From d2b79932946ccd8fa3b53322fd76a462f24dee8a Mon Sep 17 00:00:00 2001 From: twistedgrim Date: Tue, 11 Feb 2020 11:33:42 -0600 Subject: [PATCH 1/4] Terraform 0.12 upgrade --- .terraform-version | 1 + examples/basic_internet_endpoint.tf | 11 +- examples/basic_vpc_endpoint.tf | 17 ++- examples/full_example.tf | 21 ++-- main.tf | 173 +++++++++++++++++----------- outputs.tf | 9 +- tests/test1/main.tf | 4 + tests/test2/main.tf | 24 ++-- variables.tf | 57 ++++----- 9 files changed, 189 insertions(+), 128 deletions(-) create mode 100644 .terraform-version diff --git a/.terraform-version b/.terraform-version new file mode 100644 index 0000000..e392c3d --- /dev/null +++ b/.terraform-version @@ -0,0 +1 @@ +0.12.17 diff --git a/examples/basic_internet_endpoint.tf b/examples/basic_internet_endpoint.tf index 153406d..5ca1855 100644 --- a/examples/basic_internet_endpoint.tf +++ b/examples/basic_internet_endpoint.tf @@ -1,6 +1,11 @@ -#################################################### -# Basic Internet accessible Elasticsearch endpoint # -#################################################### +terraform { + required_version = ">= 0.12" +} + +provider "aws" { + version = "~> 2.2" + region = "us-west-2" +} module "es_internet" { source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-elasticsearch//?ref=v0.0.7" diff --git a/examples/basic_vpc_endpoint.tf b/examples/basic_vpc_endpoint.tf index 5d304f4..d05b27e 100644 --- a/examples/basic_vpc_endpoint.tf +++ b/examples/basic_vpc_endpoint.tf @@ -1,6 +1,11 @@ -############################################### -# Basic VPC accessible Elasticsearch endpoint # -############################################### +terraform { + required_version = ">= 0.12" +} + +provider "aws" { + version = "~> 2.2" + region = "us-west-2" +} module "vpc" { source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//?ref=v0.0.9" 
@@ -12,7 +17,7 @@ module "sg" { source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-security_group//?ref=v0.0.5" resource_name = "Test-SG" - vpc_id = "${module.vpc.vpc_id}" + vpc_id = module.vpc.vpc_id } module "es_vpc" { @@ -21,6 +26,6 @@ module "es_vpc" { name = "es-vpc-endpoint" vpc_enabled = true - security_groups = ["${module.sg.public_web_security_group_id}"] - subnets = ["${module.vpc.private_subnets}"] + security_groups = [module.sg.public_web_security_group_id] + subnets = [module.vpc.private_subnets] } diff --git a/examples/full_example.tf b/examples/full_example.tf index 1d9ad32..f26ba85 100644 --- a/examples/full_example.tf +++ b/examples/full_example.tf @@ -1,17 +1,22 @@ -######################################################### -# Customized Internet accessible Elasticsearch endpoint # -######################################################### +terraform { + required_version = ">= 0.12" +} + +provider "aws" { + version = "~> 2.2" + region = "us-west-2" +} data "aws_kms_alias" "es_kms" { name = "alias/aws/es" } module "internal_zone" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-route53_internal_zone//?ref=v.0.0.3" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-route53_internal_zone//?ref=v0.0.3" zone_name = "mycompany.local" environment = "Development" - target_vpc_id = "${module.vpc.vpc_id}" + target_vpc_id = module.vpc.vpc_id } module "es_all_options" { 
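Review bot: `security_groups = [module.sg.public_web_security_group_id]` in the `es_vpc` block attaches what its name suggests is a public, web-facing security group to a VPC-only Elasticsearch domain; the group's rules are not visible here, but if it admits 80/443 from 0.0.0.0/0 that is far wider than a domain reached only from inside the VPC needs, and this is the example people will copy. A dedicated group that allows only 443 from the VPC CIDR (or from the client instances' security groups) is the least-privilege shape — confirm the actual rules in the referenced security_group module before deciding. Separately, `subnets = [module.vpc.private_subnets]` wraps what is presumably already a list in another list; the same pattern is later corrected to `subnets = module.vpc.private_subnets` in tests/test2 by patch 3, but this example is not visibly updated in the patches shown.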
@@ -31,15 +36,15 @@ module "es_all_options" { encrypt_storage_enabled = true encrypt_traffic_enabled = true - encryption_kms_key = "${data.aws_kms_alias.es_kms.target_key_arn}" + encryption_kms_key = data.aws_kms_alias.es_kms.target_key_arn ebs_iops = "1000" ebs_size = "50" ebs_type = "io1" internal_record_name = "es-custom" - internal_zone_id = "${module.internal_zone.internal_hosted_name}" - internal_zone_name = "${module.internal_zone.internal_hosted_name}" + internal_zone_id = module.internal_zone.internal_hosted_name + internal_zone_name = module.internal_zone.internal_hosted_name logging_application_logs = true logging_index_slow_logs = true diff --git a/main.tf b/main.tf index 7ed23c0..f6f72a8 100644 --- a/main.tf +++ b/main.tf @@ -45,11 +45,15 @@ * ``` */ +terraform { + required_version = ">= 0.12" +} + locals { - tags { - Name = "${var.name}" + tags = { + Name = var.name ServiceProvider = "Rackspace" - Environment = "${var.environment}" + Environment = var.environment } policy_condition = { 
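Review bot: `internal_zone_id = module.internal_zone.internal_hosted_name` in examples/full_example.tf passes the zone's name where a hosted-zone ID is expected; the equivalent call in tests/test2 uses `module.internal_zone.internal_hosted_zone_id`, so the example as written would hand Route53 a name in place of an ID. The upgrade only dropped the interpolation quotes around the existing value, so the defect predates this commit but survives it. Change the line to `internal_zone_id = module.internal_zone.internal_hosted_zone_id`, assuming the referenced module exposes that output as the test relies on. The `es_all_options` module block begins before this hunk.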
@@ -57,33 +61,33 @@ locals { { test = "IpAddress" variable = "aws:SourceIp" - values = ["${var.ip_whitelist}"] + values = [var.ip_whitelist] }, ] - vpc = [] } vpc_configuration = { standard = [] - vpc = [ { - security_group_ids = ["${var.security_groups}"] - subnet_ids = ["${var.subnets}"] + security_group_ids = [var.security_groups] + subnet_ids = [var.subnets] }, ] } - vpc_lookup = "${var.vpc_enabled ? "vpc" : "standard"}" - enable_logging = "${var.logging_application_logs || var.logging_index_slow_logs || var.logging_search_slow_logs}" + vpc_lookup = var.vpc_enabled ? "vpc" : "standard" + enable_logging = var.logging_application_logs || var.logging_index_slow_logs || var.logging_search_slow_logs - za_subnet_count = "${length(var.subnets) >= 3 ? 3 : 2}" + za_subnet_count = length(var.subnets) >= 3 ? 3 : 2 } -data "aws_region" "current" {} +data "aws_region" "current" { +} -data "aws_caller_identity" "current" {} +data "aws_caller_identity" "current" { +} data "aws_iam_policy_document" "policy" { statement { 
@@ -96,31 +100,51 @@ data "aws_iam_policy_document" "policy" { type = "AWS" } - condition = "${local.policy_condition[local.vpc_lookup]}" + dynamic "condition" { + for_each = local.policy_condition[local.vpc_lookup] + content { + # TF-UPGRADE-TODO: The automatic upgrade tool can't predict + # which keys might be set in maps assigned here, so it has + # produced a comprehensive set here. Consider simplifying + # this after confirming which keys can be set in practice. + + test = condition.value.test + values = condition.value.values + variable = condition.value.variable + } + } } } resource "aws_iam_service_linked_role" "slr" { - count = "${var.create_service_linked_role ? 1 : 0}" + count = var.create_service_linked_role ? 1 : 0 aws_service_name = "es.amazonaws.com" } resource "aws_cloudwatch_log_group" "es" { - count = "${local.enable_logging ? 1 : 0}" + count = local.enable_logging ? 1 : 0 - name_prefix = "${var.name}" - retention_in_days = "${var.logging_retention}" - tags = "${merge(var.tags, local.tags)}" + name_prefix = var.name + retention_in_days = var.logging_retention + tags = merge(var.tags, local.tags) } data "aws_iam_policy_document" "es_cloudwatch_policy" { - count = "${local.enable_logging ? 1 : 0}" + count = local.enable_logging ? 1 : 0 statement { - actions = ["logs:PutLogEvents", "logs:CreateLogStream"] - effect = "Allow" - resources = ["${element(concat(aws_cloudwatch_log_group.es.*.arn, list("*")), 0)}"] + actions = ["logs:PutLogEvents", "logs:CreateLogStream"] + effect = "Allow" + # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to + # force an interpolation expression to be interpreted as a list by wrapping it + # in an extra set of list brackets. That form was supported for compatibility in + # v0.11, but is no longer supported in Terraform v0.12. + # + # If the expression in the following list itself returns a list, remove the + # brackets to avoid interpretation as a list of lists. 
If the expression + # returns a single list item then leave it as-is and remove this TODO comment. + resources = [element(concat(aws_cloudwatch_log_group.es.*.arn, ["*"]), 0)] principals { identifiers = ["es.amazonaws.com"] 
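Review bot: The new `aws_cloudwatch_log_group.es` resource sets `name_prefix`, `retention_in_days` and `tags` but no `kms_key_id`, so Elasticsearch application and slow logs — which carry index names and can include query text — land in a group protected only by CloudWatch's default encryption. Since the module already accepts `encryption_kms_key` for the domain's data, consider an additive `logging_kms_key_id` variable (type `string`, default `null`) passed as `kms_key_id = var.logging_kms_key_id`, so callers can keep log and data encryption under the same customer-managed key; with a `null` default nothing changes for existing callers. Whether the module contract should grow this knob is for the maintainers to confirm.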
@@ -130,85 +154,96 @@ data "aws_iam_policy_document" "es_cloudwatch_policy" { } resource "aws_cloudwatch_log_resource_policy" "es_cloudwatch_policy" { - count = "${local.enable_logging ? 1 : 0}" + count = local.enable_logging ? 1 : 0 - policy_document = "${element(data.aws_iam_policy_document.es_cloudwatch_policy.*.json, 0)}" + policy_document = element(data.aws_iam_policy_document.es_cloudwatch_policy.*.json, 0) policy_name = "Elasticsearch-Log-Access" } resource "aws_elasticsearch_domain" "es" { - access_policies = "${data.aws_iam_policy_document.policy.json}" + access_policies = data.aws_iam_policy_document.policy.json - advanced_options = [{ - "rest.action.multi.allow_explicit_index" = "true" - }] + advanced_options = [ + { + "rest.action.multi.allow_explicit_index" = "true" + }, + ] - domain_name = "${lower(var.name)}" - elasticsearch_version = "${var.elasticsearch_version}" + domain_name = lower(var.name) + elasticsearch_version = var.elasticsearch_version - snapshot_options = { - automated_snapshot_start_hour = "${var.snapshot_start_hour}" + snapshot_options { + automated_snapshot_start_hour = var.snapshot_start_hour } - tags = "${merge(var.tags, local.tags)}" - vpc_options = ["${local.vpc_configuration[local.vpc_lookup]}"] + tags = merge(var.tags, local.tags) + dynamic "vpc_options" { + for_each = [local.vpc_configuration[local.vpc_lookup]] + content { + # TF-UPGRADE-TODO: The automatic upgrade tool can't predict + # which keys might be set in maps assigned here, so it has + # produced a comprehensive set here. Consider simplifying + # this after confirming which keys can be set in practice. + + security_group_ids = lookup(vpc_options.value, "security_group_ids", null) + subnet_ids = lookup(vpc_options.value, "subnet_ids", null) + } + } cluster_config { - dedicated_master_count = "${var.master_node_count > 0 ? var.master_node_count : 0 }" - dedicated_master_enabled = "${var.master_node_count > 0}" - dedicated_master_type = "${var.master_node_count > 0 ? 
var.master_node_instance_type : "" }" - instance_count = "${var.data_node_count}" - instance_type = "${var.data_node_instance_type}" - zone_awareness_enabled = "${var.zone_awareness_enabled}" + dedicated_master_count = var.master_node_count > 0 ? var.master_node_count : 0 + dedicated_master_enabled = var.master_node_count > 0 + dedicated_master_type = var.master_node_count > 0 ? var.master_node_instance_type : "" + instance_count = var.data_node_count + instance_type = var.data_node_instance_type + zone_awareness_enabled = var.zone_awareness_enabled zone_awareness_config { - availability_zone_count = "${var.zone_awareness_enabled == "false" ? 2 : local.za_subnet_count}" + availability_zone_count = var.zone_awareness_enabled == "false" ? 2 : local.za_subnet_count } } ebs_options { ebs_enabled = true - iops = "${lower(var.ebs_type) == "io1" ? var.ebs_iops : 0}" - volume_size = "${var.ebs_size}" - volume_type = "${lower(var.ebs_type)}" + iops = lower(var.ebs_type) == "io1" ? var.ebs_iops : 0 + volume_size = var.ebs_size + volume_type = lower(var.ebs_type) } encrypt_at_rest { - enabled = "${var.encrypt_storage_enabled}" - kms_key_id = "${var.encryption_kms_key}" + enabled = var.encrypt_storage_enabled + kms_key_id = var.encryption_kms_key } node_to_node_encryption { - enabled = "${var.encrypt_traffic_enabled}" + enabled = var.encrypt_traffic_enabled } - log_publishing_options = [ - { - log_type = "INDEX_SLOW_LOGS" - cloudwatch_log_group_arn = "${element(concat(aws_cloudwatch_log_group.es.*.arn, list("")), 0)}" - enabled = "${var.logging_index_slow_logs}" - }, - { - log_type = "SEARCH_SLOW_LOGS" - cloudwatch_log_group_arn = "${element(concat(aws_cloudwatch_log_group.es.*.arn, list("")), 0)}" - enabled = "${var.logging_search_slow_logs}" - }, - { - log_type = "ES_APPLICATION_LOGS" - cloudwatch_log_group_arn = "${element(concat(aws_cloudwatch_log_group.es.*.arn, list("")), 0)}" - enabled = "${var.logging_application_logs}" - }, - ] + log_publishing_options { + log_type = 
"INDEX_SLOW_LOGS" + cloudwatch_log_group_arn = element(concat(aws_cloudwatch_log_group.es.*.arn, [""]), 0) + enabled = var.logging_index_slow_logs + } + log_publishing_options { + log_type = "SEARCH_SLOW_LOGS" + cloudwatch_log_group_arn = element(concat(aws_cloudwatch_log_group.es.*.arn, [""]), 0) + enabled = var.logging_search_slow_logs + } + log_publishing_options { + log_type = "ES_APPLICATION_LOGS" + cloudwatch_log_group_arn = element(concat(aws_cloudwatch_log_group.es.*.arn, [""]), 0) + enabled = var.logging_application_logs + } - depends_on = ["aws_iam_service_linked_role.slr"] + depends_on = [aws_iam_service_linked_role.slr] } resource "aws_route53_record" "zone_record_alias" { - count = "${var.internal_record_name != "" ? 1 : 0}" + count = var.internal_record_name != "" ? 1 : 0 name = "${var.internal_record_name}.${var.internal_zone_name}" ttl = "300" type = "CNAME" - zone_id = "${var.internal_zone_id}" - records = ["${aws_elasticsearch_domain.es.endpoint}"] + zone_id = var.internal_zone_id + records = [aws_elasticsearch_domain.es.endpoint] } diff --git a/outputs.tf b/outputs.tf index 4dfaedd..ac94558 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,19 +1,20 @@ output "arn" { description = "The ARN for the Elasticsearch cluster" - value = "${aws_elasticsearch_domain.es.arn}" + value = aws_elasticsearch_domain.es.arn } output "log_group_arn" { description = "The ARN for the CloudWatch Log group for this Elasticsearch Cluster" - value = "${aws_cloudwatch_log_group.es.*.arn}" + value = aws_cloudwatch_log_group.es.*.arn } output "endpoint" { description = "The endpoint for the Elasticsearch cluster" - value = "${aws_elasticsearch_domain.es.endpoint}" + value = aws_elasticsearch_domain.es.endpoint } output "kibana_endpoint" { description = "The kibana endpoint for the Elasticsearch cluster" - value = "${aws_elasticsearch_domain.es.kibana_endpoint}" + value = aws_elasticsearch_domain.es.kibana_endpoint } + 
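Review bot: `node_to_node_encryption` is the only transport control in the new `aws_elasticsearch_domain.es` block; there is no `domain_endpoint_options`, so the domain endpoint will still accept plaintext HTTP from clients even when `encrypt_traffic_enabled` is true, which matters most in the non-VPC, IP-whitelisted mode where the endpoint is internet-reachable. Consider adding the block below behind a new `enforce_https` variable (declared in variables.tf, default `true` if in-place enablement is acceptable), and note that `domain_endpoint_options` only exists in AWS provider releases newer than the `>= 2.1.0` floor this series sets, so the constraint would have to move with it — verify the exact release. Also in this hunk, `aws_cloudwatch_log_resource_policy.es_cloudwatch_policy` keeps the hard-coded `policy_name = "Elasticsearch-Log-Access"`; CloudWatch Logs resource policies are account-scoped and the API upserts by name, so a second instance of this module in the same account and region would overwrite the first one's policy and silently break its log delivery — deriving the name from `var.name` avoids that at the cost of a one-time replacement.
```hcl
  # … unchanged: access_policies, advanced_options, domain_name, elasticsearch_version, snapshot_options, tags, vpc_options …

  domain_endpoint_options {
    enforce_https       = var.enforce_https
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  # … unchanged: cluster_config, ebs_options, encrypt_at_rest, node_to_node_encryption, log_publishing_options, depends_on …
```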
diff --git a/tests/test1/main.tf b/tests/test1/main.tf index 144bc9f..3a549bc 100644 --- a/tests/test1/main.tf +++ b/tests/test1/main.tf @@ -1,3 +1,7 @@ +terraform { + required_version = ">= 0.12" +} + provider "aws" { version = "~> 2.2" region = "us-west-2" diff --git a/tests/test2/main.tf b/tests/test2/main.tf index 26509eb..cb169dd 100644 --- a/tests/test2/main.tf +++ b/tests/test2/main.tf @@ -1,3 +1,7 @@ +terraform { + required_version = ">= 0.12" +} + provider "aws" { version = "~> 2.2" region = "us-west-2" @@ -12,7 +16,7 @@ resource "random_string" "r_string" { } module "vpc" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork?ref=master" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//?ref=master" az_count = "3" vpc_name = "ES-VPC-${random_string.r_string.result}" } @@ -21,7 +25,7 @@ module "sg" { source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-security_group?ref=master" resource_name = "ES-VPC-SG-${random_string.r_string.result}" - vpc_id = "${module.vpc.vpc_id}" + vpc_id = module.vpc.vpc_id } #################################################### @@ -34,8 +38,8 @@ module "es_vpc" { name = "es-vpc-endpoint-${random_string.r_string.result}" vpc_enabled = true - security_groups = ["${module.sg.public_web_security_group_id}"] - subnets = ["${module.vpc.private_subnets}"] + security_groups = [module.sg.public_web_security_group_id] + subnets = [module.vpc.private_subnets] } ############################################# 
@@ -47,11 +51,11 @@ data "aws_kms_alias" "es_kms" { } module "internal_zone" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-route53_internal_zone?ref=master" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-route53_internal_zone?ref=tf_v0.11" zone_name = "mycompany-${random_string.r_string.result}.local" environment = "Development" - target_vpc_id = "${module.vpc.vpc_id}" + target_vpc_id = module.vpc.vpc_id } module "es_all_options" { @@ -63,7 +67,7 @@ module "es_all_options" { elasticsearch_version = "7.1" environment = "Development" - subnets = ["${module.vpc.private_subnets}"] + subnets = [module.vpc.private_subnets] data_node_count = "6" data_node_instance_type = "m5.large.elasticsearch" @@ -72,15 +76,15 @@ module "es_all_options" { encrypt_storage_enabled = true encrypt_traffic_enabled = true - encryption_kms_key = "${data.aws_kms_alias.es_kms.target_key_arn}" + encryption_kms_key = data.aws_kms_alias.es_kms.target_key_arn ebs_iops = "1000" ebs_size = "35" ebs_type = "io1" internal_record_name = "es-custom" - internal_zone_id = "${module.internal_zone.internal_hosted_zone_id}" - internal_zone_name = "${module.internal_zone.internal_hosted_name}" + internal_zone_id = module.internal_zone.internal_hosted_zone_id + internal_zone_name = module.internal_zone.internal_hosted_name logging_application_logs = true logging_index_slow_logs = true diff --git a/variables.tf b/variables.tf index 855c73c..1fa2d15 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,166 +1,167 @@ variable "name" { description = "The desired name for the Elasticsearch domain." - type = "string" + type = string } variable "create_service_linked_role" { description = "A boolean value to determine if the ElasticSearch Service Linked Role should be created. This should only be set to true if the Service Linked Role is not already present." - type = "string" + type = string default = false } variable "data_node_count" { description = "Number of data nodes in the Elasticsearch cluster. If using Zone Awareness this must be a multiple of the number of subnets being used, e.g. 2, 4, 6, etc. for 2 subnets or 3, 6, 9, etc. for 3 subnets." - type = "string" + type = string default = 6 } variable "data_node_instance_type" { description = "Select data node instance type. See https://aws.amazon.com/elasticsearch-service/pricing/ for supported instance types." - type = "string" + type = string default = "m5.large.elasticsearch" } variable "ebs_iops" { description = "The number of I/O operations per second (IOPS) that the volume supports." - type = "string" + type = string default = 0 } variable "ebs_size" { description = "The size of the EBS volume for each data node." - type = "string" + type = string default = 35 } variable "ebs_type" { description = "The EBS volume type to use with the Amazon ES domain, such as standard, gp2, or io1." - type = "string" + type = string default = "gp2" } variable "elasticsearch_version" { description = "Elasticsearch Version." - type = "string" + type = string default = "7.1" } variable "encrypt_storage_enabled" { description = "A boolean value to determine if encryption at rest is enabled for the Elasticsearch cluster. Version must be at least 5.1." - type = "string" + type = string default = false } variable "encrypt_traffic_enabled" { description = "A boolean value to determine if encryption for node-to-node traffic is enabled for the Elasticsearch cluster. Version must be at least 6.0." 
- type = "string" + type = string default = false } variable "encryption_kms_key" { description = "The KMS key to use for encryption at rest on the Elasticsearch cluster.If omitted and encryption at rest is enabled, the aws/es KMS key is used." - type = "string" + type = string default = "" } variable "environment" { description = "Application environment for which this network is being created. Preferred value are Development, Integration, PreProduction, Production, QA, Staging, or Test" - type = "string" + type = string default = "Development" } variable "internal_record_name" { description = "Record Name for the new Resource Record in the Internal Hosted Zone" - type = "string" + type = string default = "" } variable "internal_zone_id" { description = "The Route53 Internal Hosted Zone ID" - type = "string" + type = string default = "" } variable "internal_zone_name" { description = "TLD for Internal Hosted Zone" - type = "string" + type = string default = "" } variable "ip_whitelist" { description = "IP Addresses allowed to access the ElasticSearch Cluster. Should be supplied if Elasticsearch cluster is not VPC enabled." - type = "list" + type = list(string) default = ["127.0.0.1"] } variable "logging_application_logs" { description = "A boolean value to determine if logging is enabled for ES_APPLICATION_LOGS." - type = "string" + type = string default = false } variable "logging_index_slow_logs" { description = "A boolean value to determine if logging is enabled for INDEX_SLOW_LOGS." - type = "string" + type = string default = false } variable "logging_retention" { description = "The number of days to retain Cloudwatch Logs for the Elasticsearch cluster." - type = "string" + type = string default = "30" } variable "logging_search_slow_logs" { description = "A boolean value to determine if logging is enabled for SEARCH_SLOW_LOGS." 
- type = "string" + type = string default = false } variable "master_node_count" { description = "Number of master nodes in the Elasticsearch cluster. Allowed values are 0, 3 or 5." - type = "string" + type = string default = 3 } variable "master_node_instance_type" { description = "Select master node instance type. See https://aws.amazon.com/elasticsearch-service/pricing/ for supported instance types." - type = "string" + type = string default = "m5.large.elasticsearch" } variable "security_groups" { description = "A list of EC2 security groups to assign to the Elasticsearch cluster. Ignored if Elasticsearch cluster is not VPC enabled." - type = "list" + type = list(string) default = [] } variable "snapshot_start_hour" { description = "The hour (0-23) to issue a daily snapshot of Elasticsearch cluster." - type = "string" + type = string default = 0 } variable "subnets" { description = "Subnets for Elasticsearch cluster. Ignored if Elasticsearch cluster is not VPC enabled. If not using Zone Awareness this should be a list of one subnet." - type = "list" + type = list(string) default = [] } variable "tags" { description = "Additional tags to be added to the Elasticsearch cluster." - type = "map" + type = map(string) default = {} } variable "vpc_enabled" { description = "A boolean value to determine if the Elasticsearch cluster is VPC enabled." - type = "string" + type = string default = false } variable "zone_awareness_enabled" { description = "A boolean value to determine if Zone Awareness is enabled. The number of data nodes must be even if this is `true`." - type = "string" + type = string default = "true" } + From 6939eec706abbb7b7cc897e1bb7bf005b0ef7fc1 Mon Sep 17 00:00:00 2001 From: twistedgrim Date: Tue, 11 Feb 2020 11:34:47 -0600 Subject: [PATCH 2/4] Set minimum AWS provider version --- main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/main.tf b/main.tf index f6f72a8..637ffa9 100644 --- a/main.tf +++ b/main.tf 
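Review bot: Every boolean-shaped input in this hunk — `create_service_linked_role`, `encrypt_storage_enabled`, `encrypt_traffic_enabled`, the three `logging_*` flags, `vpc_enabled`, `zone_awareness_enabled` — is still declared `type = string` with a `false` or `"true"` default, even though the series makes 0.12 the floor; declaring them `type = bool` lets Terraform reject `"yes"` or `"1"` at plan time instead of coercing it, and the `var.zone_awareness_enabled == "false"` comparison in main.tf would then need to become `!var.zone_awareness_enabled` since a bool never equals a string. Keep each current default when converting. The descriptions of `encrypt_storage_enabled` and `encrypt_traffic_enabled` would also benefit from stating that the default `elasticsearch_version` of 7.1 satisfies both version floors, so callers understand the insecure default is a choice rather than a constraint; if it is the case that encryption at rest cannot be turned on in place (I believe it forces replacement — confirm), say so there too.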
@@ -47,6 +47,10 @@ terraform { required_version = ">= 0.12" + + required_providers { + aws = ">= 2.1.0" + } } locals { From 5920f46b6b233a3ea7bf57ca4b1aacda761b7a18 Mon Sep 17 00:00:00 2001 From: twistedgrim Date: Wed, 12 Feb 2020 08:17:14 -0600 Subject: [PATCH 3/4] Correct conversion errors --- main.tf | 51 +++++++++++++-------------------------------- tests/test2/main.tf | 18 ++++++++-------- 2 files changed, 24 insertions(+), 45 deletions(-) diff --git a/main.tf b/main.tf index 637ffa9..450d96a 100644 --- a/main.tf +++ b/main.tf @@ -34,7 +34,7 @@ * ## Limitation * * Terraform does not create the IAM Service Linked Role for ElasticSearch automatically. If this role is not present on an account, the `create_service_linked_role` parameter should be set to true for the first ElasticSearch instance. This will create the required role. This option should not be set to true on more than a single deployment per account, or it will result in a naming conflict. If the role is not present an error similar to the following would result: - * + * Error creating ElasticSearch domain: ValidationException: Before you can proceed, you must enable a service-linked role to give Amazon ES permissions to access your VPC. * ``` * 1 error(s) occurred: * @@ -61,13 +61,11 @@ locals { } policy_condition = { - standard = [ - { - test = "IpAddress" - variable = "aws:SourceIp" - values = [var.ip_whitelist] - }, - ] + standard = [{ + test = "IpAddress" + variable = "aws:SourceIp" + values = var.ip_whitelist + }] vpc = [] } @@ -75,8 +73,8 @@ locals { standard = [] vpc = [ { - security_group_ids = [var.security_groups] - subnet_ids = [var.subnets] + security_group_ids = var.security_groups + subnet_ids = var.subnets }, ] } @@ -94,6 +92,7 @@ data "aws_caller_identity" "current" { } data "aws_iam_policy_document" "policy" { + statement { actions = ["es:*"] effect = "Allow" 
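Review bot: `required_providers { aws = ">= 2.1.0" }` sets only a floor: the examples and tests in this series pin `~> 2.2`, and the README table added in patch 4 states `>= 2.2.0`, so the three disagree and none of them caps the major version — a future aws provider 3.x with its own breaking changes would satisfy the module's own constraint. Align on one value, and `aws = "~> 2.2"` is the one the tests actually exercise; if any argument main.tf relies on appeared later than 2.2, raise the floor to the oldest release that provides every argument used rather than to the first 0.12-compatible one.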
@@ -107,11 +106,6 @@ data "aws_iam_policy_document" "policy" { dynamic "condition" { for_each = local.policy_condition[local.vpc_lookup] content { - # TF-UPGRADE-TODO: The automatic upgrade tool can't predict - # which keys might be set in maps assigned here, so it has - # produced a comprehensive set here. Consider simplifying - # this after confirming which keys can be set in practice. - test = condition.value.test values = condition.value.values variable = condition.value.variable @@ -138,16 +132,8 @@ data "aws_iam_policy_document" "es_cloudwatch_policy" { count = local.enable_logging ? 1 : 0 statement { - actions = ["logs:PutLogEvents", "logs:CreateLogStream"] - effect = "Allow" - # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to - # force an interpolation expression to be interpreted as a list by wrapping it - # in an extra set of list brackets. That form was supported for compatibility in - # v0.11, but is no longer supported in Terraform v0.12. - # - # If the expression in the following list itself returns a list, remove the - # brackets to avoid interpretation as a list of lists. If the expression - # returns a single list item then leave it as-is and remove this TODO comment. + actions = ["logs:PutLogEvents", "logs:CreateLogStream"] + effect = "Allow" resources = [element(concat(aws_cloudwatch_log_group.es.*.arn, ["*"]), 0)] principals { @@ -167,11 +153,9 @@ resource "aws_cloudwatch_log_resource_policy" "es_cloudwatch_policy" { resource "aws_elasticsearch_domain" "es" { access_policies = data.aws_iam_policy_document.policy.json - advanced_options = [ - { - "rest.action.multi.allow_explicit_index" = "true" - }, - ] + advanced_options = { + "rest.action.multi.allow_explicit_index" = "true" + } domain_name = lower(var.name) elasticsearch_version = var.elasticsearch_version 
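Review bot: `resources = [element(concat(aws_cloudwatch_log_group.es.*.arn, ["*"]), 0)]` survives the cleanup in this hunk with its `"*"` fallback intact: if the ARN list were ever empty, the resource policy would let `es.amazonaws.com` create streams and put events in every log group in the account. Both this data source and the log group are gated by the same `local.enable_logging` count, so the fallback should be unreachable and is only a latent over-grant, but `resources = aws_cloudwatch_log_group.es.*.arn` states the intent without it and cannot widen. The statement's `principals` block and closing lines continue past the end of this hunk.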
@@ -182,13 +166,8 @@ resource "aws_elasticsearch_domain" "es" { tags = merge(var.tags, local.tags) dynamic "vpc_options" { - for_each = [local.vpc_configuration[local.vpc_lookup]] + for_each = local.vpc_configuration[local.vpc_lookup] content { - # TF-UPGRADE-TODO: The automatic upgrade tool can't predict - # which keys might be set in maps assigned here, so it has - # produced a comprehensive set here. Consider simplifying - # this after confirming which keys can be set in practice. - security_group_ids = lookup(vpc_options.value, "security_group_ids", null) subnet_ids = lookup(vpc_options.value, "subnet_ids", null) } diff --git a/tests/test2/main.tf b/tests/test2/main.tf index cb169dd..1f7f23b 100644 --- a/tests/test2/main.tf +++ b/tests/test2/main.tf @@ -18,14 +18,14 @@ resource "random_string" "r_string" { module "vpc" { source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//?ref=master" az_count = "3" - vpc_name = "ES-VPC-${random_string.r_string.result}" + name = "ES-VPC-${random_string.r_string.result}" } module "sg" { source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-security_group?ref=master" - resource_name = "ES-VPC-SG-${random_string.r_string.result}" - vpc_id = module.vpc.vpc_id + name = "ES-VPC-SG-${random_string.r_string.result}" + vpc_id = module.vpc.vpc_id } #################################################### @@ -39,7 +39,7 @@ module "es_vpc" { vpc_enabled = true security_groups = [module.sg.public_web_security_group_id] - subnets = [module.vpc.private_subnets] + subnets = module.vpc.private_subnets } ############################################# 
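Review bot: With `for_each = local.vpc_configuration[local.vpc_lookup]` now iterating the list of maps directly, the `lookup(vpc_options.value, "security_group_ids", null)` and `lookup(vpc_options.value, "subnet_ids", null)` forms are leftovers from the upgrade tool: both keys are always present in `local.vpc_configuration.vpc`, so `security_group_ids = vpc_options.value.security_group_ids` and `subnet_ids = vpc_options.value.subnet_ids` express the same thing and fail loudly on a future key rename instead of quietly passing `null`. The `aws_elasticsearch_domain.es` resource begins and ends outside this hunk.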
@@ -51,11 +51,11 @@ data "aws_kms_alias" "es_kms" { } module "internal_zone" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-route53_internal_zone?ref=tf_v0.11" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-route53_internal_zone?ref=master" - zone_name = "mycompany-${random_string.r_string.result}.local" - environment = "Development" - target_vpc_id = module.vpc.vpc_id + name = "mycompany-${random_string.r_string.result}.local" + environment = "Development" + vpc_id = module.vpc.vpc_id } module "es_all_options" { @@ -67,7 +67,7 @@ module "es_all_options" { elasticsearch_version = "7.1" environment = "Development" - subnets = [module.vpc.private_subnets] + subnets = module.vpc.private_subnets data_node_count = "6" data_node_instance_type = "m5.large.elasticsearch" From d0cf3d5eac55df6a6079d2841d736e3172ead090 Mon Sep 17 00:00:00 2001 From: twistedgrim Date: Thu, 13 Feb 2020 11:29:47 -0600 Subject: [PATCH 4/4] Update and reorder vars,params,outputs and examples and tests --- README.md | 68 ++++++++++++++++------------- examples/basic_internet_endpoint.tf | 6 +-- examples/basic_vpc_endpoint.tf | 17 ++++---- examples/full_example.tf | 67 ++++++++++++---------------- main.tf | 60 ++++++++++++------------- outputs.tf | 9 ++-- tests/test1/main.tf | 6 +-- tests/test2/main.tf | 63 ++++++++++++-------------- variables.tf | 43 +++++++++--------- 9 files changed, 163 insertions(+), 176 deletions(-) diff --git a/README.md b/README.md index b8cf797..31e7931 100644 --- a/README.md +++ b/README.md 
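Review bot: The `internal_zone` source moves from the pinned `?ref=tf_v0.11` back to `?ref=master`, joining the `vpc` and `sg` modules in tests/test2 that already float on `master`; anyone who can push to those repositories' default branch can then change what these tests deploy, and a green run today says nothing about tomorrow. Pin each `source` to a release tag or full commit SHA — the examples already use `?ref=v0.0.x` tags — and bump deliberately; if `master` is intentional while the 0.12 work lands across repositories, say so in a comment beside the line so the pin is restored afterwards.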
@@ -32,8 +32,8 @@ Full working references are available at [examples](examples) ## Limitation -Terraform does not create the IAM Service Linked Role for ElasticSearch automatically. If this role is not present on an account, the `create_service_linked_role` parameter should be set to true for the first ElasticSearch instance. This will create the required role. This option should not be set to true on more than a single deployment per account, or it will result in a naming conflict. If the role is not present an error similar to the following would result: - +Terraform does not create the IAM Service Linked Role for ElasticSearch automatically. If this role is not present on an account, the `create_service_linked_role` parameter should be set to true for the first ElasticSearch instance. This will create the required role. This option should not be set to true on more than a single deployment per account, or it will result in a naming conflict. If the role is not present an error similar to the following would result: +Error creating ElasticSearch domain: ValidationException: Before you can proceed, you must enable a service-linked role to give Amazon ES permissions to access your VPC. ``` 1 error(s) occurred: 
@@ -43,38 +43,44 @@ Terraform does not create the IAM Service Linked Role for ElasticSearch automati status code: 404, request id: 5a1614d2-1e64-11e9-a87e-3149d48d2026 ``` +## Providers + +| Name | Version | +|------|---------| +| aws | >= 2.2.0 | + ## Inputs | Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| create\_service\_linked\_role | A boolean value to determine if the ElasticSearch Service Linked Role should be created. This should only be set to true if the Service Linked Role is not already present. | string | `"false"` | no | -| data\_node\_count | Number of data nodes in the Elasticsearch cluster. If using Zone Awareness this must be a multiple of the number of subnets being used, e.g. 2, 4, 6, etc. for 2 subnets or 3, 6, 9, etc. for 3 subnets. | string | `"6"` | no | -| data\_node\_instance\_type | Select data node instance type. See https://aws.amazon.com/elasticsearch-service/pricing/ for supported instance types. | string | `"m5.large.elasticsearch"` | no | -| ebs\_iops | The number of I/O operations per second (IOPS) that the volume supports. | string | `"0"` | no | -| ebs\_size | The size of the EBS volume for each data node. | string | `"35"` | no | -| ebs\_type | The EBS volume type to use with the Amazon ES domain, such as standard, gp2, or io1. | string | `"gp2"` | no | -| elasticsearch\_version | Elasticsearch Version. | string | `"7.1"` | no | -| encrypt\_storage\_enabled | A boolean value to determine if encryption at rest is enabled for the Elasticsearch cluster. Version must be at least 5.1. | string | `"false"` | no | -| encrypt\_traffic\_enabled | A boolean value to determine if encryption for node-to-node traffic is enabled for the Elasticsearch cluster. Version must be at least 6.0. | string | `"false"` | no | -| encryption\_kms\_key | The KMS key to use for encryption at rest on the Elasticsearch cluster.If omitted and encryption at rest is enabled, the aws/es KMS key is used. 
| string | `""` | no | -| environment | Application environment for which this network is being created. Preferred value are Development, Integration, PreProduction, Production, QA, Staging, or Test | string | `"Development"` | no | -| internal\_record\_name | Record Name for the new Resource Record in the Internal Hosted Zone | string | `""` | no | -| internal\_zone\_id | The Route53 Internal Hosted Zone ID | string | `""` | no | -| internal\_zone\_name | TLD for Internal Hosted Zone | string | `""` | no | -| ip\_whitelist | IP Addresses allowed to access the ElasticSearch Cluster. Should be supplied if Elasticsearch cluster is not VPC enabled. | list | `` | no | -| logging\_application\_logs | A boolean value to determine if logging is enabled for ES_APPLICATION_LOGS. | string | `"false"` | no | -| logging\_index\_slow\_logs | A boolean value to determine if logging is enabled for INDEX_SLOW_LOGS. | string | `"false"` | no | -| logging\_retention | The number of days to retain Cloudwatch Logs for the Elasticsearch cluster. | string | `"30"` | no | -| logging\_search\_slow\_logs | A boolean value to determine if logging is enabled for SEARCH_SLOW_LOGS. | string | `"false"` | no | -| master\_node\_count | Number of master nodes in the Elasticsearch cluster. Allowed values are 0, 3 or 5. | string | `"3"` | no | -| master\_node\_instance\_type | Select master node instance type. See https://aws.amazon.com/elasticsearch-service/pricing/ for supported instance types. | string | `"m5.large.elasticsearch"` | no | -| name | The desired name for the Elasticsearch domain. | string | n/a | yes | -| security\_groups | A list of EC2 security groups to assign to the Elasticsearch cluster. Ignored if Elasticsearch cluster is not VPC enabled. | list | `` | no | -| snapshot\_start\_hour | The hour (0-23) to issue a daily snapshot of Elasticsearch cluster. | string | `"0"` | no | -| subnets | Subnets for Elasticsearch cluster. Ignored if Elasticsearch cluster is not VPC enabled. 
If not using Zone Awareness this should be a list of one subnet. | list | `` | no | -| tags | Additional tags to be added to the Elasticsearch cluster. | map | `` | no | -| vpc\_enabled | A boolean value to determine if the Elasticsearch cluster is VPC enabled. | string | `"false"` | no | -| zone\_awareness\_enabled | A boolean value to determine if Zone Awareness is enabled. The number of data nodes must be even if this is `true`. | string | `"true"` | no | +|------|-------------|------|---------|:-----:| +| create\_service\_linked\_role | A boolean value to determine if the ElasticSearch Service Linked Role should be created. This should only be set to true if the Service Linked Role is not already present. | `bool` | `false` | no | +| data\_node\_count | Number of data nodes in the Elasticsearch cluster. If using Zone Awareness this must be a multiple of the number of subnets being used, e.g. 2, 4, 6, etc. for 2 subnets or 3, 6, 9, etc. for 3 subnets. | `number` | `6` | no | +| data\_node\_instance\_type | Select data node instance type. See https://aws.amazon.com/elasticsearch-service/pricing/ for supported instance types. | `string` | `"m5.large.elasticsearch"` | no | +| ebs\_iops | The number of I/O operations per second (IOPS) that the volume supports. | `number` | `0` | no | +| ebs\_size | The size of the EBS volume for each data node. | `number` | `35` | no | +| ebs\_type | The EBS volume type to use with the Amazon ES domain, such as standard, gp2, or io1. | `string` | `"gp2"` | no | +| elasticsearch\_version | Elasticsearch Version. | `string` | `"7.1"` | no | +| encrypt\_storage\_enabled | A boolean value to determine if encryption at rest is enabled for the Elasticsearch cluster. Version must be at least 5.1. | `bool` | `false` | no | +| encrypt\_traffic\_enabled | A boolean value to determine if encryption for node-to-node traffic is enabled for the Elasticsearch cluster. Version must be at least 6.0. 
| `bool` | `false` | no | +| encryption\_kms\_key | The KMS key to use for encryption at rest on the Elasticsearch cluster.If omitted and encryption at rest is enabled, the aws/es KMS key is used. | `string` | `""` | no | +| environment | Application environment for which this network is being created. Preferred value are Development, Integration, PreProduction, Production, QA, Staging, or Test | `string` | `"Development"` | no | +| internal\_record\_name | Record Name for the new Resource Record in the Internal Hosted Zone | `string` | `""` | no | +| internal\_zone\_id | The Route53 Internal Hosted Zone ID | `string` | `""` | no | +| internal\_zone\_name | TLD for Internal Hosted Zone | `string` | `""` | no | +| ip\_whitelist | IP Addresses allowed to access the ElasticSearch Cluster. Should be supplied if Elasticsearch cluster is not VPC enabled. | `list(string)` |
[
"127.0.0.1"
]
| no | +| logging\_application\_logs | A boolean value to determine if logging is enabled for ES\_APPLICATION\_LOGS. | `bool` | `false` | no | +| logging\_index\_slow\_logs | A boolean value to determine if logging is enabled for INDEX\_SLOW\_LOGS. | `bool` | `false` | no | +| logging\_retention | The number of days to retain Cloudwatch Logs for the Elasticsearch cluster. | `number` | `30` | no | +| logging\_search\_slow\_logs | A boolean value to determine if logging is enabled for SEARCH\_SLOW\_LOGS. | `bool` | `false` | no | +| master\_node\_count | Number of master nodes in the Elasticsearch cluster. Allowed values are 0, 3 or 5. | `number` | `3` | no | +| master\_node\_instance\_type | Select master node instance type. See https://aws.amazon.com/elasticsearch-service/pricing/ for supported instance types. | `string` | `"m5.large.elasticsearch"` | no | +| name | The desired name for the Elasticsearch domain. | `string` | n/a | yes | +| security\_groups | A list of EC2 security groups to assign to the Elasticsearch cluster. Ignored if Elasticsearch cluster is not VPC enabled. | `list(string)` | `[]` | no | +| snapshot\_start\_hour | The hour (0-23) to issue a daily snapshot of Elasticsearch cluster. | `number` | `0` | no | +| subnets | Subnets for Elasticsearch cluster. Ignored if Elasticsearch cluster is not VPC enabled. If not using Zone Awareness this should be a list of one subnet. | `list(string)` | `[]` | no | +| tags | Additional tags to be added to the Elasticsearch cluster. | `map(string)` | `{}` | no | +| vpc\_enabled | A boolean value to determine if the Elasticsearch cluster is VPC enabled. | `bool` | `false` | no | +| zone\_awareness\_enabled | A boolean value to determine if Zone Awareness is enabled. The number of data nodes must be even if this is `true`. | `bool` | `true` | no | ## Outputs diff --git a/examples/basic_internet_endpoint.tf b/examples/basic_internet_endpoint.tf index 5ca1855..a890179 100644 --- a/examples/basic_internet_endpoint.tf 
+++ b/examples/basic_internet_endpoint.tf @@ -3,13 +3,13 @@ terraform { } provider "aws" { - version = "~> 2.2" region = "us-west-2" + version = "~> 2.2" } module "es_internet" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-elasticsearch//?ref=v0.0.7" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-elasticsearch//?ref=v0.12.0" - name = "es-internet-endpoint" ip_whitelist = ["1.2.3.4"] + name = "es-internet-endpoint" } diff --git a/examples/basic_vpc_endpoint.tf b/examples/basic_vpc_endpoint.tf index d05b27e..683d288 100644 --- a/examples/basic_vpc_endpoint.tf +++ b/examples/basic_vpc_endpoint.tf @@ -3,29 +3,28 @@ terraform { } provider "aws" { - version = "~> 2.2" region = "us-west-2" + version = "~> 2.2" } module "vpc" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//?ref=v0.0.9" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//?ref=v0.12.0" - vpc_name = "Test1VPC" + name = "Test1VPC" } module "sg" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-security_group//?ref=v0.0.5" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-security_group//?ref=v0.12.0" resource_name = "Test-SG" vpc_id = module.vpc.vpc_id } module "es_vpc" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-elasticsearch//?ref=v0.0.7" - - name = "es-vpc-endpoint" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-elasticsearch//?ref=v0.12.0" - vpc_enabled = true + name = "es-vpc-endpoint" security_groups = [module.sg.public_web_security_group_id] - subnets = [module.vpc.private_subnets] + subnets = module.vpc.private_subnets + vpc_enabled = true } diff --git a/examples/full_example.tf b/examples/full_example.tf index f26ba85..717cc3f 100644 --- a/examples/full_example.tf +++ b/examples/full_example.tf 
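Review bot: In `module "es_vpc"`, `security_groups = [module.sg.public_web_security_group_id]` attaches what the output name suggests is a public web-facing group (presumably 80/443 from anywhere — the rule set lives in the upstream module and is not visible here) to a domain placed in `module.vpc.private_subnets`. For a VPC domain that group is the only network control, because the module's `policy_condition.vpc` local in main.tf is empty and the access policy carries no IP condition, so the example should use a group that allows 443 only from the VPC's client subnets or a client security group. At minimum a comment on that line, such as `# NOTE: use a security group that allows 443 only from your clients; a public-web group admits everything its ingress rules allow`, would stop the example being copied as-is. The same output is reused in tests/test2/main.tf.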
@@ -3,8 +3,8 @@ terraform { } provider "aws" { - version = "~> 2.2" region = "us-west-2" + version = "~> 2.2" } data "aws_kms_alias" "es_kms" { 
@@ -12,50 +12,41 @@ data "aws_kms_alias" "es_kms" { } module "internal_zone" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-route53_internal_zone//?ref=v0.0.3" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-route53_internal_zone//?ref=v0.12.0" - zone_name = "mycompany.local" - environment = "Development" - target_vpc_id = module.vpc.vpc_id + environment = "Development" + name = "mycompany.local" + vpc_id = module.vpc.vpc_id } module "es_all_options" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-elasticsearch//?ref=v0.0.7" - - name = "es-custom" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-elasticsearch//?ref=v0.12.0" - ip_whitelist = ["1.2.3.4"] - - elasticsearch_version = "7.1" - environment = "Production" - - data_node_count = "8" + data_node_count = 8 data_node_instance_type = "r4.large.elasticsearch" - master_node_count = "5" + ebs_iops = 1000 + ebs_size = 50 + ebs_type = "io1" + elasticsearch_version = "7.1" + encrypt_storage_enabled = true + encrypt_traffic_enabled = true + encryption_kms_key = data.aws_kms_alias.es_kms.target_key_arn + environment = "Production" + internal_record_name = "es-custom" + internal_zone_id = module.internal_zone.internal_hosted_name + internal_zone_name = module.internal_zone.internal_hosted_name + ip_whitelist = ["1.2.3.4"] + logging_application_logs = true + logging_index_slow_logs = true + logging_retention = 14 + logging_search_slow_logs = true + master_node_count = 5 master_node_instance_type = "r4.large.elasticsearch" - - encrypt_storage_enabled = true - encrypt_traffic_enabled = true - encryption_kms_key = data.aws_kms_alias.es_kms.target_key_arn - - ebs_iops = "1000" - ebs_size = "50" - ebs_type = "io1" - - internal_record_name = "es-custom" - internal_zone_id = module.internal_zone.internal_hosted_name - internal_zone_name = module.internal_zone.internal_hosted_name - - logging_application_logs = 
true - logging_index_slow_logs = true - logging_retention = 14 - logging_search_slow_logs = true - - snapshot_start_hour = 21 - - vpc_enabled = true - subnets = ["subnet-0146733139bfe351b", "subnet-04362ec0a2a4b1382"] - security_groups = ["sg-0024aee5bbfbaddbc", "sg-018f1576271f11f3e"] + name = "es-custom" + security_groups = ["sg-0024aee5bbfbaddbc", "sg-018f1576271f11f3e"] + snapshot_start_hour = 21 + subnets = ["subnet-0146733139bfe351b", "subnet-04362ec0a2a4b1382"] + vpc_enabled = true tags = { Tag1 = "Value1" diff --git a/main.tf b/main.tf index 450d96a..e2fbfe0 100644 --- a/main.tf +++ b/main.tf @@ -49,22 +49,26 @@ terraform { required_version = ">= 0.12" required_providers { - aws = ">= 2.1.0" + aws = ">= 2.2.0" } } locals { + vpc_lookup = var.vpc_enabled ? "vpc" : "standard" + enable_logging = var.logging_application_logs || var.logging_index_slow_logs || var.logging_search_slow_logs + za_subnet_count = length(var.subnets) >= 3 ? 3 : 2 + tags = { + Environment = var.environment Name = var.name ServiceProvider = "Rackspace" - Environment = var.environment } policy_condition = { standard = [{ test = "IpAddress" - variable = "aws:SourceIp" values = var.ip_whitelist + variable = "aws:SourceIp" }] vpc = [] } @@ -78,11 +82,6 @@ locals { }, ] } - - vpc_lookup = var.vpc_enabled ? "vpc" : "standard" - enable_logging = var.logging_application_logs || var.logging_index_slow_logs || var.logging_search_slow_logs - - za_subnet_count = length(var.subnets) >= 3 ? 3 : 2 } data "aws_region" "current" { 
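Review bot: `internal_zone_id = module.internal_zone.internal_hosted_name` in `module "es_all_options"` passes the zone's name where a hosted-zone ID is expected, so the `aws_route53_record` the module creates (`zone_id = var.internal_zone_id` in main.tf) would target a non-existent zone; tests/test2/main.tf uses `module.internal_zone.internal_hosted_zone_id` for the same input and the example should match: `internal_zone_id = module.internal_zone.internal_hosted_zone_id`. Separately, `ip_whitelist = ["1.2.3.4"]` sits next to `vpc_enabled = true`, but the whitelist only feeds the `standard` (non-VPC) policy condition, so it is dead configuration here and may lead readers to believe the VPC domain is IP-restricted; either drop it or comment `# ignored when vpc_enabled = true; network access is governed by security_groups`. The `module "es_all_options"` block continues past the end of this hunk.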
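Review bot: `policy_condition.vpc = []` means that when `vpc_enabled` is true the access policy assembled from these locals has no condition at all, so whatever principal the policy document (outside this hunk) grants is reachable from anywhere that the domain's security groups admit; that is the usual pattern for VPC domains, but it is a security-relevant property the locals should state, e.g. `vpc = [] # no IP condition: VPC domains rely solely on security_groups for network access control`. For the `standard` branch, `values = var.ip_whitelist` with an empty list would emit an `IpAddress` condition with no values, which I believe the service rejects at creation rather than treating as deny-all — worth confirming. The variable's default is not in this hunk (the README table in this patch shows `["127.0.0.1"]`, i.e. effectively fail-closed), and a one-line comment on `standard` saying that a non-VPC domain must be given an explicit whitelist to be reachable at all would make that intent explicit.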
@@ -151,26 +150,13 @@ resource "aws_cloudwatch_log_resource_policy" "es_cloudwatch_policy" { } resource "aws_elasticsearch_domain" "es" { - access_policies = data.aws_iam_policy_document.policy.json - - advanced_options = { - "rest.action.multi.allow_explicit_index" = "true" - } - + access_policies = data.aws_iam_policy_document.policy.json domain_name = lower(var.name) elasticsearch_version = var.elasticsearch_version + tags = merge(var.tags, local.tags) - snapshot_options { - automated_snapshot_start_hour = var.snapshot_start_hour - } - - tags = merge(var.tags, local.tags) - dynamic "vpc_options" { - for_each = local.vpc_configuration[local.vpc_lookup] - content { - security_group_ids = lookup(vpc_options.value, "security_group_ids", null) - subnet_ids = lookup(vpc_options.value, "subnet_ids", null) - } + advanced_options = { + "rest.action.multi.allow_explicit_index" = "true" } cluster_config { 
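Review bot: `advanced_options` hard-codes `"rest.action.multi.allow_explicit_index" = "true"`, which lets `_mget`/`_msearch`/`_bulk` request bodies name indices explicitly; per the AWS advanced-options documentation, index-level (sub-resource) restrictions in the domain access policy are not enforceable while this is `"true"`, so any consumer wanting per-index access control cannot use this module. Consider exposing it as a `bool` variable (default `true` to leave existing domains unchanged, since `"true"` is also the service default) and writing `"rest.action.multi.allow_explicit_index" = tostring(var.allow_explicit_index)`, with the variable description noting the access-policy implication. If it stays hard-coded, a comment on that line stating that index-level access policies will not be honoured while it is `"true"` is the minimum. The resource block continues past the end of this hunk.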
@@ -198,26 +184,40 @@ resource "aws_elasticsearch_domain" "es" { kms_key_id = var.encryption_kms_key } - node_to_node_encryption { - enabled = var.encrypt_traffic_enabled - } - log_publishing_options { log_type = "INDEX_SLOW_LOGS" cloudwatch_log_group_arn = element(concat(aws_cloudwatch_log_group.es.*.arn, [""]), 0) enabled = var.logging_index_slow_logs } + log_publishing_options { log_type = "SEARCH_SLOW_LOGS" cloudwatch_log_group_arn = element(concat(aws_cloudwatch_log_group.es.*.arn, [""]), 0) enabled = var.logging_search_slow_logs } + log_publishing_options { log_type = "ES_APPLICATION_LOGS" cloudwatch_log_group_arn = element(concat(aws_cloudwatch_log_group.es.*.arn, [""]), 0) enabled = var.logging_application_logs } + node_to_node_encryption { + enabled = var.encrypt_traffic_enabled + } + + snapshot_options { + automated_snapshot_start_hour = var.snapshot_start_hour + } + + dynamic "vpc_options" { + for_each = local.vpc_configuration[local.vpc_lookup] + content { + security_group_ids = lookup(vpc_options.value, "security_group_ids", null) + subnet_ids = lookup(vpc_options.value, "subnet_ids", null) + } + } + depends_on = [aws_iam_service_linked_role.slr] } @@ -225,8 +225,8 @@ resource "aws_route53_record" "zone_record_alias" { count = var.internal_record_name != "" ? 1 : 0 name = "${var.internal_record_name}.${var.internal_zone_name}" + records = [aws_elasticsearch_domain.es.endpoint] ttl = "300" type = "CNAME" zone_id = var.internal_zone_id - records = [aws_elasticsearch_domain.es.endpoint] } diff --git a/outputs.tf b/outputs.tf index ac94558..b4fa332 100644 --- a/outputs.tf +++ b/outputs.tf @@ -3,11 +3,6 @@ output "arn" { value = aws_elasticsearch_domain.es.arn } -output "log_group_arn" { - description = "The ARN for the CloudWatch Log group for this Elasticsearch Cluster" - value = aws_cloudwatch_log_group.es.*.arn -} - output "endpoint" { description = "The endpoint for the Elasticsearch cluster" value = aws_elasticsearch_domain.es.endpoint 
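Review bot: The domain resource has no `domain_endpoint_options` block, so HTTPS is not enforced on the endpoint and the TLS policy is the service default; together with `node_to_node_encryption { enabled = var.encrypt_traffic_enabled }` defaulting to off, a default deployment carries plaintext both to the endpoint and between nodes. Adding `domain_endpoint_options { enforce_https = true  tls_security_policy = "Policy-Min-TLS-1-2-2019-07" }` (or a variable driving it) would close the endpoint side; that block needs a newer AWS provider than the `>= 2.2.0` floor set in this patch, so the floor would have to move with it — please verify the exact minimum version. All three `log_publishing_options` blocks also point at the same `aws_cloudwatch_log_group.es` ARN, which works but deserves a comment since slow logs and application logs end up interleaved in one group. The resource block starts before this hunk.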
@@ -18,3 +13,7 @@ output "kibana_endpoint" { value = aws_elasticsearch_domain.es.kibana_endpoint } +output "log_group_arn" { + description = "The ARN for the CloudWatch Log group for this Elasticsearch Cluster" + value = aws_cloudwatch_log_group.es.*.arn +} diff --git a/tests/test1/main.tf b/tests/test1/main.tf index 3a549bc..e612f57 100644 --- a/tests/test1/main.tf +++ b/tests/test1/main.tf @@ -9,10 +9,10 @@ provider "aws" { resource "random_string" "r_string" { length = 6 - special = false lower = true - upper = false number = false + special = false + upper = false } #################################################### @@ -22,6 +22,6 @@ resource "random_string" "r_string" { module "es_internet" { source = "../../module" - name = "es-internet-endpoint-${random_string.r_string.result}" ip_whitelist = ["1.2.3.4"] + name = "es-internet-endpoint-${random_string.r_string.result}" } diff --git a/tests/test2/main.tf b/tests/test2/main.tf index 1f7f23b..5bf8e48 100644 --- a/tests/test2/main.tf +++ b/tests/test2/main.tf @@ -9,15 +9,16 @@ provider "aws" { resource "random_string" "r_string" { length = 6 - special = false lower = true - upper = false number = false + special = false + upper = false } module "vpc" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//?ref=master" - az_count = "3" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//?ref=master" + + az_count = 3 name = "ES-VPC-${random_string.r_string.result}" } @@ -35,11 +36,10 @@ module "sg" { module "es_vpc" { source = "../../module" - name = "es-vpc-endpoint-${random_string.r_string.result}" - - vpc_enabled = true + name = "es-vpc-endpoint-${random_string.r_string.result}" security_groups = [module.sg.public_web_security_group_id] subnets = module.vpc.private_subnets + vpc_enabled = true } ############################################# 
@@ -53,43 +53,36 @@ data "aws_kms_alias" "es_kms" { module "internal_zone" { source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-route53_internal_zone?ref=master" - name = "mycompany-${random_string.r_string.result}.local" environment = "Development" + name = "mycompany-${random_string.r_string.result}.local" vpc_id = module.vpc.vpc_id } module "es_all_options" { source = "../../module" - name = "es-custom3az-${random_string.r_string.result}" - - ip_whitelist = ["1.2.3.4"] - - elasticsearch_version = "7.1" - environment = "Development" - subnets = module.vpc.private_subnets - - data_node_count = "6" + data_node_count = 6 data_node_instance_type = "m5.large.elasticsearch" - master_node_count = "3" + ebs_iops = 1000 + ebs_size = 35 + ebs_type = "io1" + elasticsearch_version = "7.1" + encrypt_storage_enabled = true + encrypt_traffic_enabled = true + encryption_kms_key = data.aws_kms_alias.es_kms.target_key_arn + environment = "Development" + internal_record_name = "es-custom" + internal_zone_id = module.internal_zone.internal_hosted_zone_id + internal_zone_name = module.internal_zone.internal_hosted_name + ip_whitelist = ["1.2.3.4"] + logging_application_logs = true + logging_index_slow_logs = true + logging_retention = 7 + logging_search_slow_logs = true + master_node_count = 3 master_node_instance_type = "m5.large.elasticsearch" - - encrypt_storage_enabled = true - encrypt_traffic_enabled = true - encryption_kms_key = data.aws_kms_alias.es_kms.target_key_arn - - ebs_iops = "1000" - ebs_size = "35" - ebs_type = "io1" - - internal_record_name = "es-custom" - internal_zone_id = module.internal_zone.internal_hosted_zone_id - internal_zone_name = module.internal_zone.internal_hosted_name - - logging_application_logs = true - logging_index_slow_logs = true - logging_retention = 7 - logging_search_slow_logs = true + name = "es-custom3az-${random_string.r_string.result}" + subnets = module.vpc.private_subnets tags = { Tag1 = "Value1" 
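Review bot: In `module "es_all_options"`, `ip_whitelist = ["1.2.3.4"]` and `subnets = module.vpc.private_subnets` are both set, but whether this domain is VPC-attached depends on `vpc_enabled`, which does not appear in the hunk (the block continues past its end). If it is left at its default of `false`, the subnets are ignored and the test provisions an internet-facing domain gated only by the placeholder IP; if it is `true`, the whitelist is dead configuration — either way the test should state its intent with an explicit `vpc_enabled = true` next to `subnets`, matching `module "es_vpc"` earlier in the file. Note this test correctly uses `module.internal_zone.internal_hosted_zone_id` for `internal_zone_id`, unlike examples/full_example.tf in the same patch.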
diff --git a/variables.tf b/variables.tf index 1fa2d15..6363c32 100644 --- a/variables.tf +++ b/variables.tf @@ -1,17 +1,12 @@ -variable "name" { - description = "The desired name for the Elasticsearch domain." - type = string -} - variable "create_service_linked_role" { description = "A boolean value to determine if the ElasticSearch Service Linked Role should be created. This should only be set to true if the Service Linked Role is not already present." - type = string + type = bool default = false } variable "data_node_count" { description = "Number of data nodes in the Elasticsearch cluster. If using Zone Awareness this must be a multiple of the number of subnets being used, e.g. 2, 4, 6, etc. for 2 subnets or 3, 6, 9, etc. for 3 subnets." - type = string + type = number default = 6 } @@ -23,13 +18,13 @@ variable "data_node_instance_type" { variable "ebs_iops" { description = "The number of I/O operations per second (IOPS) that the volume supports." - type = string + type = number default = 0 } variable "ebs_size" { description = "The size of the EBS volume for each data node." - type = string + type = number default = 35 } @@ -47,13 +42,13 @@ variable "elasticsearch_version" { variable "encrypt_storage_enabled" { description = "A boolean value to determine if encryption at rest is enabled for the Elasticsearch cluster. Version must be at least 5.1." - type = string + type = bool default = false } variable "encrypt_traffic_enabled" { description = "A boolean value to determine if encryption for node-to-node traffic is enabled for the Elasticsearch cluster. Version must be at least 6.0." - type = string + type = bool default = false } 
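Review bot: `encrypt_storage_enabled` and `encrypt_traffic_enabled` keep `default = false` while being retyped to `bool`, so a domain created with defaults stores indices unencrypted and moves shard traffic in the clear, and the descriptions mention only the minimum Elasticsearch version, not the exposure. Flipping the defaults to `true` would be the secure choice but is a breaking change for existing callers (enabling encryption at rest on an existing domain requires recreating it, as far as I recall — verify before changing), so at minimum extend each description, e.g. `"... Version must be at least 5.1. Defaults to false for backward compatibility; set to true for any domain holding non-public data."`. The `elasticsearch_version` default of `"7.1"` already satisfies both version requirements, so nothing stops the examples from enabling them.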
@@ -95,31 +90,31 @@ variable "ip_whitelist" { variable "logging_application_logs" { description = "A boolean value to determine if logging is enabled for ES_APPLICATION_LOGS." - type = string + type = bool default = false } variable "logging_index_slow_logs" { description = "A boolean value to determine if logging is enabled for INDEX_SLOW_LOGS." - type = string + type = bool default = false } variable "logging_retention" { description = "The number of days to retain Cloudwatch Logs for the Elasticsearch cluster." - type = string - default = "30" + type = number + default = 30 } variable "logging_search_slow_logs" { description = "A boolean value to determine if logging is enabled for SEARCH_SLOW_LOGS." - type = string + type = bool default = false } variable "master_node_count" { description = "Number of master nodes in the Elasticsearch cluster. Allowed values are 0, 3 or 5." - type = string + type = number default = 3 } @@ -129,6 +124,11 @@ variable "master_node_instance_type" { default = "m5.large.elasticsearch" } +variable "name" { + description = "The desired name for the Elasticsearch domain." + type = string +} + variable "security_groups" { description = "A list of EC2 security groups to assign to the Elasticsearch cluster. Ignored if Elasticsearch cluster is not VPC enabled." type = list(string) @@ -137,7 +137,7 @@ variable "security_groups" { variable "snapshot_start_hour" { description = "The hour (0-23) to issue a daily snapshot of Elasticsearch cluster." - type = string + type = number default = 0 } @@ -155,13 +155,12 @@ variable "tags" { variable "vpc_enabled" { description = "A boolean value to determine if the Elasticsearch cluster is VPC enabled." - type = string + type = bool default = false } variable "zone_awareness_enabled" { description = "A boolean value to determine if Zone Awareness is enabled. The number of data nodes must be even if this is `true`." - type = string - default = "true" + type = bool + default = true } -