group\_ids | The security group id's to add to the OpenSearch security group. | `list(string)` | `[]` | no |
-| subnet\_ids | The subnet id's to use for the OpenSearch cluster. | `list(string)` | `[]` | no |
-| tags | Tags | `map(string)` | `{}` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| cluster\_endpoint | The endpoint URL of the OpenSearch cluster. |
-| cluster\_name | The name of the OpenSearch cluster. |
-| cluster\_version | The version of the OpenSearch cluster. |
-
-
+Look at the README.md in the root folder of this project
diff --git a/example/main.tf b/example/main.tf
index 230bbce..55b5443 100644
--- a/example/main.tf
+++ b/example/main.tf
@@ -14,7 +14,8 @@ module "opensearch" { cluster_name = var.cluster_name cluster_version = "OpenSearch_2.7" - subnet_ids = var.subnet_ids + subnet_ids = var.subnet_ids + #checkov:skip=CKV_AWS_248:This example doesn't contain a security group security_group_ids = var.security_group_ids warm_enabled = false
diff --git a/main.tf b/main.tf
index ffad22b..9d8c042 100644
--- a/main.tf
+++ b/main.tf
@@ -4,7 +4,7 @@ resource "aws_elasticsearch_domain" "opensearch" { count = var.enabled ? 1 : 0 cluster_config { - dedicated_master_enabled = var.master_instance_count > 0 + dedicated_master_enabled = true dedicated_master_count = var.master_instance_count dedicated_master_type = var.master_instance_type
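Review bot: Hard-coding `dedicated_master_enabled = true` in main.tf drops the guard that previously derived it from `master_instance_count > 0`, so a caller who sets `master_instance_count = 0` now sends a domain request with dedicated masters enabled and a count of zero, which AWS will presumably reject at apply time rather than surfacing at plan time. If dedicated masters are now mandatory for this module, say so where the input is declared: add a `validation` block on `master_instance_count` with `condition = var.master_instance_count > 0` and an `error_message` stating that dedicated master nodes are always enabled, and update the variable description to match. The `cluster_config` block and its enclosing resource both start and end outside the hunk.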
diff --git a/variables.tf b/variables.tf
index 0ad8ab7..c876016 100644
--- a/variables.tf
+++ b/variables.tf
@@ -155,7 +155,7 @@ variable "custom_endpoint_certificate_arn" {
 variable "internal_user_database_enabled" {
   description = "Enable internal user database."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "master_user_arn" {
diff --git a/versions.tf b/versions.tf
index 49fa410..63fd78e 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0.0"
+      version = "5.49.0"
     }
     elasticsearch = {
       source  = "phillbaker/elasticsearch"
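Review bot: Flipping `internal_user_database_enabled` to `true` by default silently changes what every caller relying on the default gets: the internal user database means the master user is a username/password pair, and the README in this diff shows `master_user_name` and `master_user_password` both defaulting to `null`, so a default-configured apply presumably fails validation unless callers now also supply those two inputs. Either keep the old default and let callers opt in, or document the new requirement at the declaration: `description = "Enable the internal user database (master user as name/password). When true, master_user_name and master_user_password must be set."`. Because this is a behaviour change for existing users it warrants the `release/major` label this diff adds, and `master_user_password` should carry `sensitive = true` if it does not already — its declaration is outside the hunk, so I cannot confirm that here.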
"desired_state": "ENABLED",
"maintenance_schedule": {
"cron_expression": "cron(0 0 ? * 1 *)",
"duration": 1,
"start_at": "2000-01-01T00:00:00.00Z"
},
"rollback_on_disable": "NO_ROLLBACK"
}