Merge pull request #11 from rackspace-infrastructure-automation/node-…

…to-node

Add node-to-node encryption option

README.md

@@ -54,7 +54,8 @@ Terraform does not create the IAM Service Linked Role for ElasticSearch automati
 | ebs\_size | The size of the EBS volume for each data node. | string | `"20"` | no |
 | ebs\_type | The EBS volume type to use with the Amazon ES domain, such as standard, gp2, or io1. | string | `"gp2"` | no |
 | elasticsearch\_version | Elasticsearch Version. | string | `"6.3"` | no |
-| encryption\_enabled | A boolean value to determine if encryption at rest is enabled for the Elasticsearch cluster. | string | `"false"` | no |
+| encrypt\_storage\_enabled | A boolean value to determine if encryption at rest is enabled for the Elasticsearch cluster. Version must be at least 5.1. | string | `"false"` | no |
+| encrypt\_traffic\_enabled | A boolean value to determine if encryption for node-to-node traffic is enabled for the Elasticsearch cluster. Version must be at least 6.0. | string | `"false"` | no |
 | encryption\_kms\_key | The KMS key to use for encryption at rest on the Elasticsearch cluster.If omitted and encryption at rest is enabled, the aws/es KMS key is used. | string | `""` | no |
 | environment | Application environment for which this network is being created. Preferred value are Development, Integration, PreProduction, Production, QA, Staging, or Test | string | `"Development"` | no |
 | internal\_record\_name | Record Name for the new Resource Record in the Internal Hosted Zone | string | `""` | no |

examples/full_example.tf

@@ -29,8 +29,9 @@ module "es_all_options" {
   master_node_count         = "5"
   master_node_instance_type = "r4.large.elasticsearch"
 
-  encryption_enabled = true
-  encryption_kms_key = "${data.aws_kms_alias.es_kms.target_key_arn}"
+  encrypt_storage_enabled = true
+  encrypt_traffic_enabled = true
+  encryption_kms_key      = "${data.aws_kms_alias.es_kms.target_key_arn}"
 
   ebs_iops = "1000"
   ebs_size = "50"

main.tf

@@ -168,10 +168,14 @@ resource "aws_elasticsearch_domain" "es" {
   }
 
   encrypt_at_rest {
-    enabled    = "${var.encryption_enabled}"
+    enabled    = "${var.encrypt_storage_enabled}"
     kms_key_id = "${var.encryption_kms_key}"
   }
 
+  node_to_node_encryption {
+    enabled = "${var.encrypt_traffic_enabled}"
+  }
+
   log_publishing_options = [
     {
       log_type                 = "INDEX_SLOW_LOGS"

tests/test1/main.tf

@@ -72,8 +72,9 @@ module "es_all_options" {
   master_node_count         = "5"
   master_node_instance_type = "r4.large.elasticsearch"
 
-  encryption_enabled = true
-  encryption_kms_key = "${data.aws_kms_alias.es_kms.target_key_arn}"
+  encrypt_storage_enabled = true
+  encrypt_traffic_enabled = true
+  encryption_kms_key      = "${data.aws_kms_alias.es_kms.target_key_arn}"
 
   ebs_iops = "1000"
   ebs_size = "50"

variables.tf

@@ -45,8 +45,14 @@ variable "elasticsearch_version" {
   default     = "6.3"
 }
 
-variable "encryption_enabled" {
-  description = "A boolean value to determine if encryption at rest is enabled for the Elasticsearch cluster."
+variable "encrypt_storage_enabled" {
+  description = "A boolean value to determine if encryption at rest is enabled for the Elasticsearch cluster. Version must be at least 5.1."
+  type        = "string"
+  default     = false
+}
+
+variable "encrypt_traffic_enabled" {
+  description = "A boolean value to determine if encryption for node-to-node traffic is enabled for the Elasticsearch cluster. Version must be at least 6.0."
   type        = "string"
   default     = false
 }