diff --git a/.github/mergify.yml b/.github/mergify.yml
index ef15545..148d85c 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -4,13 +4,17 @@ pull_request_rules:
 - name: "approve automated PRs that have passed checks"
 conditions:
 - "author~=^(cloudpossebot|renovate\\[bot\\])$"
- - "base=master"
 - "-closed"
 - "head~=^(auto-update|renovate)/.*"
 - "check-success=test/bats"
 - "check-success=test/readme"
 - "check-success=test/terratest"
 - "check-success=validate-codeowners"
+ - or:
+ - "base=master"
+ - "base=main"
+ - "base~=^release/v\\d{1,2}$"
+
 actions:
 review:
 type: "APPROVE"
@@ -20,7 +24,6 @@ pull_request_rules:
 - name: "merge automated PRs when approved and tests pass"
 conditions:
 - "author~=^(cloudpossebot|renovate\\[bot\\])$"
- - "base=master"
 - "-closed"
 - "head~=^(auto-update|renovate)/.*"
 - "check-success=test/bats"
@@ -30,6 +33,11 @@ pull_request_rules:
 - "#approved-reviews-by>=1"
 - "#changes-requested-reviews-by=0"
 - "#commented-reviews-by=0"
+ - or:
+ - "base=master"
+ - "base=main"
+ - "base~=^release/v\\d{1,2}$"
+
 actions:
 merge:
 method: "squash"
@@ -50,7 +58,10 @@ pull_request_rules:
 - name: "remove outdated reviews"
 conditions:
- - "base=master"
+ - or:
+ - "base=master"
+ - "base=main"
+ - "base~=^release/v\\d{1,2}$"
 actions:
 dismiss_reviews:
 changes_requested: true
diff --git a/.github/renovate.json b/.github/renovate.json
index a780298..b61ed24 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -3,6 +3,7 @@
 "config:base",
 ":preserveSemverRanges"
 ],
+ "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"],
 "labels": ["auto-update"],
 "dependencyDashboardAutoclose": true,
 "enabledManagers": ["terraform"],
diff --git a/.github/workflows/auto-context.yml b/.github/workflows/auto-context.yml
index 831e7fa..e439b60 100644
--- a/.github/workflows/auto-context.yml
+++ b/.github/workflows/auto-context.yml
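Review bot: The same three-entry `or:` list is pasted verbatim into the approve rule (this hunk), the merge rule (@@ -30) and the dismiss rule (@@ -50), so the next base-branch change has to be made in three places and a missed one silently leaves a rule on the old branch set. Mergify reads the file as ordinary YAML, so the list can be declared once with an anchor and aliased in each rule, e.g. `shared: { base_branches: &base_branches [ "base=master", "base=main", "base~=^release/v\\d{1,2}$" ] }` at the top and `- or: *base_branches` inside each `conditions:`; recent Mergify versions document a `shared:` section for exactly this, older ones may reject unknown top-level keys, so check the schema in use. Separately, the approve and merge rules now fire on `release/vN` branches as well as `master`/`main`; the `check-success=` conditions only guard what a branch actually runs, so whoever owns the release branches should confirm they carry the same required checks before bot PRs get auto-approved and auto-merged there.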
@@ -11,6 +11,16 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ - name: Find default branch name
+ id: defaultBranch
+ shell: bash
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ run: |
+ default_branch=$(gh repo view --json defaultBranchRef --jq .defaultBranchRef.name)
+ echo "defaultBranch=${default_branch}" >> "$GITHUB_OUTPUT"
+ printf "defaultBranchRef.name=%s\n" "${default_branch}"
+
 - name: Update context.tf
 shell: bash
 id: update
@@ -50,7 +60,7 @@ jobs:
 To support all the features of the `context` interface.
 branch: auto-update/context.tf
- base: master
+ base: ${{ steps.defaultBranch.outputs.defaultBranch }}
 delete-branch: true
 labels: |
 auto-update
diff --git a/README.md b/README.md
index 9261c0e..6fcd46f 100644
--- a/README.md
+++ b/README.md
@@ -224,6 +224,7 @@ Available targets:
 | [cognito\_user\_pool\_id](#input\_cognito\_user\_pool\_id) | The ID of the Cognito User Pool to use | `string` | `""` | no |
 | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Enables cold storage support. | `bool` | `false` | no |
 | [context](#input\_context) | Single object for setting entire context at once.
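Review bot: The new `defaultBranch` step spends an authenticated API call on a value the workflow already has in context; `base: ${{ github.event.repository.default_branch }}` in the second hunk (@@ -50) would replace the whole step with no `gh` call and no token, provided the triggering event's payload carries `repository` (push and workflow_dispatch do; check the schedule trigger if this job uses one, which is outside the hunk). If the step is kept, `gh repo view` with no argument infers the repository from the checked-out remote, so it silently depends on the `actions/checkout@v2` step above it; adding `GH_REPO: "${{ github.repository }}"` next to `GITHUB_TOKEN` under `env:` makes that explicit. The step also has no guard for an empty result: with the `-e`/`pipefail` that GitHub applies to an explicit `shell: bash`, a failing `gh` aborts the step, but an empty string would still flow into `base:` and fail later when the PR is created with a less obvious error, so `[ -n "${default_branch}" ] || exit 1` after the assignment is worth the line. The enclosing job definition starts before the hunk.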
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no |
+| [create\_elasticsearch\_user\_role](#input\_create\_elasticsearch\_user\_role) | Whether to create an IAM role for Users/EC2 to assume to access the Elasticsearch domain. Set it to `false` if you already manage access through other means. | `bool` | `true` | no |
 | [create\_iam\_service\_linked\_role](#input\_create\_iam\_service\_linked\_role) | Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | `bool` | `true` | no |
 | [create\_security\_group](#input\_create\_security\_group) | Whether to create a dedicated security group for the Elasticsearch domain. Set it to `false` if you already have security groups that you want to attach to the domain and specify them in the `security_groups` variable. | `bool` | `true` | no |
 | [custom\_endpoint](#input\_custom\_endpoint) | Fully qualified domain for custom endpoint. | `string` | `""` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 1af9dd7..8562fdf 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -61,6 +61,7 @@
 | [cognito\_user\_pool\_id](#input\_cognito\_user\_pool\_id) | The ID of the Cognito User Pool to use | `string` | `""` | no |
 | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Enables cold storage support. | `bool` | `false` | no |
 | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no |
+| [create\_elasticsearch\_user\_role](#input\_create\_elasticsearch\_user\_role) | Whether to create an IAM role for Users/EC2 to assume to access the Elasticsearch domain. Set it to `false` if you already manage access through other means. | `bool` | `true` | no |
 | [create\_iam\_service\_linked\_role](#input\_create\_iam\_service\_linked\_role) | Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | `bool` | `true` | no |
 | [create\_security\_group](#input\_create\_security\_group) | Whether to create a dedicated security group for the Elasticsearch domain. Set it to `false` if you already have security groups that you want to attach to the domain and specify them in the `security_groups` variable. | `bool` | `true` | no |
 | [custom\_endpoint](#input\_custom\_endpoint) | Fully qualified domain for custom endpoint. | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index 71fa7b0..bbdfe3e 100644
--- a/main.tf
+++ b/main.tf
@@ -70,7 +70,7 @@ resource "aws_iam_service_linked_role" "default" {
 # Role that pods can assume for access to elasticsearch and kibana
 resource "aws_iam_role" "elasticsearch_user" {
- count = module.this.enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
+ count = module.this.enabled && var.create_elasticsearch_user_role && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
 name = module.user_label.id
 assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
 description = "IAM Role to assume to access the Elasticsearch ${module.this.id} cluster"
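Review bot: The gating expression `module.this.enabled && var.create_elasticsearch_user_role && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0)` is now duplicated between this `aws_iam_role` resource and the `assume_role` policy document (@@ -82), and the two must stay in lockstep: if they ever diverge the role is created with `join("", …)` over an empty list, i.e. an empty `assume_role_policy`, which fails at apply. Computing it once in a `locals` block (outside this hunk), e.g. `create_user_role = module.this.enabled && var.create_elasticsearch_user_role && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0)`, and writing `count = local.create_user_role ? 1 : 0` in both places removes the drift risk and gives the condition a name. The resource body continues past the hunk.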
@@ -82,7 +82,7 @@ resource "aws_iam_role" "elasticsearch_user" {
 }
 data "aws_iam_policy_document" "assume_role" {
- count = module.this.enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
+ count = module.this.enabled && var.create_elasticsearch_user_role && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
 statement {
 actions = [
@@ -255,7 +255,7 @@ data "aws_iam_policy_document" "default" {
 principals {
 type = "AWS"
- identifiers = distinct(compact(concat(var.iam_role_arns, aws_iam_role.elasticsearch_user.*.arn)))
+ identifiers = distinct(compact(concat(var.iam_role_arns, aws_iam_role.elasticsearch_user[*].arn)))
 }
 }
diff --git a/variables.tf b/variables.tf
index 4830134..54b00d5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -10,6 +10,12 @@ variable "create_security_group" {
 description = "Whether to create a dedicated security group for the Elasticsearch domain. Set it to `false` if you already have security groups that you want to attach to the domain and specify them in the `security_groups` variable."
 }
+variable "create_elasticsearch_user_role" {
+ type = bool
+ default = true
+ description = "Whether to create an IAM role for Users/EC2 to assume to access the Elasticsearch domain. Set it to `false` if you already manage access through other means."
+}
+
 variable "ingress_port_range_start" {
 type = number
 default = 0
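Review bot: With `create_elasticsearch_user_role = false` and an empty `iam_role_arns`, the `identifiers` list in this `principals` block (@@ -255) is empty even when `iam_authorizing_role_arns` is set, because its only other source, `aws_iam_role.elasticsearch_user[*].arn`, is now absent; unless the enclosing `statement` (outside the hunk) is also gated on `var.iam_role_arns`, the domain access policy is rendered with no principals, which the AWS provider is likely to reject at plan or apply time. In that same configuration `iam_authorizing_role_arns` appears to have no effect at all, since it only feeds the now-disabled `assume_role` document, and nothing tells the caller so. The new variable's description in variables.tf (@@ -10) could state the dependency, e.g. `When false, iam_authorizing_role_arns is ignored and access to the domain must be granted via iam_role_arns or managed outside this module.`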