From 19198ff74955b14784ec6bd96e2f7326a49b9291 Mon Sep 17 00:00:00 2001
From: Cole DeVries
Date: Mon, 11 Mar 2024 12:10:22 -0400
Subject: [PATCH 01/34] added the create_parameter_groups variable with a default of false
---
 terraform/modules/neptune-cluster/variables.tf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/terraform/modules/neptune-cluster/variables.tf b/terraform/modules/neptune-cluster/variables.tf
index cb301a76..5c9a8834 100644
--- a/terraform/modules/neptune-cluster/variables.tf
+++ b/terraform/modules/neptune-cluster/variables.tf
@@ -38,6 +38,13 @@ variable "copy_tags_to_snapshot" {
 sensitive = false
 }
+variable "create_parameter_groups" {
+ type = bool
+ description = "whether to create parameter groups for the cluster and instance(s)"
+ default = false
+ sensitive = false
+}
+
 variable "database_subnet_ids" {
 type = set(string)
 description = "the list of subnet IDs to associate with the cluster"
From 2220cbac26a2a04f1e495cce2a4288f3601edab1 Mon Sep 17 00:00:00 2001
From: Cole DeVries
Date: Mon, 11 Mar 2024 12:16:27 -0400
Subject: [PATCH 02/34] added local for control over parameter group creation logic, updated param group count conditions
---
 terraform/modules/neptune-cluster/locals.tf | 3 +++
 terraform/modules/neptune-cluster/main.tf | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 terraform/modules/neptune-cluster/locals.tf
diff --git a/terraform/modules/neptune-cluster/locals.tf b/terraform/modules/neptune-cluster/locals.tf
new file mode 100644
index 00000000..b8bad12a
--- /dev/null
+++ b/terraform/modules/neptune-cluster/locals.tf
@@ -0,0 +1,3 @@
+locals {
+ create_parameter_groups = var.enable_serverless ? false : var.create_parameter_groups
+}
\ No newline at end of file
diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf
index ea427e88..3b72cec8 100644
--- a/terraform/modules/neptune-cluster/main.tf
+++ b/terraform/modules/neptune-cluster/main.tf
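Review bot: The local in locals.tf silently overrides `var.create_parameter_groups` whenever `var.enable_serverless` is true, and nothing in the hunk records why a serverless cluster must not get user-managed parameter groups, so a caller who sets both gets no parameter groups and no diagnostic. A comment above the local such as `# serverless clusters are intentionally left on the default parameter groups; create_parameter_groups is ignored in that mode` would make the precedence explicit, and the expression reads more directly as `create_parameter_groups = !var.enable_serverless && var.create_parameter_groups`. The description of `create_parameter_groups` in the variables.tf hunk of the first patch could carry the same caveat.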
@@ -33,8 +33,11 @@ resource "aws_neptune_cluster" "this" {
 }
 }
+## if serverless mode is enabled, do not create parameter groups.
+## if create_parameter groups
+
 module "cluster_parameters" {
- count = var.enable_serverless ? 0 : 1
+ count = local.create_parameter_groups ? 1 : 0
 source = "git::https://github.com/CBIIT/datacommons-devops.git//terraform/modules/neptune-cluster-parameter-group?ref=Neptune"
 resource_prefix = var.resource_prefix
@@ -42,7 +45,7 @@ module "cluster_parameters" {
 }
 module "instance_parameters" {
- count = var.enable_serverless ? 0 : 1
+ count = local.create_parameter_groups ? 1 : 0
 source = "git::https://github.com/CBIIT/datacommons-devops.git//terraform/modules/neptune-instance-parameter-group?ref=Neptune"
 resource_prefix = var.resource_prefix
From f9b3edfd3e40928b85ac9385290c8afc3dfc6b20 Mon Sep 17 00:00:00 2001
From: Cole DeVries
Date: Mon, 11 Mar 2024 12:31:54 -0400
Subject: [PATCH 03/34] updated variables and added new stand-alone resource for cluster parameters
---
 terraform/modules/neptune-cluster/main.tf | 31 ++++++++++++++-----
 .../modules/neptune-cluster/variables.tf | 31 ++++++++++++++++++-
 2 files changed, 54 insertions(+), 8 deletions(-)
diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf
index 3b72cec8..7143bf37 100644
--- a/terraform/modules/neptune-cluster/main.tf
+++ b/terraform/modules/neptune-cluster/main.tf
@@ -33,15 +33,32 @@ resource "aws_neptune_cluster" "this" {
 }
 }
-## if serverless mode is enabled, do not create parameter groups.
-## if create_parameter groups
+resource "aws_neptune_cluster_parameter_group" "this" {
+ count = local.create_parameter_groups ? 1 : 0
-module "cluster_parameters" {
- count = local.create_parameter_groups ? 1 : 0
- source = "git::https://github.com/CBIIT/datacommons-devops.git//terraform/modules/neptune-cluster-parameter-group?ref=Neptune"
+ name = "${var.resource_prefix}-neptune-cluster-params"
+ family = var.parameter_group_family
+ description = "${var.resource_prefix} neptune cluster-level parameter group"
+
+ parameter {
+ name = "neptune_enable_audit_log"
+ value = var.enable_audit_log ? "1" : "0"
+ }
+
+ parameter {
+ name = "neptune_enable_slow_query_log"
+ value = var.enable_slow_query_log
+ }
+
+ parameter {
+ name = "neptune_slow_query_log_threshold"
+ value = var.slow_query_log_threshold
+ }
- resource_prefix = var.resource_prefix
- enable_audit_log = var.enable_cloudwatch_logs_exports == ["audit"] ? true : false
+ parameter {
+ name = "neptune_query_timeout"
+ value = var.query_timeout
+ }
 }
 module "instance_parameters" {
diff --git a/terraform/modules/neptune-cluster/variables.tf b/terraform/modules/neptune-cluster/variables.tf
index 5c9a8834..dd38600f 100644
--- a/terraform/modules/neptune-cluster/variables.tf
+++ b/terraform/modules/neptune-cluster/variables.tf
@@ -58,6 +58,13 @@ variable "deletion_protection" {
 sensitive = false
 }
+variable "enable_audit_log" {
+ type = bool
+ description = "whether to enable audit logs at the cluster level"
+ default = true
+ sensitive = false
+}
+
 variable "enable_caching" {
 type = bool
 description = "whether to enable caching for the cluster"
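Review bot: The new `neptune_enable_audit_log` parameter is driven by `var.enable_audit_log` alone, whereas the removed module call derived it from `var.enable_cloudwatch_logs_exports`; after this hunk the two inputs are independent, so an operator can enable audit logging in the engine without exporting it, or list "audit" in the exports while the engine never produces it, and nothing warns them. A comment on the parameter block, e.g. `# engine-side audit logging; export to CloudWatch is governed separately by var.enable_cloudwatch_logs_exports`, or a validation tying the two together, would close that gap. Note also that the whole resource is gated on `local.create_parameter_groups`, whose default is false, so the `default = true` on `enable_audit_log` in the variables.tf hunk only takes effect once a caller opts into custom parameter groups; the variable description should say so rather than implying audit logging is on by default.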
@@ -79,6 +86,13 @@ variable "enable_serverless" {
 sensitive = false
 }
+variable "enable_slow_query_log" {
+ type = string
+ description = "the log level for slow queries applied at the cluster-level - either 'info', 'debug', or 'disable'"
+ default = "info"
+ sensitive = false
+}
+
 variable "engine" {
 type = string
 description = "the name of the database engine to be used for this instance"
@@ -135,6 +149,13 @@ variable "min_capacity" {
 sensitive = false
 }
+variable "parameter_group_family" {
+ type = string
+ description = "the family of the neptune cluster parameter group (i.e. neptune1.3)"
+ default = "neptune1.3"
+ sensitive = false
+}
+
 variable "preferred_backup_window" {
 type = string
 description = "the daily time range during which automated backups are created if automated backups are enabled"
@@ -159,7 +180,7 @@ variable "port" {
 variable "query_timeout" {
 type = string
 description = "time in milliseconds that a query can run before it is terminated by the cluster"
- default = "120000"
+ default = "60000"
 sensitive = false
 }
@@ -170,6 +191,14 @@ variable "replication_source_identifier" {
 sensitive = false
 }
+variable "slow_query_log_threshold" {
+ type = number
+ description = "the threshold in milliseconds for slow queries applied at the cluster level"
+ default = 5000
+ sensitive = false
+}
+
+
 variable "skip_final_snapshot" {
 type = bool
 description = "whether to skip the creation of a final snapshot before deleting the cluster"
From 14137a8ee6b7af8b8f3c8dd65e04edb90f78d224 Mon Sep 17 00:00:00 2001
From: Cole DeVries
Date: Mon, 11 Mar 2024 13:42:00 -0400
Subject: [PATCH 04/34] adding stand-alone instance parameter group resource rather than call ext module
---
 terraform/modules/neptune-cluster/main.tf | 16 ++++++++++------
 terraform/modules/neptune-cluster/variables.tf | 7 +++++++
 2 files changed, 17 insertions(+), 6 deletions(-)
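Review bot: `parameter_group_family` defaults to `"neptune1.3"` in the second hunk while the generated README later in this series still shows `engine_version` defaulting to `"1.2.1.0"`; a parameter group family has to match the engine's major.minor line, so the shipped defaults would build a 1.3 group and attach it to a 1.2 engine, which as far as I know the API rejects at apply time. Either derive the family from the engine version or align the two defaults, and say in the description that they must agree. `enable_slow_query_log` in the first hunk is a free-form string whose description lists exactly three accepted values; a `validation` block with `condition = contains(["info", "debug", "disable"], var.enable_slow_query_log)` would turn a typo into a plan-time error instead of a failed apply. The `query_timeout` default change from 120000 to 60000 in the third hunk is a behaviour change the subject line does not mention and deserves a sentence in the commit message.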
diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf
index 7143bf37..07e9af49 100644
--- a/terraform/modules/neptune-cluster/main.tf
+++ b/terraform/modules/neptune-cluster/main.tf
@@ -61,13 +61,17 @@ resource "aws_neptune_cluster_parameter_group" "this" {
 }
 }
-module "instance_parameters" {
- count = local.create_parameter_groups ? 1 : 0
- source = "git::https://github.com/CBIIT/datacommons-devops.git//terraform/modules/neptune-instance-parameter-group?ref=Neptune"
+resource "aws_neptune_parameter_group" "this" {
+ count = local.create_parameter_groups ? 1 : 0
+
+ name = "${var.resource_prefix}-neptune-instance-params"
+ family = var.parameter_group_family
+ description = "${var.resource_prefix} neptune instance-level parameter group"
- resource_prefix = var.resource_prefix
- enable_caching = var.enable_serverless ? false : var.enable_caching
- query_timeout = var.query_timeout
+ parameter {
+ name = "neptune_result_cache"
+ value = var.enable_result_cache ? "1" : "0"
+ }
 }
 module "neptune_instance" {
diff --git a/terraform/modules/neptune-cluster/variables.tf b/terraform/modules/neptune-cluster/variables.tf
index dd38600f..c9007555 100644
--- a/terraform/modules/neptune-cluster/variables.tf
+++ b/terraform/modules/neptune-cluster/variables.tf
@@ -79,6 +79,13 @@ variable "enable_cloudwatch_logs_exports" {
 sensitive = false
 }
+variable "enable_result_cache" {
+ type = bool
+ description = "whether to enable the result cache for the instances in the cluster"
+ default = false
+ sensitive = false
+}
+
 variable "enable_serverless" {
 type = bool
 description = "whether to enable serverless mode for the cluster"
From 538c6e4e86128da484485bfccc1814573b04e5d0 Mon Sep 17 00:00:00 2001
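Review bot: After this hunk `var.enable_caching` appears to have no remaining consumer in main.tf — the removed module call was the only reference visible in this series, and the new `aws_neptune_parameter_group` reads `var.enable_result_cache` instead — yet the variable stays declared and the README hunk later in the series still advertises it. Either drop the declaration, or keep existing callers working by honouring both inputs, e.g. `value = var.enable_result_cache || var.enable_caching ? "1" : "0"`, and state in the variable descriptions which one is canonical. The `query_timeout` the old module applied at the instance level is now set only on the cluster group, which is reasonable but worth a line in the commit message.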
From: Cole DeVries
Date: Mon, 11 Mar 2024 14:10:59 -0400
Subject: [PATCH 05/34] revised outputs for new resources that replaced external modules
---
 terraform/modules/neptune-cluster/locals.tf | 2 +-
 terraform/modules/neptune-cluster/main.tf | 28 +++++++++++---------
 terraform/modules/neptune-cluster/outputs.tf | 14 +++++-----
 3 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/terraform/modules/neptune-cluster/locals.tf b/terraform/modules/neptune-cluster/locals.tf
index b8bad12a..0cb397dd 100644
--- a/terraform/modules/neptune-cluster/locals.tf
+++ b/terraform/modules/neptune-cluster/locals.tf
@@ -1,3 +1,3 @@
 locals {
 create_parameter_groups = var.enable_serverless ? false : var.create_parameter_groups
-}
\ No newline at end of file
+}
diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf
index 07e9af49..8ebed07f 100644
--- a/terraform/modules/neptune-cluster/main.tf
+++ b/terraform/modules/neptune-cluster/main.tf
@@ -61,6 +61,20 @@ resource "aws_neptune_cluster_parameter_group" "this" {
 }
 }
+resource "aws_neptune_cluster_instance" "this" {
+ auto_minor_version_upgrade = var.auto_minor_version_upgrade
+ cluster_identifier = aws_neptune_cluster.this.cluster_identifier
+ engine = var.engine
+ engine_version = var.engine_version
+ instance_class = var.instance_class
+ neptune_subnet_group_name = aws_neptune_subnet_group.this.name
+ neptune_parameter_group_name = local.create_parameter_groups ? aws_neptune_parameter_group.this[0].name : null
+ port = var.port
+ preferred_backup_window = var.preferred_backup_window
+ preferred_maintenance_window = var.preferred_maintenance_window
+ publicly_accessible = false
+}
+
 resource "aws_neptune_parameter_group" "this" {
 count = local.create_parameter_groups ? 1 : 0
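Review bot: The new `aws_neptune_cluster_instance` sets `instance_class = var.instance_class` unconditionally, whereas the `neptune_instance` module it replaces (removed in the next hunk) mapped serverless clusters to `"db.serverless"`; with `enable_serverless` defaulting to true and `instance_class` to `"db.r5.large"` per the README, the default deployment now asks for a provisioned instance class on a serverless cluster. Restore the mapping: `instance_class = var.enable_serverless ? "db.serverless" : var.instance_class`. The neighbouring `neptune_parameter_group_name` line, which falls back to `null` when the count-gated group is absent, is the pattern the cluster-level reference should follow as well.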
@@ -74,18 +88,6 @@ resource "aws_neptune_parameter_group" "this" {
 }
 }
-module "neptune_instance" {
- source = "git::https://github.com/CBIIT/datacommons-devops.git//terraform/modules/neptune-instance?ref=Neptune"
-
- auto_minor_version_upgrade = var.auto_minor_version_upgrade
- cluster_identifier = aws_neptune_cluster.this.cluster_identifier
- engine_version = var.engine_version
- instance_class = var.enable_serverless ? "db.serverless" : var.instance_class
- neptune_subnet_group_name = aws_neptune_subnet_group.this.name
- neptune_parameter_group_name = var.enable_serverless ? "default.neptune1.2" : module.instance_parameters[0].name
- port = var.port
-}
-
 resource "aws_kms_key" "this" {
 deletion_window_in_days = 7
 description = "Enforces encryption at rest for the ${terraform.workspace}-tier neptune cluster"
@@ -106,4 +108,4 @@ resource "aws_neptune_subnet_group" "this" {
 resource "aws_kms_key_policy" "this" {
 key_id = aws_kms_key.this.id
 policy = data.aws_iam_policy_document.kms.json
-}
\ No newline at end of file
+}
diff --git a/terraform/modules/neptune-cluster/outputs.tf b/terraform/modules/neptune-cluster/outputs.tf
index 7e48aee5..3a593ad1 100644
--- a/terraform/modules/neptune-cluster/outputs.tf
+++ b/terraform/modules/neptune-cluster/outputs.tf
@@ -53,43 +53,43 @@ output "kms_key_arn" {
 }
 output "instance_address" {
- value = module.neptune_instance.address
+ value = aws_neptune_cluster_instance.this[0].address
 description = "The hostname of the instance. See also endpoint and port."
 sensitive = false
 }
 output "instance_arn" {
- value = module.neptune_instance.arn
+ value = aws_neptune_cluster_instance.this[0].arn
 description = "The ARN of the neptune instance"
 sensitive = false
 }
 output "instance_cluster_identifier" {
- value = module.neptune_instance.cluster_identifier
+ value = aws_neptune_cluster_instance.this[0].cluster_identifier
 description = "The neptune cluster identifier"
 sensitive = false
 }
 output "instance_dbi_resource_id" {
- value = module.neptune_instance.dbi_resource_id
+ value = aws_neptune_cluster_instance.this[0].instance_dbi_resource_id
 description = "The neptune instance resource ID"
 sensitive = false
 }
 output "instance_endpoint" {
- value = module.neptune_instance.endpoint
+ value = aws_neptune_cluster_instance.this[0].endpoint
 description = "The hostname of the instance. See also address and port."
 sensitive = false
 }
 output "instance_id" {
- value = module.neptune_instance.id
+ value = aws_neptune_cluster_instance.this[0].id
 description = "The neptune instance ID"
 sensitive = false
 }
 output "instance_identifier" {
- value = module.neptune_instance.identifier
+ value = aws_neptune_cluster_instance.this[0].identifier
 description = "The neptune instance identifier"
 sensitive = false
 }
From 2b1acd1855cfd9c81e32a217b557a10a5fd5e5ee Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 11 Mar 2024 18:14:10 +0000
Subject: [PATCH 06/34] terraform-docs: automated action
---
 terraform/modules/neptune-cluster/README.md | 17 ++-
 terraform/modules/opensearch/README.md | 88 ++++++++++++++-------
 2 files changed, 69 insertions(+), 36 deletions(-)
diff --git a/terraform/modules/neptune-cluster/README.md b/terraform/modules/neptune-cluster/README.md
index 3bed4a78..590685e0 100644
--- a/terraform/modules/neptune-cluster/README.md
+++ b/terraform/modules/neptune-cluster/README.md
@@ -11,11 +11,7 @@ No requirements.
 ## Modules
-| Name | Source | Version |
-|------|--------|---------|
-| [cluster\_parameters](#module\_cluster\_parameters) | git::https://github.com/CBIIT/datacommons-devops.git//terraform/modules/neptune-cluster-parameter-group | Neptune |
-| [instance\_parameters](#module\_instance\_parameters) | git::https://github.com/CBIIT/datacommons-devops.git//terraform/modules/neptune-instance-parameter-group | Neptune |
-| [neptune\_instance](#module\_neptune\_instance) | git::https://github.com/CBIIT/datacommons-devops.git//terraform/modules/neptune-instance | Neptune |
+No modules.
 ## Resources
@@ -25,6 +21,9 @@ No requirements.
 | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy) | resource |
 | [aws_neptune_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster) | resource |
+| [aws_neptune_cluster_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster_instance) | resource |
+| [aws_neptune_cluster_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster_parameter_group) | resource |
+| [aws_neptune_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_parameter_group) | resource |
 | [aws_neptune_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_subnet_group) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -39,11 +38,15 @@ No requirements.
 | [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | indicates that minor engine upgrades are applied automatically to the instance during the maintenance window | `bool` | `true` | no |
 | [backup\_retention\_period](#input\_backup\_retention\_period) | number of days to retain backups for | `string` | `1` | no |
 | [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | whether to copy tags to snapshots | `bool` | `true` | no |
+| [create\_parameter\_groups](#input\_create\_parameter\_groups) | whether to create parameter groups for the cluster and instance(s) | `bool` | `false` | no |
 | [database\_subnet\_ids](#input\_database\_subnet\_ids) | the list of subnet IDs to associate with the cluster | `set(string)` | n/a | yes |
 | [deletion\_protection](#input\_deletion\_protection) | whether to enable deletion protection | `bool` | `true` | no |
+| [enable\_audit\_log](#input\_enable\_audit\_log) | whether to enable audit logs at the cluster level | `bool` | `true` | no |
 | [enable\_caching](#input\_enable\_caching) | whether to enable caching for the cluster | `bool` | `false` | no |
 | [enable\_cloudwatch\_logs\_exports](#input\_enable\_cloudwatch\_logs\_exports) | list of log types to export to cloudwatch | `list(string)` |
[
"audit"
]
| no |
+| [enable\_result\_cache](#input\_enable\_result\_cache) | whether to enable the result cache for the instances in the cluster | `bool` | `false` | no |
 | [enable\_serverless](#input\_enable\_serverless) | whether to enable serverless mode for the cluster | `bool` | `true` | no |
+| [enable\_slow\_query\_log](#input\_enable\_slow\_query\_log) | the log level for slow queries applied at the cluster-level - either 'info', 'debug', or 'disable' | `string` | `"info"` | no |
 | [engine](#input\_engine) | the name of the database engine to be used for this instance | `string` | `"neptune"` | no |
 | [engine\_version](#input\_engine\_version) | the version of the database engine to use | `string` | `"1.2.1.0"` | no |
 | [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | the name of the final snapshot to be created immediately before deleting the cluster | `string` | `null` | no |
@@ -52,13 +55,15 @@ No requirements.
 | [instance\_class](#input\_instance\_class) | the instance class to use (i.e., db.r5.large) - only required when serverless is not enabled | `string` | `"db.r5.large"` | no |
 | [max\_capacity](#input\_max\_capacity) | the maximum capacity for the cluster in neptune capacity units when serverless is enabled | `number` | `128` | no |
 | [min\_capacity](#input\_min\_capacity) | the minimum capacity for the cluster in neptune capacity units when serverless is enabled | `number` | `2` | no |
+| [parameter\_group\_family](#input\_parameter\_group\_family) | the family of the neptune cluster parameter group (i.e. neptune1.3) | `string` | `"neptune1.3"` | no |
 | [port](#input\_port) | the port on which the DB accepts connections | `number` | `8182` | no |
 | [preferred\_backup\_window](#input\_preferred\_backup\_window) | the daily time range during which automated backups are created if automated backups are enabled | `string` | `"02:00-04:00"` | no |
 | [preferred\_maintenance\_window](#input\_preferred\_maintenance\_window) | the weekly time range during which system maintenance can occur, in (UTC) | `string` | `"sun:05:00-sun:09:00"` | no |
-| [query\_timeout](#input\_query\_timeout) | time in milliseconds that a query can run before it is terminated by the cluster | `string` | `"120000"` | no |
+| [query\_timeout](#input\_query\_timeout) | time in milliseconds that a query can run before it is terminated by the cluster | `string` | `"60000"` | no |
 | [replication\_source\_identifier](#input\_replication\_source\_identifier) | the ARN of the source Neptune instance if this Neptune instance is a read replica | `string` | `null` | no |
 | [resource\_prefix](#input\_resource\_prefix) | the prefix to add when creating resources | `string` | n/a | yes |
 | [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | whether to skip the creation of a final snapshot before deleting the cluster | `bool` | `true` | no |
+| [slow\_query\_log\_threshold](#input\_slow\_query\_log\_threshold) | the threshold in milliseconds for slow queries applied at the cluster level | `number` | `5000` | no |
 | [snapshot\_identifier](#input\_snapshot\_identifier) | the name of an existing snapshot from which to create this cluster | `string` | `null` | no |
 | [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | the list of security group IDs to associate with the cluster | `set(string)` | n/a | yes |
diff --git a/terraform/modules/opensearch/README.md b/terraform/modules/opensearch/README.md
index 7d6a3a53..50c02f49 100644
--- a/terraform/modules/opensearch/README.md
+++ b/terraform/modules/opensearch/README.md
@@ -35,47 +35,75 @@ No modules.
 | Name | Type |
 |------|------|
-| [aws_cloudwatch_log_group.os](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_cloudwatch_log_resource_policy.os](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) | resource |
-| [aws_iam_service_linked_role.os](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
-| [aws_opensearch_domain.os](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain) | resource |
-| [aws_security_group.os](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
-| [aws_caller_identity.caller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.os](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_region.region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_resource_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) | resource |
+| [aws_iam_policy.snapshot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.snapshot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.snapshot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_opensearch_domain.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain) | resource |
+| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.snapshot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [automated\_snapshot\_start\_hour](#input\_automated\_snapshot\_start\_hour) | hour when automated snapshot to be taken | `number` | `23` | no |
-| [create\_cloudwatch\_log\_policy](#input\_create\_cloudwatch\_log\_policy) | Due cloudwatch log policy limits, this should be option, we can use an existing policy | `bool` | `false` | no |
-| [create\_os\_service\_role](#input\_create\_os\_service\_role) | change this value to true if running this script for the first time | `bool` | `false` | no |
-| [env](#input\_env) | name of the environment to provision | `string` | n/a | yes |
-| [multi\_az\_enabled](#input\_multi\_az\_enabled) | set to true to enable multi-az deployment | `bool` | `false` | no |
-| [opensearch\_autotune\_rollback\_type](#input\_opensearch\_autotune\_rollback\_type) | Tell OpenSearch how to respond to disabling AutoTune. Options include NO\_ROLLBACK and DEFAULT\_ROLLBACK | `string` | `"DEFAULT_ROLLBACK"` | no |
-| [opensearch\_autotune\_state](#input\_opensearch\_autotune\_state) | Tell OpenSearch to enable or disable autotuning. Options include ENABLED and DISABLED | `string` | `"ENABLED"` | no |
-| [opensearch\_ebs\_volume\_size](#input\_opensearch\_ebs\_volume\_size) | size of the ebs volume attached to the opensearch instance | `number` | `30` | no |
-| [opensearch\_instance\_count](#input\_opensearch\_instance\_count) | the number of data nodes to provision for each instance in the cluster | `number` | `1` | no |
-| [opensearch\_instance\_type](#input\_opensearch\_instance\_type) | type of instance to be used to create the OpenSearch cluster | `string` | `"t3.medium.search"` | no |
-| [opensearch\_log\_types](#input\_opensearch\_log\_types) | List of log types that OpenSearch forwards to CloudWatch. Options include INDEX\_SLOW\_LOGS, SEARCH\_SLOW\_LOGS, ES\_APPLICATION\_LOGS, AUDIT\_LOGS | `list(string)` |
[
"AUDIT_LOGS"
]
| no |
-| [opensearch\_subnet\_ids](#input\_opensearch\_subnet\_ids) | list of subnet ids to use | `list(string)` | n/a | yes |
-| [opensearch\_tls\_policy](#input\_opensearch\_tls\_policy) | Provide the TLS policy to associate with the OpenSearch domain to enforce HTTPS communications | `string` | `"Policy-Min-TLS-1-2-2019-07"` | no |
-| [opensearch\_version](#input\_opensearch\_version) | specify es version | `string` | `"OpenSearch_1.2"` | no |
-| [resource\_prefix](#input\_resource\_prefix) | the prefix to add when creating resources | `string` | n/a | yes |
-| [stack\_name](#input\_stack\_name) | name of the project | `string` | n/a | yes |
-| [tags](#input\_tags) | tags to associate with this instance | `map(string)` | n/a | yes |
+| [access\_policies](#input\_access\_policies) | Required if create\_access\_policies is false. Provide json output from IAM Policy Document | `string` | `null` | no |
+| [attach\_permissions\_boundary](#input\_attach\_permissions\_boundary) | Whether to attach the permissions boundary to the OpenSearch Snapshot Role | `bool` | `false` | no |
+| [auto\_software\_update\_enabled](#input\_auto\_software\_update\_enabled) | Whether automatic service software updates are enabled for the domain | `bool` | `false` | no |
+| [auto\_tune\_enabled](#input\_auto\_tune\_enabled) | Whether to enable the OpenSearch Auto-Tune feature | `bool` | `true` | no |
+| [automated\_snapshot\_start\_hour](#input\_automated\_snapshot\_start\_hour) | hour when automated snapshot to be taken | `number` | `5` | no |
+| [cluster\_tshirt\_size](#input\_cluster\_tshirt\_size) | Select a T-Shirt size for the cluster | `string` | `"xs"` | no |
+| [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Boolean to enable cold storage for an OpenSearch domain. Master and ultrawarm nodes must be enabled for cold storage. | `bool` | `false` | no |
+| [create\_access\_policies](#input\_create\_access\_policies) | Whether to allow the module to create the access policies for the OpenSearch domain | `bool` | `true` | no |
+| [create\_cloudwatch\_log\_policy](#input\_create\_cloudwatch\_log\_policy) | Whether to allow the module to create the cloudwatch log policy for the OpenSearch domain | `bool` | `true` | no |
+| [create\_security\_group](#input\_create\_security\_group) | Whether to allow the module to create the security group for the OpenSearch domain | `bool` | `true` | no |
+| [create\_snapshot\_role](#input\_create\_snapshot\_role) | Whether to allow the module to create the snapshot role for the OpenSearch domain | `bool` | `true` | no |
+| [dedicated\_master\_count](#input\_dedicated\_master\_count) | The number of Dedicated Master nodes in the cluster | `number` | `null` | no |
+| [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Whether to enable Dedicated Master nodes in the cluster | `bool` | `false` | no |
+| [dedicated\_master\_type](#input\_dedicated\_master\_type) | The instance type of the Dedicated Master nodes in the cluster | `string` | `null` | no |
+| [encrypt\_at\_rest](#input\_encrypt\_at\_rest) | Whether to enable encryption at rest for the domain | `bool` | `true` | no |
+| [enforce\_https](#input\_enforce\_https) | Whether to require HTTPS for all traffic to the domain | `bool` | `true` | no |
+| [engine\_version](#input\_engine\_version) | The engine version of the OpenSearch domain (i.e., OpenSearch\_2.11) | `string` | n/a | yes |
+| [iam\_prefix](#input\_iam\_prefix) | Prefix for IAM resource names | `string` | `"power-user"` | no |
+| [instance\_count](#input\_instance\_count) | The number of Data Nodes attached to the cluster in each availability zone | `number` | `null` | no |
+| [instance\_type](#input\_instance\_type) | The instance type of the Data Nodes in the cluster | `string` | `null` | no |
+| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The number of days to retain OpenSearch logs in CloudWatch Logs | `number` | `180` | no |
+| [log\_types](#input\_log\_types) | The type of OpenSearch logs that will be published to CloudWatch Logs | `set(string)` |
[
"INDEX_SLOW_LOGS",
"SEARCH_SLOW_LOGS",
"ES_APPLICATION_LOGS"
]
| no |
+| [resource\_prefix](#input\_resource\_prefix) | Prefix for resource names, advised to use the program-tier-app convention | `string` | n/a | yes |
+| [s3\_snapshot\_bucket\_arn](#input\_s3\_snapshot\_bucket\_arn) | The ARN of the S3 bucket to store OpenSearch snapshots | `string` | `null` | no |
+| [security\_group\_ids](#input\_security\_group\_ids) | A set of one or more Security Group IDs to associate with the cluster | `set(string)` | `[]` | no |
+| [subnet\_ids](#input\_subnet\_ids) | A set of one or more Private Subnet IDs to associate with the cluster | `set(string)` | n/a | yes |
+| [tags](#input\_tags) | tags to associate with this instance | `map(string)` | `{}` | no |
+| [tls\_security\_policy](#input\_tls\_security\_policy) | The name of the TLS security policy to apply to the domain | `string` | `"Policy-Min-TLS-1-2-PFS-2023-10"` | no |
+| [volume\_size](#input\_volume\_size) | The size of the EBS volumes attached to data nodes (in GB) - between 10 and 200 | `number` | `null` | no |
+| [volume\_type](#input\_volume\_type) | The volume type to use for data and master nodes | `string` | `"gp3"` | no |
 | [vpc\_id](#input\_vpc\_id) | the ID of the VPC the OpenSearch cluster is being deployed into | `string` | n/a | yes |
+| [warm\_count](#input\_warm\_count) | The total number of warm nodes attached to the cluster | `number` | `null` | no |
+| [warm\_enabled](#input\_warm\_enabled) | Whether to enable warm nodes in the cluster | `bool` | `false` | no |
+| [warm\_type](#input\_warm\_type) | The instance type of the warm nodes in the cluster | `string` | `null` | no |
+| [zone\_awareness\_enabled](#input\_zone\_awareness\_enabled) | Whether to enable Multi-AZ cluster deployment | `bool` | `false` | no |
 ## Outputs
 | Name | Description |
 |------|-------------|
-| [opensearch\_arn](#output\_opensearch\_arn) | the OpenSearch domain arn |
-| [opensearch\_cloudwatch\_log\_group\_arn](#output\_opensearch\_cloudwatch\_log\_group\_arn) | the log group arn that collects OpenSearch logs |
-| [opensearch\_endpoint](#output\_opensearch\_endpoint) | the opensearch domain endpoint url |
-| [opensearch\_security\_group\_arn](#output\_opensearch\_security\_group\_arn) | the arn of the security group associated with the OpenSearch cluster |
-| [opensearch\_security\_group\_id](#output\_opensearch\_security\_group\_id) | the id of the security group associated with the OpenSearch cluster |
+| [arn](#output\_arn) | The ARN of the OpenSearch domain |
+| [dashboard\_endpoint](#output\_dashboard\_endpoint) | The endpoint of the OpenSearch domain dashboard |
+| [domain\_id](#output\_domain\_id) | The unique identifier for the OpenSearch domain |
+| [domain\_name](#output\_domain\_name) | The name of the OpenSearch domain |
+| [endpoint](#output\_endpoint) | The domain-specific endpoint used to submit index, search, and data upload requests to an OpenSearch domain |
+| [id](#output\_id) | The unique identifier for the OpenSearch domain |
+| [role\_arn](#output\_role\_arn) | The ARN of the IAM role used to take snapshots of the OpenSearch domain |
+| [role\_id](#output\_role\_id) | The ID of the IAM role used to take snapshots of the OpenSearch domain |
+| [role\_name](#output\_role\_name) | The name of the IAM role used to take snapshots of the OpenSearch domain |
+| [security\_group\_arn](#output\_security\_group\_arn) | The ARN of the security group for the OpenSearch domain |
+| [security\_group\_id](#output\_security\_group\_id) | The ID of the security group for the OpenSearch domain |
 # Implementation Guide
From 62f0f4e2823df7601d99e1ad9bc5a4a0e4ce2fbd Mon Sep 17 00:00:00 2001
From: Cole DeVries
Date: Mon, 11 Mar 2024 14:25:28 -0400
Subject: [PATCH 07/34] resolved errors due to module dependencies
---
 terraform/modules/neptune-cluster/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf
index 8ebed07f..6bc41bba 100644
--- a/terraform/modules/neptune-cluster/main.tf
+++ b/terraform/modules/neptune-cluster/main.tf
@@ -13,7 +13,7 @@ resource "aws_neptune_cluster" "this" {
 iam_database_authentication_enabled = var.iam_database_authentication_enabled
 kms_key_arn = aws_kms_key.this.arn
 neptune_subnet_group_name = aws_neptune_subnet_group.this.name
- neptune_cluster_parameter_group_name = var.enable_serverless ? "default.neptune1.2" : module.cluster_parameters[0].name
+ neptune_cluster_parameter_group_name = var.enable_serverless ? "default.neptune1.2" : aws_neptune_cluster_parameter_group.this[0].name
 preferred_backup_window = var.preferred_backup_window
 preferred_maintenance_window = var.preferred_maintenance_window
 port = var.port
From f7ee9af54d9a5c414765a2e7d09c306bc1cca034 Mon Sep 17 00:00:00 2001
From: Cole DeVries
Date: Mon, 11 Mar 2024 14:28:14 -0400
Subject: [PATCH 08/34] updated the address of the instance resource in outputs by removing iterators
---
 terraform/modules/neptune-cluster/outputs.tf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/terraform/modules/neptune-cluster/outputs.tf b/terraform/modules/neptune-cluster/outputs.tf
index 3a593ad1..b589d208 100644
--- a/terraform/modules/neptune-cluster/outputs.tf
+++ b/terraform/modules/neptune-cluster/outputs.tf
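Review bot: The replaced line still indexes `aws_neptune_cluster_parameter_group.this[0]` whenever `var.enable_serverless` is false, but that resource is created with `count = local.create_parameter_groups ? 1 : 0`, so a provisioned cluster that leaves `create_parameter_groups` at its default of false fails at plan time with an invalid index; the same line is edited again in patch 10's main.tf hunk and carries the same defect there. Gate on the condition the resource itself uses: `neptune_cluster_parameter_group_name = local.create_parameter_groups ? aws_neptune_cluster_parameter_group.this[0].name : "default.${var.parameter_group_family}"` (or `null` to let the provider choose the default), which also removes the hard-coded family string that patch 10 has to bump by hand. The `aws_neptune_cluster` resource this line belongs to starts before the hunk.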
@@ -53,43 +53,43 @@ output "kms_key_arn" { } output "instance_address" { - value = aws_neptune_cluster_instance.this[0].address + value = aws_neptune_cluster_instance.this.address description = "The hostname of the instance. See also endpoint and port." sensitive = false } output "instance_arn" { - value = aws_neptune_cluster_instance.this[0].arn + value = aws_neptune_cluster_instance.this.arn description = "The ARN of the neptune instance" sensitive = false } output "instance_cluster_identifier" { - value = aws_neptune_cluster_instance.this[0].cluster_identifier + value = aws_neptune_cluster_instance.this.cluster_identifier description = "The neptune cluster identifier" sensitive = false } output "instance_dbi_resource_id" { - value = aws_neptune_cluster_instance.this[0].instance_dbi_resource_id + value = aws_neptune_cluster_instance.this.instance_dbi_resource_id description = "The neptune instance resource ID" sensitive = false } output "instance_endpoint" { - value = aws_neptune_cluster_instance.this[0].endpoint + value = aws_neptune_cluster_instance.this.endpoint description = "The hostname of the instance. See also address and port." sensitive = false } output "instance_id" { - value = aws_neptune_cluster_instance.this[0].id + value = aws_neptune_cluster_instance.this.id description = "The neptune instance ID" sensitive = false } output "instance_identifier" { - value = aws_neptune_cluster_instance.this[0].identifier + value = aws_neptune_cluster_instance.this.identifier description = "The neptune instance identifier" sensitive = false } From d7e47a0307c4f829b57c31e49b20b88b65983da6 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Mon, 11 Mar 2024 14:29:43 -0400 Subject: [PATCH 09/34] resolved instance dbi_resource_id output typo --- terraform/modules/neptune-cluster/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/terraform/modules/neptune-cluster/outputs.tf b/terraform/modules/neptune-cluster/outputs.tf index b589d208..20f08691 100644 --- a/terraform/modules/neptune-cluster/outputs.tf +++ b/terraform/modules/neptune-cluster/outputs.tf @@ -71,7 +71,7 @@ output "instance_cluster_identifier" { } output "instance_dbi_resource_id" { - value = aws_neptune_cluster_instance.this.instance_dbi_resource_id + value = aws_neptune_cluster_instance.this.dbi_resource_id description = "The neptune instance resource ID" sensitive = false } From dc2e7331dcad312ccf0cab4a03e5953f92169db2 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Mon, 11 Mar 2024 14:33:41 -0400 Subject: [PATCH 10/34] updated serverless neptune default cluster value for the cluster --- terraform/modules/neptune-cluster/main.tf | 2 +- terraform/modules/neptune-cluster/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index 6bc41bba..d3a85d1b 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf @@ -13,7 +13,7 @@ resource "aws_neptune_cluster" "this" { iam_database_authentication_enabled = var.iam_database_authentication_enabled kms_key_arn = aws_kms_key.this.arn neptune_subnet_group_name = aws_neptune_subnet_group.this.name - neptune_cluster_parameter_group_name = var.enable_serverless ? "default.neptune1.2" : aws_neptune_cluster_parameter_group.this[0].name + neptune_cluster_parameter_group_name = var.enable_serverless ? "default.neptune1.3" : aws_neptune_cluster_parameter_group.this[0].name preferred_backup_window = var.preferred_backup_window preferred_maintenance_window = var.preferred_maintenance_window port = var.port diff --git a/terraform/modules/neptune-cluster/variables.tf b/terraform/modules/neptune-cluster/variables.tf index c9007555..c58ed771 100644 --- a/terraform/modules/neptune-cluster/variables.tf 
+++ b/terraform/modules/neptune-cluster/variables.tf @@ -75,7 +75,7 @@ variable "enable_caching" { variable "enable_cloudwatch_logs_exports" { type = list(string) description = "list of log types to export to cloudwatch" - default = ["audit"] + default = ["audit", "slowquery"] sensitive = false } From 7db5c479b0a1fa0c9546f2d15130f8c44f47c2a5 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 11 Mar 2024 18:34:04 +0000 Subject: [PATCH 11/34] terraform-docs: automated action --- terraform/modules/neptune-cluster/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/README.md b/terraform/modules/neptune-cluster/README.md index 590685e0..12c9486d 100644 --- a/terraform/modules/neptune-cluster/README.md +++ b/terraform/modules/neptune-cluster/README.md @@ -43,7 +43,7 @@ No modules. | [deletion\_protection](#input\_deletion\_protection) | whether to enable deletion protection | `bool` | `true` | no | | [enable\_audit\_log](#input\_enable\_audit\_log) | whether to enable audit logs at the cluster level | `bool` | `true` | no | | [enable\_caching](#input\_enable\_caching) | whether to enable caching for the cluster | `bool` | `false` | no | -| [enable\_cloudwatch\_logs\_exports](#input\_enable\_cloudwatch\_logs\_exports) | list of log types to export to cloudwatch | `list(string)` |
[
"audit"
]
| no | +| [enable\_cloudwatch\_logs\_exports](#input\_enable\_cloudwatch\_logs\_exports) | list of log types to export to cloudwatch | `list(string)` |
[
"audit",
"slowquery"
]
| no | | [enable\_result\_cache](#input\_enable\_result\_cache) | whether to enable the result cache for the instances in the cluster | `bool` | `false` | no | | [enable\_serverless](#input\_enable\_serverless) | whether to enable serverless mode for the cluster | `bool` | `true` | no | | [enable\_slow\_query\_log](#input\_enable\_slow\_query\_log) | the log level for slow queries applied at the cluster-level - either 'info', 'debug', or 'disable' | `string` | `"info"` | no | From 0f1d1c61896bed37bd0ecd3e96ffbf927d9de988 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Mon, 11 Mar 2024 18:05:38 -0400 Subject: [PATCH 12/34] fixed variable issue with cloudwatch log exports --- terraform/modules/neptune-cluster/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/variables.tf b/terraform/modules/neptune-cluster/variables.tf index c58ed771..c9007555 100644 --- a/terraform/modules/neptune-cluster/variables.tf +++ b/terraform/modules/neptune-cluster/variables.tf @@ -75,7 +75,7 @@ variable "enable_caching" { variable "enable_cloudwatch_logs_exports" { type = list(string) description = "list of log types to export to cloudwatch" - default = ["audit", "slowquery"] + default = ["audit"] sensitive = false } From e3d6b626bc59e4e68b0512b8ef644bd594110e5a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 11 Mar 2024 22:06:03 +0000 Subject: [PATCH 13/34] terraform-docs: automated action --- terraform/modules/neptune-cluster/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/README.md b/terraform/modules/neptune-cluster/README.md index 12c9486d..590685e0 100644 --- a/terraform/modules/neptune-cluster/README.md +++ b/terraform/modules/neptune-cluster/README.md 
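Review bot: Reverting the default to `["audit"]` means slow-query logs are no longer exported to CloudWatch unless a caller overrides it, while the README in this series shows `enable_slow_query_log` defaulting to `"info"`, so slow-query logging is presumably still switched on at the parameter level but the records stay on the engine where no detection pipeline sees them. The commit message gives no reason for dropping `"slowquery"`; if the value was rejected during apply rather than being unwanted, record that in the variable description so the next maintainer does not re-add it blindly, e.g. `description = "list of log types to export to cloudwatch (audit, slowquery)"` plus a short comment on the `default` line stating why slowquery is excluded.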
@@ -43,7 +43,7 @@ No modules. | [deletion\_protection](#input\_deletion\_protection) | whether to enable deletion protection | `bool` | `true` | no | | [enable\_audit\_log](#input\_enable\_audit\_log) | whether to enable audit logs at the cluster level | `bool` | `true` | no | | [enable\_caching](#input\_enable\_caching) | whether to enable caching for the cluster | `bool` | `false` | no | -| [enable\_cloudwatch\_logs\_exports](#input\_enable\_cloudwatch\_logs\_exports) | list of log types to export to cloudwatch | `list(string)` |
[
"audit",
"slowquery"
]
| no | +| [enable\_cloudwatch\_logs\_exports](#input\_enable\_cloudwatch\_logs\_exports) | list of log types to export to cloudwatch | `list(string)` |
[
"audit"
]
| no | | [enable\_result\_cache](#input\_enable\_result\_cache) | whether to enable the result cache for the instances in the cluster | `bool` | `false` | no | | [enable\_serverless](#input\_enable\_serverless) | whether to enable serverless mode for the cluster | `bool` | `true` | no | | [enable\_slow\_query\_log](#input\_enable\_slow\_query\_log) | the log level for slow queries applied at the cluster-level - either 'info', 'debug', or 'disable' | `string` | `"info"` | no | From 5b07e133c4146d4c370febc769dc7350da396af1 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Mon, 11 Mar 2024 18:14:01 -0400 Subject: [PATCH 14/34] resolving issues with parameter groups specifications --- terraform/modules/neptune-cluster/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index d3a85d1b..c72c22bd 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf @@ -68,7 +68,7 @@ resource "aws_neptune_cluster_instance" "this" { engine_version = var.engine_version instance_class = var.instance_class neptune_subnet_group_name = aws_neptune_subnet_group.this.name - neptune_parameter_group_name = local.create_parameter_groups ? aws_neptune_parameter_group.this[0].name : null + neptune_parameter_group_name = var.enable_serverless ? "default.neptune1.3" : aws_neptune_cluster_parameter_group.this[0].name port = var.port preferred_backup_window = var.preferred_backup_window preferred_maintenance_window = var.preferred_maintenance_window From 84f36993002a8bbf8a7186cfd29ee6899f36601a Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Mon, 11 Mar 2024 18:17:18 -0400 Subject: [PATCH 15/34] just formatting --- terraform/modules/neptune-cluster/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/outputs.tf b/terraform/modules/neptune-cluster/outputs.tf index 20f08691..ee3fda99 100644 
--- a/terraform/modules/neptune-cluster/outputs.tf +++ b/terraform/modules/neptune-cluster/outputs.tf @@ -116,4 +116,4 @@ output "kms_alias_name" { value = aws_kms_alias.this.name description = "the neptune cluster kms key alias name" sensitive = false -} \ No newline at end of file +} From 5f7f5cf586f92fd7c47422bf976fbd500077d566 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Mon, 11 Mar 2024 18:59:58 -0400 Subject: [PATCH 16/34] removed backup and maintenance windows for instance since they are defined with cluster --- terraform/modules/neptune-cluster/main.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index c72c22bd..c19387ab 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf @@ -70,8 +70,6 @@ resource "aws_neptune_cluster_instance" "this" { neptune_subnet_group_name = aws_neptune_subnet_group.this.name neptune_parameter_group_name = var.enable_serverless ? "default.neptune1.3" : aws_neptune_cluster_parameter_group.this[0].name port = var.port - preferred_backup_window = var.preferred_backup_window - preferred_maintenance_window = var.preferred_maintenance_window publicly_accessible = false } From db95f33d5716761373c291959c8d196fb99c4464 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Mon, 11 Mar 2024 20:09:03 -0400 Subject: [PATCH 17/34] using a key alias for neptune cluster --- terraform/modules/neptune-cluster/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index c19387ab..c791aca5 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf 
@@ -11,7 +11,7 @@ resource "aws_neptune_cluster" "this" { final_snapshot_identifier = var.final_snapshot_identifier iam_roles = var.iam_roles iam_database_authentication_enabled = var.iam_database_authentication_enabled - kms_key_arn = aws_kms_key.this.arn + kms_key_arn = aws_kms_alias.this.arn neptune_subnet_group_name = aws_neptune_subnet_group.this.name neptune_cluster_parameter_group_name = var.enable_serverless ? "default.neptune1.3" : aws_neptune_cluster_parameter_group.this[0].name preferred_backup_window = var.preferred_backup_window From 0a72b7d59e784ed0c6f186a958766a9178ff56f8 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Mon, 11 Mar 2024 20:34:42 -0400 Subject: [PATCH 18/34] added lifecycle rule --- terraform/modules/neptune-cluster/main.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index c791aca5..06670c08 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf @@ -31,6 +31,12 @@ resource "aws_neptune_cluster" "this" { min_capacity = var.min_capacity } } + + lifecycle { + ignore_changes = [ + kms_key_arn + ] + } } resource "aws_neptune_cluster_parameter_group" "this" { From 6e292d9cedf6328b4af8c72b5161aa67dbb17def Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Mon, 11 Mar 2024 22:37:21 -0400 Subject: [PATCH 19/34] added a parameter group dependency for neptune --- terraform/modules/neptune-cluster/main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index 06670c08..34ec1163 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf 
@@ -77,6 +77,10 @@ resource "aws_neptune_cluster_instance" "this" { neptune_parameter_group_name = var.enable_serverless ? "default.neptune1.3" : aws_neptune_cluster_parameter_group.this[0].name port = var.port publicly_accessible = false + + depends_on = [ + aws_neptune_parameter_group.this + ] } resource "aws_neptune_parameter_group" "this" { From 4cf7856064a991d21ae10710483ba3d05881bb3f Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Mon, 11 Mar 2024 22:56:31 -0400 Subject: [PATCH 20/34] fixed invalid reference to a db parameter group --- terraform/modules/neptune-cluster/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index 34ec1163..a60092eb 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf @@ -74,7 +74,7 @@ resource "aws_neptune_cluster_instance" "this" { engine_version = var.engine_version instance_class = var.instance_class neptune_subnet_group_name = aws_neptune_subnet_group.this.name - neptune_parameter_group_name = var.enable_serverless ? "default.neptune1.3" : aws_neptune_cluster_parameter_group.this[0].name + neptune_parameter_group_name = var.enable_serverless ? "default.neptune1.3" : aws_neptune_parameter_group.this[0].name port = var.port publicly_accessible = false From ccbca3a0bca4dbb09914cc4e8b2b7b3e2bce8c3f Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Tue, 26 Mar 2024 11:48:04 -0400 Subject: [PATCH 21/34] setting dependencies for the kms key in the neptune module --- terraform/modules/neptune-cluster/main.tf | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index a60092eb..86ceb14c 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf 
@@ -32,11 +32,7 @@ resource "aws_neptune_cluster" "this" { } } - lifecycle { - ignore_changes = [ - kms_key_arn - ] - } + depends_on = [aws_kms_key.this, aws_kms_alias.this] } resource "aws_neptune_cluster_parameter_group" "this" { @@ -65,6 +61,8 @@ resource "aws_neptune_cluster_parameter_group" "this" { name = "neptune_query_timeout" value = var.query_timeout } + + depends_on = [aws_kms_key.this, aws_kms_alias.this] } resource "aws_neptune_cluster_instance" "this" { From 55e1649b6cb6607e422e8ccc89c02c57919e499d Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Tue, 26 Mar 2024 11:49:38 -0400 Subject: [PATCH 22/34] fixed typo --- terraform/modules/neptune-cluster/main.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index 86ceb14c..1601f80d 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf @@ -61,8 +61,6 @@ resource "aws_neptune_cluster_parameter_group" "this" { name = "neptune_query_timeout" value = var.query_timeout } - - depends_on = [aws_kms_key.this, aws_kms_alias.this] } resource "aws_neptune_cluster_instance" "this" { From 4085cb4b9915eb165e44ddde5eadf103676ea3c0 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Wed, 27 Mar 2024 10:46:18 -0400 Subject: [PATCH 23/34] following standards by making kms key creation conditional on variables --- terraform/modules/neptune-cluster/data.tf | 7 ++++--- terraform/modules/neptune-cluster/main.tf | 16 ++++++++++++---- terraform/modules/neptune-cluster/variables.tf | 7 +++++++ 3 files changed, 23 insertions(+), 7 deletions(-) diff --git a/terraform/modules/neptune-cluster/data.tf b/terraform/modules/neptune-cluster/data.tf index bb579799..60767629 100644 --- a/terraform/modules/neptune-cluster/data.tf +++ b/terraform/modules/neptune-cluster/data.tf 
@@ -4,6 +4,7 @@ data "aws_caller_identity" "current" { data "aws_region" "current" {} data "aws_iam_policy_document" "kms" { + count = var.create_kms_key ? 1 : 0 statement { effect = "Allow" @@ -52,8 +53,8 @@ data "aws_iam_policy_document" "kms" { "kms:Verify" ] resources = [ - aws_kms_key.this.arn, - aws_kms_alias.this.arn + aws_kms_key.this[0].arn, + aws_kms_alias.this[0].arn ] } @@ -78,7 +79,7 @@ data "aws_iam_policy_document" "kms" { "kms:DescribeKey" ] resources = [ - aws_kms_key.this.arn + aws_kms_key.this[0].arn ] condition { test = "StringEquals" diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index 1601f80d..a5d953be 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf @@ -11,7 +11,7 @@ resource "aws_neptune_cluster" "this" { final_snapshot_identifier = var.final_snapshot_identifier iam_roles = var.iam_roles iam_database_authentication_enabled = var.iam_database_authentication_enabled - kms_key_arn = aws_kms_alias.this.arn + kms_key_arn = var.create_kms_key ? aws_kms_alias.this[0].arn : null neptune_subnet_group_name = aws_neptune_subnet_group.this.name neptune_cluster_parameter_group_name = var.enable_serverless ? "default.neptune1.3" : aws_neptune_cluster_parameter_group.this[0].name preferred_backup_window = var.preferred_backup_window 
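Review bot: With `create_kms_key = false` the new `+` line in main.tf sets `kms_key_arn = null`, so the cluster presumably falls back to the AWS-managed service key, and the module offers no way to supply an existing customer-managed key, which is the usual reason for turning key creation off. A `kms_key_arn` input with a `null` default would close that gap: `kms_key_arn = var.create_kms_key ? aws_kms_key.this[0].arn : var.kms_key_arn`. Referencing `aws_kms_key.this[0].arn` rather than the alias ARN is also worth considering: the `ignore_changes = [kms_key_arn]` added in PATCH 18 and removed again in PATCH 21 suggests the API normalises the alias to the key ARN and reports a perpetual diff otherwise, though that is inferred from the series rather than visible in this hunk. The `aws_neptune_cluster` block continues outside the hunk.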
@@ -93,23 +93,31 @@ resource "aws_neptune_parameter_group" "this" { } resource "aws_kms_key" "this" { + count = var.create_kms_key ? 1 : 0 + deletion_window_in_days = 7 description = "Enforces encryption at rest for the ${terraform.workspace}-tier neptune cluster" key_usage = "ENCRYPT_DECRYPT" } resource "aws_kms_alias" "this" { + count = var.create_kms_key ? 1 : 0 + name = "alias/${var.resource_prefix}-neptune-key" - target_key_id = aws_kms_key.this.id + target_key_id = aws_kms_key.this[0].id } resource "aws_neptune_subnet_group" "this" { + count = var.create_kms_key ? 1 : 0 + name = "${var.resource_prefix}-neptune-subnets" description = "subnet group for the ${terraform.workspace}-tier neptune cluster" subnet_ids = var.database_subnet_ids } resource "aws_kms_key_policy" "this" { - key_id = aws_kms_key.this.id - policy = data.aws_iam_policy_document.kms.json + count = var.create_kms_key ? 1 : 0 + + key_id = aws_kms_key.this[0].id + policy = data.aws_iam_policy_document.kms[0].json } diff --git a/terraform/modules/neptune-cluster/variables.tf b/terraform/modules/neptune-cluster/variables.tf index c9007555..6802fb8b 100644 --- a/terraform/modules/neptune-cluster/variables.tf +++ b/terraform/modules/neptune-cluster/variables.tf @@ -45,6 +45,13 @@ variable "create_parameter_groups" { sensitive = false } +variable "create_kms_key" { + type = bool + description = "whether to create the kms key that encrypts the cluster and instance(s)" + default = true + sensitive = false +} + variable "database_subnet_ids" { type = set(string) description = "the list of subnet IDs to associate with the cluster" From 9a40c634b17509cecf2f828fa25926784b1a29f6 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 27 Mar 2024 14:46:43 +0000 Subject: [PATCH 24/34] terraform-docs: automated action --- terraform/modules/neptune-cluster/README.md | 1 + 1 file changed, 1 insertion(+) 
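Review bot: The `aws_kms_key` resource that this hunk wraps in `count` still has no `enable_key_rotation`, so the customer-managed key protecting the cluster never rotates, and `deletion_window_in_days = 7` is the shortest window AWS allows, leaving one week to notice and cancel a mistaken deletion schedule before the key and everything encrypted under it is lost. Since the resource is being edited anyway, add `enable_key_rotation = true` beside the new `count` line and either use the 30-day default window or expose it as a variable with that default. The same hunk also gates `aws_neptune_subnet_group` on `var.create_kms_key`, which reads as a copy-paste slip; PATCH 25 in this series removes it.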
diff --git a/terraform/modules/neptune-cluster/README.md b/terraform/modules/neptune-cluster/README.md index 590685e0..a28b53ea 100644 --- a/terraform/modules/neptune-cluster/README.md +++ b/terraform/modules/neptune-cluster/README.md @@ -38,6 +38,7 @@ No modules. | [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | indicates that minor engine upgrades are applied automatically to the instance during the maintenance window | `bool` | `true` | no | | [backup\_retention\_period](#input\_backup\_retention\_period) | number of days to retain backups for | `string` | `1` | no | | [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | whether to copy tags to snapshots | `bool` | `true` | no | +| [create\_kms\_key](#input\_create\_kms\_key) | whether to create the kms key that encrypts the cluster and instance(s) | `bool` | `true` | no | | [create\_parameter\_groups](#input\_create\_parameter\_groups) | whether to create parameter groups for the cluster and instance(s) | `bool` | `false` | no | | [database\_subnet\_ids](#input\_database\_subnet\_ids) | the list of subnet IDs to associate with the cluster | `set(string)` | n/a | yes | | [deletion\_protection](#input\_deletion\_protection) | whether to enable deletion protection | `bool` | `true` | no | From 393739e87f39f8c0bee385fd9decd4c5f5c27010 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Wed, 27 Mar 2024 10:56:09 -0400 Subject: [PATCH 25/34] handling outputs for conditional values --- terraform/modules/neptune-cluster/locals.tf | 6 ++++++ terraform/modules/neptune-cluster/main.tf | 14 ++++++-------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/terraform/modules/neptune-cluster/locals.tf b/terraform/modules/neptune-cluster/locals.tf index 0cb397dd..a16b657c 100644 --- a/terraform/modules/neptune-cluster/locals.tf +++ b/terraform/modules/neptune-cluster/locals.tf 
@@ -1,3 +1,9 @@ locals { create_parameter_groups = var.enable_serverless ? false : var.create_parameter_groups + + # outputs: + kms_key_id = var.create_kms_key ? aws_kms_key.this[0].key_id : "KMS was created by AWS" + kms_alias_arn = var.create_kms_key ? aws_kms_alias.this[0].arn : "KMS was created by AWS" + kms_alias_id = var.create_kms_key ? aws_kms_alias.this[0].id : "KMS was created by AWS" + kms_alias_name = var.create_kms_key ? aws_kms_alias.this[0].name : "KMS was created by AWS" } diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index a5d953be..8e1ffcd9 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf @@ -107,17 +107,15 @@ resource "aws_kms_alias" "this" { target_key_id = aws_kms_key.this[0].id } -resource "aws_neptune_subnet_group" "this" { - count = var.create_kms_key ? 1 : 0 - - name = "${var.resource_prefix}-neptune-subnets" - description = "subnet group for the ${terraform.workspace}-tier neptune cluster" - subnet_ids = var.database_subnet_ids -} - resource "aws_kms_key_policy" "this" { count = var.create_kms_key ? 1 : 0 key_id = aws_kms_key.this[0].id policy = data.aws_iam_policy_document.kms[0].json } + +resource "aws_neptune_subnet_group" "this" { + name = "${var.resource_prefix}-neptune-subnets" + description = "subnet group for the ${terraform.workspace}-tier neptune cluster" + subnet_ids = var.database_subnet_ids +} From f093e9026777158e861ba1bdbd77ee91d3179978 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Wed, 27 Mar 2024 10:56:53 -0400 Subject: [PATCH 26/34] handling outputs for conditional values --- terraform/modules/neptune-cluster/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index 8e1ffcd9..b847b0ab 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf 
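Review bot: The four new locals return the literal string `"KMS was created by AWS"` from outputs whose names and descriptions promise an ARN, an ID and an alias name, so a consumer that feeds `kms_alias_arn` into an IAM policy statement's `resources` gets an invalid ARN at apply time instead of a clear error. `null` is the idiomatic "not managed here" value for a conditional output and is what downstream `try()`/`coalesce()` expressions handle: `kms_key_id = var.create_kms_key ? aws_kms_key.this[0].key_id : null`, and likewise for the three alias locals. If a human-readable hint is wanted, it belongs in each output's `description`, not its value.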
@@ -119,3 +119,4 @@ resource "aws_neptune_subnet_group" "this" { description = "subnet group for the ${terraform.workspace}-tier neptune cluster" subnet_ids = var.database_subnet_ids } + From 246e56863dffd32c0e1ae260d340fec1f40ccb61 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Wed, 27 Mar 2024 10:58:51 -0400 Subject: [PATCH 27/34] updated the outputs to have count iterators --- terraform/modules/neptune-cluster/outputs.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/modules/neptune-cluster/outputs.tf b/terraform/modules/neptune-cluster/outputs.tf index ee3fda99..10d3a921 100644 --- a/terraform/modules/neptune-cluster/outputs.tf +++ b/terraform/modules/neptune-cluster/outputs.tf @@ -95,25 +95,25 @@ output "instance_identifier" { } output "kms_key_id" { - value = aws_kms_key.this.key_id + value = aws_kms_key.this[0].key_id description = "the neptune cluster kms key id" sensitive = false } output "kms_alias_arn" { - value = aws_kms_alias.this.arn + value = aws_kms_alias.this[0].arn description = "the neptune cluster kms key alias arn" sensitive = false } output "kms_alias_id" { - value = aws_kms_alias.this.id + value = aws_kms_alias.this[0].id description = "the neptune cluster kms key alias id" sensitive = false } output "kms_alias_name" { - value = aws_kms_alias.this.name + value = aws_kms_alias.this[0].name description = "the neptune cluster kms key alias name" sensitive = false } From a9d812381ef38f455c4ec72a9d4069f939a88837 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Wed, 27 Mar 2024 11:00:14 -0400 Subject: [PATCH 28/34] updated the outputs to have count iterators --- terraform/modules/neptune-cluster/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/outputs.tf b/terraform/modules/neptune-cluster/outputs.tf index 10d3a921..9b73ebb0 100644 --- a/terraform/modules/neptune-cluster/outputs.tf +++ b/terraform/modules/neptune-cluster/outputs.tf 
@@ -47,7 +47,7 @@ output "cluster_reader_endpoint" { } output "kms_key_arn" { - value = aws_kms_key.this.arn + value = aws_kms_key.this[0].arn description = "the neptune cluster kms key arn" sensitive = false } From c96a98b427991ff1330966971bf041107b20face Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Wed, 27 Mar 2024 11:02:24 -0400 Subject: [PATCH 29/34] updated the outputs to have count iterators --- terraform/modules/neptune-cluster/locals.tf | 1 + terraform/modules/neptune-cluster/outputs.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/locals.tf b/terraform/modules/neptune-cluster/locals.tf index a16b657c..dd3c2b17 100644 --- a/terraform/modules/neptune-cluster/locals.tf +++ b/terraform/modules/neptune-cluster/locals.tf @@ -2,6 +2,7 @@ locals { create_parameter_groups = var.enable_serverless ? false : var.create_parameter_groups # outputs: + kms_key_arn = var.create_kms_key ? aws_kms_key.this[0].arn : "KMS was created by AWS" kms_key_id = var.create_kms_key ? aws_kms_key.this[0].key_id : "KMS was created by AWS" kms_alias_arn = var.create_kms_key ? aws_kms_alias.this[0].arn : "KMS was created by AWS" kms_alias_id = var.create_kms_key ? aws_kms_alias.this[0].id : "KMS was created by AWS" diff --git a/terraform/modules/neptune-cluster/outputs.tf b/terraform/modules/neptune-cluster/outputs.tf index 9b73ebb0..f6c64dfa 100644 --- a/terraform/modules/neptune-cluster/outputs.tf +++ b/terraform/modules/neptune-cluster/outputs.tf @@ -47,7 +47,7 @@ output "cluster_reader_endpoint" { } output "kms_key_arn" { - value = aws_kms_key.this[0].arn + value = local.kms_key_arn description = "the neptune cluster kms key arn" sensitive = false } From 6572601b1e0072c2758f5c3542a6953f234be3d4 Mon Sep 17 00:00:00 2001 
From: Cole DeVries Date: Wed, 27 Mar 2024 11:03:56 -0400 Subject: [PATCH 30/34] updated the outputs to have count iterators --- terraform/modules/neptune-cluster/main.tf | 1 - terraform/modules/neptune-cluster/outputs.tf | 48 ++++++++++---------- 2 files changed, 24 insertions(+), 25 deletions(-) diff --git a/terraform/modules/neptune-cluster/main.tf b/terraform/modules/neptune-cluster/main.tf index b847b0ab..8e1ffcd9 100644 --- a/terraform/modules/neptune-cluster/main.tf +++ b/terraform/modules/neptune-cluster/main.tf @@ -119,4 +119,3 @@ resource "aws_neptune_subnet_group" "this" { description = "subnet group for the ${terraform.workspace}-tier neptune cluster" subnet_ids = var.database_subnet_ids } - diff --git a/terraform/modules/neptune-cluster/outputs.tf b/terraform/modules/neptune-cluster/outputs.tf index f6c64dfa..92e388f8 100644 --- a/terraform/modules/neptune-cluster/outputs.tf +++ b/terraform/modules/neptune-cluster/outputs.tf @@ -52,6 +52,30 @@ output "kms_key_arn" { sensitive = false } +output "kms_key_id" { + value = local.kms_key_id + description = "the neptune cluster kms key id" + sensitive = false +} + +output "kms_alias_arn" { + value = local.kms_alias_arn + description = "the neptune cluster kms key alias arn" + sensitive = false +} + +output "kms_alias_id" { + value = local.kms_alias_id + description = "the neptune cluster kms key alias id" + sensitive = false +} + +output "kms_alias_name" { + value = local.kms_alias_name + description = "the neptune cluster kms key alias name" + sensitive = false +} + output "instance_address" { value = aws_neptune_cluster_instance.this.address description = "The hostname of the instance. See also endpoint and port." 
@@ -93,27 +117,3 @@ output "instance_identifier" { description = "The neptune instance identifier" sensitive = false } - -output "kms_key_id" { - value = aws_kms_key.this[0].key_id - description = "the neptune cluster kms key id" - sensitive = false -} - -output "kms_alias_arn" { - value = aws_kms_alias.this[0].arn - description = "the neptune cluster kms key alias arn" - sensitive = false -} - -output "kms_alias_id" { - value = aws_kms_alias.this[0].id - description = "the neptune cluster kms key alias id" - sensitive = false -} - -output "kms_alias_name" { - value = aws_kms_alias.this[0].name - description = "the neptune cluster kms key alias name" - sensitive = false -} From d1f9a8baa73063fd7ba535c80fd5362834748e13 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Wed, 27 Mar 2024 11:09:36 -0400 Subject: [PATCH 31/34] updating default engine version variable value --- terraform/modules/neptune-cluster/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/variables.tf b/terraform/modules/neptune-cluster/variables.tf index 6802fb8b..a07efbf2 100644 --- a/terraform/modules/neptune-cluster/variables.tf +++ b/terraform/modules/neptune-cluster/variables.tf @@ -117,7 +117,7 @@ variable "engine" { variable "engine_version" { type = string description = "the version of the database engine to use" - default = "1.2.1.0" + default = "1.3.1.0" sensitive = false } From bdce17bc58d555c5ca212c6769256b27bb3cc6c5 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 27 Mar 2024 15:09:57 +0000 Subject: [PATCH 32/34] terraform-docs: automated action --- terraform/modules/neptune-cluster/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/README.md b/terraform/modules/neptune-cluster/README.md index a28b53ea..69250931 100644 --- a/terraform/modules/neptune-cluster/README.md +++ b/terraform/modules/neptune-cluster/README.md 
@@ -49,7 +49,7 @@ No modules. | [enable\_serverless](#input\_enable\_serverless) | whether to enable serverless mode for the cluster | `bool` | `true` | no | | [enable\_slow\_query\_log](#input\_enable\_slow\_query\_log) | the log level for slow queries applied at the cluster-level - either 'info', 'debug', or 'disable' | `string` | `"info"` | no | | [engine](#input\_engine) | the name of the database engine to be used for this instance | `string` | `"neptune"` | no | -| [engine\_version](#input\_engine\_version) | the version of the database engine to use | `string` | `"1.2.1.0"` | no | +| [engine\_version](#input\_engine\_version) | the version of the database engine to use | `string` | `"1.3.1.0"` | no | | [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | the name of the final snapshot to be created immediately before deleting the cluster | `string` | `null` | no | | [iam\_database\_authentication\_enabled](#input\_iam\_database\_authentication\_enabled) | whether to enable IAM database authentication for the cluster | `bool` | `false` | no | | [iam\_roles](#input\_iam\_roles) | the list of IAM roles to associate with the cluster | `set(string)` | `[]` | no | From c5681019cdbf573691b8b96dc9587f2eabf585fd Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Wed, 27 Mar 2024 12:15:42 -0400 Subject: [PATCH 33/34] updated the value for the kms_key_arn output --- terraform/modules/neptune-cluster/locals.tf | 1 - terraform/modules/neptune-cluster/outputs.tf | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/terraform/modules/neptune-cluster/locals.tf b/terraform/modules/neptune-cluster/locals.tf index dd3c2b17..a16b657c 100644 --- a/terraform/modules/neptune-cluster/locals.tf +++ b/terraform/modules/neptune-cluster/locals.tf 
@@ -2,7 +2,6 @@ locals { create_parameter_groups = var.enable_serverless ? false : var.create_parameter_groups # outputs: - kms_key_arn = var.create_kms_key ? aws_kms_key.this[0].arn : "KMS was created by AWS" kms_key_id = var.create_kms_key ? aws_kms_key.this[0].key_id : "KMS was created by AWS" kms_alias_arn = var.create_kms_key ? aws_kms_alias.this[0].arn : "KMS was created by AWS" kms_alias_id = var.create_kms_key ? aws_kms_alias.this[0].id : "KMS was created by AWS" diff --git a/terraform/modules/neptune-cluster/outputs.tf b/terraform/modules/neptune-cluster/outputs.tf index 92e388f8..cb1edc38 100644 --- a/terraform/modules/neptune-cluster/outputs.tf +++ b/terraform/modules/neptune-cluster/outputs.tf @@ -47,7 +47,7 @@ output "cluster_reader_endpoint" { } output "kms_key_arn" { - value = local.kms_key_arn + value = aws_neptune_cluster_instance.this.kms_key_arn description = "the neptune cluster kms key arn" sensitive = false } From 02ed7f7554f12ca874814c4547b49c56a7a7e024 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Wed, 27 Mar 2024 12:16:37 -0400 Subject: [PATCH 34/34] formatting only --- terraform/modules/neptune-cluster/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/neptune-cluster/variables.tf b/terraform/modules/neptune-cluster/variables.tf index a07efbf2..0c33b99e 100644 --- a/terraform/modules/neptune-cluster/variables.tf +++ b/terraform/modules/neptune-cluster/variables.tf @@ -231,4 +231,4 @@ variable "vpc_security_group_ids" { type = set(string) description = "the list of security group IDs to associate with the cluster" sensitive = false -} \ No newline at end of file +}