Data Storage Modules 0.47.0 (last updated in version 0.47.0)

OpenSearch Module

This module creates an Amazon OpenSearch Service domain (the successor to Amazon Elasticsearch Service).

Features

  • OpenSearch or legacy Elasticsearch engine versions
  • VPC or public endpoint deployment
  • Encryption at rest and node-to-node encryption
  • Fine-grained access control (FGAC) with internal user database, IAM, or SAML
  • Cognito authentication for OpenSearch Dashboards
  • Dedicated master nodes, UltraWarm storage, and cold storage
  • Multi-AZ with standby
  • Auto-Tune with maintenance schedules
  • gp3 EBS volumes with configurable IOPS and throughput
  • Off-peak maintenance windows and automatic software updates
  • CloudWatch log publishing
  • Custom domain endpoints

Usage

module "opensearch" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/opensearch?ref=v1.0.0"

  domain_name    = "my-domain"
  engine_version = "OpenSearch_2.11"

  instance_type  = "m6g.large.search"
  instance_count = 2
  volume_type    = "gp3"
  volume_size    = 100

  # VPC mode
  vpc_id     = "vpc-abc123"
  subnet_ids = ["subnet-abc123", "subnet-def456"]

  allow_connections_from_cidr_blocks = ["10.0.0.0/16"]

  # Fine-grained access control
  advanced_security_options_enabled = true
  internal_user_database_enabled    = true
  master_user_name                  = "admin"
  master_user_password              = "MySecurePassword1!"
}

Required Inputs

Name              Description
domain_name       Name of the OpenSearch domain (3-28 chars, lowercase)
engine_version    Engine version (e.g. OpenSearch_2.11)
instance_type     Instance type for data nodes
instance_count    Number of data nodes
volume_type       EBS volume type (gp3, gp2, io1, standard)
volume_size       EBS volume size in GB

Outputs

Name                  Description
domain_arn            ARN of the OpenSearch domain
domain_id             Unique identifier for the domain
domain_name           Name of the domain
domain_endpoint       Endpoint for submitting requests
dashboards_endpoint   Endpoint for OpenSearch Dashboards
security_group_id     Security group ID (null if not in VPC mode)

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S OPENSEARCH MODULE
#
# NOTE: This module uses some sensitive variables marked inline with "# SENSITIVE".
# When using values other than defaults for these variables, set them through environment variables or
# another secure method.
#
# ------------------------------------------------------------------------------------------------------

module "opensearch" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/opensearch?ref=v0.47.0"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The name of the OpenSearch domain. Must be between 3 and 28 characters,
  # start with a lowercase letter, and contain only lowercase letters, numbers,
  # and hyphens.
  domain_name = <string>

  # The engine version for the OpenSearch domain (e.g. 'OpenSearch_2.11' or
  # 'Elasticsearch_7.10').
  engine_version = <string>

  # The number of data nodes in the OpenSearch domain.
  instance_count = <number>

  # The instance type for the OpenSearch domain data nodes (e.g.
  # 'm6g.large.search').
  instance_type = <string>

  # The size of the EBS volume in GB for each data node.
  volume_size = <number>

  # The type of EBS volume to use (gp3, gp2, io1, or standard).
  volume_type = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # IAM policy document specifying the access policies for the domain. If null,
  # no access policy is applied.
  access_policies = null

  # Key-value pairs of advanced configuration options (e.g.
  # 'rest.action.multi.allow_explicit_index' = 'true').
  advanced_options = null

  # Whether to enable fine-grained access control (FGAC). Requires
  # enforce_https, node_to_node_encryption, and encrypt_at_rest to be true.
  advanced_security_options_enabled = false

  # A list of CIDR-formatted IP address ranges that can connect to this
  # OpenSearch domain over HTTPS (port 443).
  allow_connections_from_cidr_blocks = []

  # A list of IPv6 CIDR-formatted IP address ranges that can connect to this
  # OpenSearch domain over HTTPS (port 443).
  allow_connections_from_ipv6_cidr_blocks = []

  # A list of security group IDs that can connect to this OpenSearch domain.
  allow_connections_from_security_groups = []

  # Whether to enable anonymous authentication. Only relevant when
  # advanced_security_options_enabled is true.
  anonymous_auth_enabled = false

  # Whether automatic software updates are enabled for the domain.
  auto_software_update_enabled = false

  # The Auto-Tune desired state. Valid values are 'ENABLED' and 'DISABLED'.
  auto_tune_desired_state = "ENABLED"

  # Whether to enable Auto-Tune for the domain.
  auto_tune_enabled = false

  # A list of Auto-Tune maintenance schedules.
  auto_tune_maintenance_schedules = []

  # Whether to roll back Auto-Tune settings when disabling. Valid values are
  # 'NO_ROLLBACK' and 'DEFAULT_ROLLBACK'.
  auto_tune_rollback_on_disable = "NO_ROLLBACK"

  # The hour (0-23) during which the service takes an automated daily snapshot
  # of the indices. Set to null to omit.
  automated_snapshot_start_hour = null

  # The number of availability zones for zone-aware domains. Valid values are 2
  # or 3. Only used when zone_awareness_enabled is true.
  availability_zone_count = 2

  # Cognito authentication options for OpenSearch Dashboards. Set to null to
  # disable Cognito.
  cognito_options = null

  # Whether cold storage is enabled. Requires UltraWarm to be enabled.
  cold_storage_enabled = false

  # Whether to create the AWSServiceRoleForAmazonOpenSearchService
  # service-linked role. Only needed once per AWS account.
  create_service_linked_role = false

  # Timeout for creating the OpenSearch domain.
  creating_timeout = "60m"

  # The fully qualified domain name for a custom endpoint (e.g.
  # 'search.example.com'). If null, custom endpoints are disabled.
  custom_endpoint = null

  # The ACM certificate ARN for the custom endpoint. Required when
  # custom_endpoint is set.
  custom_endpoint_certificate_arn = null

  # A map of custom tags to apply to the OpenSearch domain and security group.
  # The key is the tag name and the value is the tag value.
  custom_tags = {}

  # The number of dedicated master nodes in the cluster.
  dedicated_master_count = null

  # Whether dedicated master nodes are enabled for the cluster.
  dedicated_master_enabled = false

  # The instance type for the dedicated master nodes (e.g. 'm6g.large.search').
  dedicated_master_type = null

  # Timeout for deleting the OpenSearch domain.
  deleting_timeout = "60m"

  # Whether EBS volumes are attached to data nodes.
  ebs_enabled = true

  # Whether to enable encryption at rest for the OpenSearch domain.
  encrypt_at_rest = true

  # Whether to require HTTPS for all traffic to the domain.
  enforce_https = true

  # Whether to enable the internal user database for fine-grained access
  # control.
  internal_user_database_enabled = false

  # The baseline I/O performance of EBS volumes attached to data nodes. Only
  # applicable for io1 and gp3 volume types.
  iops = null

  # The type of IP addresses supported by the endpoint. Valid values are 'ipv4'
  # and 'dualstack'.
  ip_address_type = null

  # The KMS key ID to use for encryption at rest. If not specified, the default
  # OpenSearch KMS key is used.
  kms_key_id = null

  # A list of log publishing options. Each entry specifies a log type and a
  # CloudWatch Log Group ARN.
  log_publishing_options = []

  # The ARN of the IAM user to use as the master user for FGAC. Conflicts with
  # master_user_name and master_user_password.
  master_user_arn = null

  # The master username for fine-grained access control. Requires
  # internal_user_database_enabled to be true.
  master_user_name = null

  # The master password for fine-grained access control. Requires
  # internal_user_database_enabled to be true. Must be at least 8 characters
  # with at least one uppercase letter, one lowercase letter, one digit, and one
  # special character.
  master_user_password = null # SENSITIVE

  # Whether a multi-AZ domain is turned on with a standby AZ. Requires zone
  # awareness and at least 3 AZs.
  multi_az_with_standby_enabled = false

  # Whether to enable node-to-node encryption.
  node_to_node_encryption = true

  # Whether the off-peak window is enabled. Set to null to omit the block
  # entirely.
  off_peak_window_enabled = null

  # The start time of the off-peak window.
  off_peak_window_start_time = null

  # SAML authentication options for OpenSearch Dashboards. Set to null to
  # disable SAML.
  saml_options = null

  # The description of the security group created for the OpenSearch domain.
  # Defaults to 'Security group for the <domain_name> OpenSearch domain' if not
  # specified.
  security_group_description = null

  # The name of the security group created for the OpenSearch domain. Defaults
  # to var.domain_name if not specified.
  security_group_name = null

  # A list of subnet IDs for the OpenSearch domain to use for VPC endpoints. If
  # empty, the domain is created with a public endpoint.
  subnet_ids = []

  # The throughput (in MiB/s) of the EBS volumes attached to data nodes. Only
  # applicable for gp3 volume types.
  throughput = null

  # The TLS security policy to apply to the HTTPS endpoint. Valid values are
  # 'Policy-Min-TLS-1-0-2019-07' and 'Policy-Min-TLS-1-2-2019-07'.
  tls_security_policy = "Policy-Min-TLS-1-2-2019-07"

  # Timeout for updating the OpenSearch domain.
  updating_timeout = "60m"

  # The ID of the VPC in which to create the security group. Required when
  # subnet_ids is provided.
  vpc_id = null

  # The number of UltraWarm nodes in the cluster.
  warm_count = null

  # Whether UltraWarm storage is enabled.
  warm_enabled = false

  # The instance type for UltraWarm nodes (e.g. 'ultrawarm1.medium.search').
  warm_type = null

  # Whether zone awareness is enabled. If true, nodes are distributed across
  # availability zones.
  zone_awareness_enabled = false

}
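The Usage block near the top of this page puts the FGAC master password in the configuration as a literal, which the SENSITIVE note in the sample above advises against. The following is an added hardened variant, not the module's own documentation: the password moves into a sensitive variable supplied through the environment, the endpoint stays inside the VPC and is opened to one security group rather than a CIDR range, encryption at rest pins a customer-managed KMS key, and FGAC audit logs are published to CloudWatch. The VPC, subnet, security-group and KMS identifiers and the log group name are placeholders, and the aws_cloudwatch_log_group and aws_cloudwatch_log_resource_policy resources come from the AWS provider, not from this module.

```hcl
variable "master_user_password" {
  type      = string
  sensitive = true # supplied via TF_VAR_master_user_password, never committed to git
}

# Log group for FGAC audit logs (placeholder name, constructed for this example).
resource "aws_cloudwatch_log_group" "opensearch_audit" {
  name              = "/aws/opensearch/my-domain/audit"
  retention_in_days = 365
}

# The OpenSearch service principal must be allowed to write to the log group.
resource "aws_cloudwatch_log_resource_policy" "opensearch" {
  policy_name = "opensearch-my-domain-logs"
  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "es.amazonaws.com" }
      Action    = ["logs:PutLogEvents", "logs:CreateLogStream"]
      Resource  = "${aws_cloudwatch_log_group.opensearch_audit.arn}:*"
    }]
  })
}

module "opensearch" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/opensearch?ref=v0.47.0"

  domain_name    = "my-domain"
  engine_version = "OpenSearch_2.11"
  instance_type  = "m6g.large.search"
  instance_count = 2
  volume_type    = "gp3"
  volume_size    = 100

  # Private endpoint, reachable only from the application tier's security group (placeholder ID).
  vpc_id                                 = "vpc-abc123"
  subnet_ids                             = ["subnet-abc123", "subnet-def456"]
  allow_connections_from_security_groups = ["sg-PLACEHOLDER"]

  # encrypt_at_rest, node_to_node_encryption and enforce_https already default to true here;
  # pin a customer-managed key (placeholder ARN) and the TLS 1.2 minimum policy explicitly.
  kms_key_id          = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"
  tls_security_policy = "Policy-Min-TLS-1-2-2019-07"

  # FGAC with the internal user database; the password is never a literal in code.
  advanced_security_options_enabled = true
  internal_user_database_enabled    = true
  master_user_name                  = "admin"
  master_user_password              = var.master_user_password

  # AUDIT_LOGS is only available once FGAC is enabled.
  log_publishing_options = [{
    log_type                 = "AUDIT_LOGS"
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.opensearch_audit.arn
  }]
}
```

Export TF_VAR_master_user_password in the shell that runs terraform apply; Terraform redacts sensitive values from plan output, but the value is still written to the state file, so the state backend needs the same access controls as the password itself.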


Reference

Required

domain_name (string, required)

The name of the OpenSearch domain. Must be between 3 and 28 characters, start with a lowercase letter, and contain only lowercase letters, numbers, and hyphens.

engine_version (string, required)

The engine version for the OpenSearch domain (e.g. 'OpenSearch_2.11' or 'Elasticsearch_7.10').

instance_count (number, required)

The number of data nodes in the OpenSearch domain.

instance_type (string, required)

The instance type for the OpenSearch domain data nodes (e.g. 'm6g.large.search').

volume_size (number, required)

The size of the EBS volume in GB for each data node.

volume_type (string, required)

The type of EBS volume to use (gp3, gp2, io1, or standard).

Optional

access_policies (string, optional, default: null)

IAM policy document specifying the access policies for the domain. If null, no access policy is applied.

advanced_options (map(string), optional, default: null)

Key-value pairs of advanced configuration options (e.g. 'rest.action.multi.allow_explicit_index' = 'true').

advanced_security_options_enabled (bool, optional, default: false)

Whether to enable fine-grained access control (FGAC). Requires enforce_https, node_to_node_encryption, and encrypt_at_rest to be true.

allow_connections_from_cidr_blocks (list(string), optional, default: [])

A list of CIDR-formatted IP address ranges that can connect to this OpenSearch domain over HTTPS (port 443).

allow_connections_from_ipv6_cidr_blocks (list(string), optional, default: [])

A list of IPv6 CIDR-formatted IP address ranges that can connect to this OpenSearch domain over HTTPS (port 443).

allow_connections_from_security_groups (list(string), optional, default: [])

A list of security group IDs that can connect to this OpenSearch domain.

anonymous_auth_enabled (bool, optional, default: false)

Whether to enable anonymous authentication. Only relevant when advanced_security_options_enabled is true.

auto_software_update_enabled (bool, optional, default: false)

Whether automatic software updates are enabled for the domain.

auto_tune_desired_state (string, optional, default: "ENABLED")

The Auto-Tune desired state. Valid values are 'ENABLED' and 'DISABLED'.

auto_tune_enabled (bool, optional, default: false)

Whether to enable Auto-Tune for the domain.

auto_tune_maintenance_schedules (list(object(…)), optional, default: [])

A list of Auto-Tune maintenance schedules.

list(object({
  start_at                       = string
  cron_expression_for_recurrence = string
  duration_value                 = number
  duration_unit                  = string
}))

auto_tune_rollback_on_disable (string, optional, default: "NO_ROLLBACK")

Whether to roll back Auto-Tune settings when disabling. Valid values are 'NO_ROLLBACK' and 'DEFAULT_ROLLBACK'.

automated_snapshot_start_hour (number, optional, default: null)

The hour (0-23) during which the service takes an automated daily snapshot of the indices. Set to null to omit.

availability_zone_count (number, optional, default: 2)

The number of availability zones for zone-aware domains. Valid values are 2 or 3. Only used when zone_awareness_enabled is true.

cognito_options (object(…), optional, default: null)

Cognito authentication options for OpenSearch Dashboards. Set to null to disable Cognito.

object({
  user_pool_id     = string
  identity_pool_id = string
  role_arn         = string
})

cold_storage_enabled (bool, optional, default: false)

Whether cold storage is enabled. Requires UltraWarm to be enabled.

create_service_linked_role (bool, optional, default: false)

Whether to create the AWSServiceRoleForAmazonOpenSearchService service-linked role. Only needed once per AWS account.

creating_timeout (string, optional, default: "60m")

Timeout for creating the OpenSearch domain.

custom_endpoint (string, optional, default: null)

The fully qualified domain name for a custom endpoint (e.g. 'search.example.com'). If null, custom endpoints are disabled.

custom_endpoint_certificate_arn (string, optional, default: null)

The ACM certificate ARN for the custom endpoint. Required when custom_endpoint is set.

custom_tags (map(string), optional, default: {})

A map of custom tags to apply to the OpenSearch domain and security group. The key is the tag name and the value is the tag value.

dedicated_master_count (number, optional, default: null)

The number of dedicated master nodes in the cluster.

dedicated_master_enabled (bool, optional, default: false)

Whether dedicated master nodes are enabled for the cluster.

dedicated_master_type (string, optional, default: null)

The instance type for the dedicated master nodes (e.g. 'm6g.large.search').

deleting_timeout (string, optional, default: "60m")

Timeout for deleting the OpenSearch domain.

ebs_enabled (bool, optional, default: true)

Whether EBS volumes are attached to data nodes.

encrypt_at_rest (bool, optional, default: true)

Whether to enable encryption at rest for the OpenSearch domain.

enforce_https (bool, optional, default: true)

Whether to require HTTPS for all traffic to the domain.

internal_user_database_enabled (bool, optional, default: false)

Whether to enable the internal user database for fine-grained access control.

iops (number, optional, default: null)

The baseline I/O performance of EBS volumes attached to data nodes. Only applicable for io1 and gp3 volume types.

ip_address_type (string, optional, default: null)

The type of IP addresses supported by the endpoint. Valid values are 'ipv4' and 'dualstack'.

kms_key_id (string, optional, default: null)

The KMS key ID to use for encryption at rest. If not specified, the default OpenSearch KMS key is used.

log_publishing_options (list(object(…)), optional, default: [])

A list of log publishing options. Each entry specifies a log type and a CloudWatch Log Group ARN.

list(object({
  log_type                 = string
  cloudwatch_log_group_arn = string
  enabled                  = optional(bool, true)
}))

master_user_arn (string, optional, default: null)

The ARN of the IAM user to use as the master user for FGAC. Conflicts with master_user_name and master_user_password.

master_user_name (string, optional, default: null)

The master username for fine-grained access control. Requires internal_user_database_enabled to be true.

master_user_password (string, optional, default: null)

The master password for fine-grained access control. Requires internal_user_database_enabled to be true. Must be at least 8 characters with at least one uppercase letter, one lowercase letter, one digit, and one special character.

multi_az_with_standby_enabled (bool, optional, default: false)

Whether a multi-AZ domain is turned on with a standby AZ. Requires zone awareness and at least 3 AZs.

node_to_node_encryption (bool, optional, default: true)

Whether to enable node-to-node encryption.

off_peak_window_enabled (bool, optional, default: null)

Whether the off-peak window is enabled. Set to null to omit the block entirely.

off_peak_window_start_time (object(…), optional, default: null)

The start time of the off-peak window.

object({
  hours   = number
  minutes = number
})

saml_options (object(…), optional, default: null)

SAML authentication options for OpenSearch Dashboards. Set to null to disable SAML.

object({
  idp_entity_id           = string
  idp_metadata_content    = string
  subject_key             = optional(string)
  roles_key               = optional(string)
  session_timeout_minutes = optional(number)
  master_backend_role     = optional(string)
  master_user_name        = optional(string)
})

security_group_description (string, optional, default: null)

The description of the security group created for the OpenSearch domain. Defaults to 'Security group for the <domain_name> OpenSearch domain' if not specified.

security_group_name (string, optional, default: null)

The name of the security group created for the OpenSearch domain. Defaults to domain_name if not specified.

subnet_ids (list(string), optional, default: [])

A list of subnet IDs for the OpenSearch domain to use for VPC endpoints. If empty, the domain is created with a public endpoint.

throughput (number, optional, default: null)

The throughput (in MiB/s) of the EBS volumes attached to data nodes. Only applicable for gp3 volume types.

tls_security_policy (string, optional, default: "Policy-Min-TLS-1-2-2019-07")

The TLS security policy to apply to the HTTPS endpoint. Valid values are 'Policy-Min-TLS-1-0-2019-07' and 'Policy-Min-TLS-1-2-2019-07'.

updating_timeout (string, optional, default: "60m")

Timeout for updating the OpenSearch domain.

vpc_id (string, optional, default: null)

The ID of the VPC in which to create the security group. Required when subnet_ids is provided.

warm_count (number, optional, default: null)

The number of UltraWarm nodes in the cluster.

warm_enabled (bool, optional, default: false)

Whether UltraWarm storage is enabled.

warm_type (string, optional, default: null)

The instance type for UltraWarm nodes (e.g. 'ultrawarm1.medium.search').

zone_awareness_enabled (bool, optional, default: false)

Whether zone awareness is enabled. If true, nodes are distributed across availability zones.