From 0709447053985090a839c841a635f86f84d17d8c Mon Sep 17 00:00:00 2001 From: Evan Volgas <3965137+neuroticnetworks@users.noreply.github.com> Date: Fri, 11 Dec 2020 23:51:55 -0800 Subject: [PATCH] [GH Issue 85] Support Audit Logging (#86) Co-authored-by: Evan Volgas --- .github/CODEOWNERS | 13 ++- .github/auto-release.yml | 39 ++++---- .github/mergify.yml | 52 +++++++++++ .github/workflows/auto-context.yml | 55 +++++++++++ .github/workflows/auto-readme.yml | 41 +++++++++ .github/workflows/auto-release.yml | 18 ++-- .github/workflows/chatops.yml | 4 +- .github/workflows/validate-codeowners.yml | 25 +++++ README.md | 23 ++++- README.yaml | 4 +- context.tf | 4 +- docs/terraform.md | 4 +- examples/complete/context.tf | 4 +- examples/complete/main.tf | 6 +- examples/complete/versions.tf | 17 +++- examples/docs/targets.md | 12 +++ examples/docs/terraform.md | 106 ++++++++++++++++++++++ main.tf | 18 +++- variables.tf | 12 +++ versions.tf | 17 +++- 20 files changed, 421 insertions(+), 53 deletions(-) create mode 100644 .github/mergify.yml create mode 100644 .github/workflows/auto-context.yml create mode 100644 .github/workflows/auto-readme.yml create mode 100644 .github/workflows/validate-codeowners.yml create mode 100644 examples/docs/targets.md create mode 100644 examples/docs/terraform.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 07b38d2..ceb4644 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,7 +1,7 @@ # Use this file to define individuals or teams that are responsible for code in a repository. # Read more: # -# Order is important: the last matching pattern takes the most precedence +# Order is important: the last matching pattern has the highest precedence # These owners will be the default owners for everything * @cloudposse/engineering @cloudposse/contributors 
@@ -13,5 +13,12 @@ # Cloud Posse must review any changes to GitHub actions .github/* @cloudposse/engineering -# Cloud Posse must review any changes to standard context definition -**/context.tf @cloudposse/engineering +# Cloud Posse must review any changes to standard context definition, +# but some changes can be rubber-stamped. +**/context.tf @cloudposse/engineering @cloudposse/approvers +README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers +docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers + +# Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration +.github/mergify.yml @cloudposse/admins +.github/CODEOWNERS @cloudposse/admins diff --git a/.github/auto-release.yml b/.github/auto-release.yml index 2836185..18a1ca6 100644 --- a/.github/auto-release.yml +++ b/.github/auto-release.yml @@ -4,30 +4,35 @@ version-template: '$MAJOR.$MINOR.$PATCH' version-resolver: major: labels: - - 'major' + - 'major' minor: labels: - - 'minor' - - 'enhancement' + - 'minor' + - 'enhancement' patch: labels: - - 'patch' - - 'fix' - - 'bugfix' - - 'bug' - - 'hotfix' + - 'auto-update' + - 'patch' + - 'fix' + - 'bugfix' + - 'bug' + - 'hotfix' default: 'minor' categories: - - title: '๐Ÿš€ Enhancements' - labels: - - 'enhancement' - - title: '๐Ÿ› Bug Fixes' - labels: - - 'fix' - - 'bugfix' - - 'bug' - - 'hotfix' +- title: '๐Ÿš€ Enhancements' + labels: + - 'enhancement' + - 'patch' +- title: '๐Ÿ› Bug Fixes' + labels: + - 'fix' + - 'bugfix' + - 'bug' + - 'hotfix' +- title: '๐Ÿค– Automatic Updates' + labels: + - 'auto-update' change-template: |
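Review bot: The two new admins-only entries cover `.github/mergify.yml` and `.github/CODEOWNERS` but not `.github/workflows/`, which is where this same commit adds the jobs that use `PUBLIC_REPO_ACCESS_TOKEN`; whether the earlier `.github/*` line reaches files in that subdirectory depends on how CODEOWNERS expands `*`, so it should not be left implicit. If the intent is that only admins can change what the PAT is allowed to do, add `.github/workflows/* @cloudposse/admins` next to the two new lines. If workflows are meant to stay with `@cloudposse/engineering`, a one-line comment saying so would make the policy readable without consulting the glob rules.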
diff --git a/.github/mergify.yml b/.github/mergify.yml new file mode 100644 index 0000000..485982f --- /dev/null +++ b/.github/mergify.yml @@ -0,0 +1,52 @@ +pull_request_rules: +- name: "approve automated PRs that have passed checks" + conditions: + - "check-success~=test/bats" + - "check-success~=test/readme" + - "check-success~=test/terratest" + - "base=master" + - "author=cloudpossebot" + - "head~=auto-update/.*" + actions: + review: + type: "APPROVE" + bot_account: "cloudposse-mergebot" + message: "We've automatically approved this PR because the checks from the automated Pull Request have passed." + +- name: "merge automated PRs when approved and tests pass" + conditions: + - "check-success~=test/bats" + - "check-success~=test/readme" + - "check-success~=test/terratest" + - "base=master" + - "head~=auto-update/.*" + - "#approved-reviews-by>=1" + - "#changes-requested-reviews-by=0" + - "#commented-reviews-by=0" + - "base=master" + - "author=cloudpossebot" + actions: + merge: + method: "squash" + +- name: "delete the head branch after merge" + conditions: + - "merged" + actions: + delete_head_branch: {} + +- name: "ask to resolve conflict" + conditions: + - "conflict" + actions: + comment: + message: "This pull request is now in conflict. Could you fix it @{{author}}? ๐Ÿ™" + +- name: "remove outdated reviews" + conditions: + - "base=master" + actions: + dismiss_reviews: + changes_requested: true + approved: true + message: "This Pull Request has been updated, so we're dismissing all reviews." diff --git a/.github/workflows/auto-context.yml b/.github/workflows/auto-context.yml new file mode 100644 index 0000000..df1a857 --- /dev/null +++ b/.github/workflows/auto-context.yml 
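Review bot: In the "merge automated PRs" rule `base=master` is listed twice, and its `#approved-reviews-by>=1` condition is satisfied by the `cloudposse-mergebot` review posted by the first rule, so a PR on an `auto-update/*` branch authored by `cloudpossebot` goes from open to squash-merge with no human reading it once the three checks pass. That may well be the intent, but it means the reviewers added for `**/context.tf` in CODEOWNERS only gate these PRs if branch protection requires code-owner review, which this patch does not show. Drop the duplicate `base=master`, and state the design on the first rule, e.g. `# the bot's own approval satisfies the merge rule below; any human gate comes from branch protection, not from here`.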
@@ -0,0 +1,55 @@ +name: "auto-context" +on: + schedule: + # Update context.tf nightly + - cron: '0 3 * * *' + +jobs: + update: + if: github.event_name == 'schedule' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Update context.tf + shell: bash + id: update + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + if [[ -f context.tf ]]; then + echo "Discovered existing context.tf! Fetching most recent version to see if there is an update." + curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf + if git diff --no-patch --exit-code context.tf; then + echo "No changes detected! Exiting the job..." + else + echo "context.tf file has changed. Update examples and rebuild README.md." + make init + make github/init/context.tf + make readme/build + echo "::set-output name=create_pull_request=true" + fi + else + echo "This module has not yet been updated to support the context.tf pattern! Please update in order to support automatic updates." + fi + + - name: Create Pull Request + if: steps.update.outputs.create_pull_request == 'true' + uses: cloudposse/actions/github/create-pull-request@0.22.0 + with: + token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} + commit-message: Update context.tf from origin source + title: Update context.tf + body: |- + ## what + This is an auto-generated PR that updates the `context.tf` file to the latest version from `cloudposse/terraform-null-label` + + ## why + To support all the features of the `context` interface. + + branch: auto-update/context.tf + base: master + delete-branch: true + labels: | + auto-update + context diff --git a/.github/workflows/auto-readme.yml b/.github/workflows/auto-readme.yml new file mode 100644 index 0000000..6229e60 --- /dev/null +++ b/.github/workflows/auto-readme.yml 
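Review bot: The `Update context.tf` step downloads `context.tf` from the `master` branch of `cloudposse/terraform-null-label` with `curl` and no pin or integrity check, then runs `make init` and `make readme/build` on it, and the resulting PR lands on an `auto-update/*` branch that the new mergify rules approve and merge on their own. Any change that reaches that upstream branch is therefore copied into this repository's `context.tf` without a maintainer reading the diff. Either fetch from a tagged release rather than `master`, or keep the fetch but exclude `auto-update/context.tf` from the mergify auto-approve rule so the diff gets a human review; at minimum put `# unpinned: tracks upstream master, so every upstream change is auto-merged here` above the `curl` line. Also note the `create-pull-request` action is `0.22.0` here while `auto-readme.yml` in this same commit uses `0.20.0`; the two workflows should pin the same version.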
@@ -0,0 +1,41 @@ +name: "auto-readme" +on: + schedule: + # Update README.md nightly + - cron: '0 4 * * *' + +jobs: + update: + if: github.event_name == 'schedule' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Update readme + shell: bash + id: update + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + make init + make readme/build + + - name: Create Pull Request + uses: cloudposse/actions/github/create-pull-request@0.20.0 + with: + token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} + commit-message: Update README.md and docs + title: Update README.md and docs + body: |- + ## what + This is an auto-generated PR that updates the README.md and docs + + ## why + To have most recent changes of README.md and doc from origin templates + + branch: auto-update/readme + base: master + delete-branch: true + labels: | + auto-update + readme diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index e21fbfe..ccc27be 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -3,17 +3,17 @@ name: auto-release on: push: branches: - - master + - master jobs: semver: runs-on: ubuntu-latest steps: - # Drafts your next Release notes as Pull Requests are merged into "master" - - uses: release-drafter/release-drafter@v5 - with: - publish: true - prerelease: false - config-name: auto-release.yml - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Drafts your next Release notes as Pull Requests are merged into "master" + - uses: release-drafter/release-drafter@v5 + with: + publish: true + prerelease: false + config-name: auto-release.yml + env: + GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml index 0d94310..4ddc067 100644 --- a/.github/workflows/chatops.yml +++ b/.github/workflows/chatops.yml 
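Review bot: The last line of the `auto-release.yml` hunk swaps `GITHUB_TOKEN` for `PUBLIC_REPO_ACCESS_TOKEN` in the release-drafter step without saying why; a personal access token usually has wider scope and a longer lifetime than the job-scoped `GITHUB_TOKEN`, so the reason should be recorded next to the change. Presumably it is so that the published release can trigger other workflows, which events created with `GITHUB_TOKEN` do not, but that is inferred rather than visible here. Add `# PAT rather than GITHUB_TOKEN so the published release can trigger downstream workflows` above the `env:` block, and if that is not the reason, keep `GITHUB_TOKEN`.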
@@ -9,7 +9,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: "Handle common commands" - uses: cloudposse/actions/github/slash-command-dispatch@0.16.0 + uses: cloudposse/actions/github/slash-command-dispatch@0.22.0 with: token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} @@ -24,7 +24,7 @@ jobs: - name: "Checkout commit" uses: actions/checkout@v2 - name: "Run tests" - uses: cloudposse/actions/github/slash-command-dispatch@0.16.0 + uses: cloudposse/actions/github/slash-command-dispatch@0.22.0 with: token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml new file mode 100644 index 0000000..386eb28 --- /dev/null +++ b/.github/workflows/validate-codeowners.yml @@ -0,0 +1,25 @@ +name: Validate Codeowners +on: + pull_request: + +jobs: + validate-codeowners: + runs-on: ubuntu-latest + steps: + - name: "Checkout source code at current commit" + uses: actions/checkout@v2 + - uses: mszostok/codeowners-validator@v0.5.0 + if: github.event.pull_request.head.repo.full_name == github.repository + name: "Full check of CODEOWNERS" + with: + # For now, remove "files" check to allow CODEOWNERS to specify non-existent + # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos + # checks: "files,syntax,owners,duppatterns" + checks: "syntax,owners,duppatterns" + # GitHub access token is required only if the `owners` check is enabled + github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}" + - uses: mszostok/codeowners-validator@v0.5.0 + if: github.event.pull_request.head.repo.full_name != github.repository + name: "Syntax check of CODEOWNERS" + with: + checks: "syntax,duppatterns" diff --git a/README.md b/README.md index 42ad003..d9ab1e6 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,6 @@ + # terraform-aws-elasticsearch [![Codefresh Build Status](https://g.codefresh.io/api/badges/pipeline/cloudposse/terraform-modules%2Fterraform-aws-elasticsearch?type=cf-1)](https://g.codefresh.io/public/accounts/cloudposse/pipelines/5d22bfe5a7e22ea3b67ea820) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-elasticsearch.svg)](https://github.com/cloudposse/terraform-aws-elasticsearch/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) + [![README Header][readme_header_img]][readme_header_link] 
@@ -75,14 +77,23 @@ If you don't enable zone awareness, Amazon ES places an endpoint into only one s ## Usage -**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases. -Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-elasticsearch/releases). +**IMPORTANT:** We do not pin modules to versions in our examples because of the +difficulty of keeping the versions in the documentation in sync with the latest released versions. +We highly recommend that in your code you pin the version to the exact version you are +using so that your infrastructure remains stable, and update versions in a +systematic way so that they do not catch you by surprise. + +Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)), +the registry shows many of our inputs as required when in fact they are optional. +The table below correctly indicates which inputs are required. ```hcl module "elasticsearch" { - source = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=master" + source = "cloudposse/elasticsearch/aws" + # Cloud Posse recommends pinning every module to a specific version + # version = "x.x.x" namespace = "eg" stage = "dev" name = "es" @@ -136,7 +147,7 @@ Available targets: | Name | Version | |------|---------| -| terraform | >= 0.12.0 | +| terraform | >= 0.12.26 | | aws | >= 2.0 | | null | >= 2.0 | | template | >= 2.0 | @@ -200,6 +211,8 @@ Available targets: | label\_order | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | | log\_publishing\_application\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for ES\_APPLICATION\_LOGS needs to be published | `string` | `""` | no | | log\_publishing\_application\_enabled | Specifies whether log publishing option for ES\_APPLICATION\_LOGS is enabled or not | `bool` | `false` | no | +| log\_publishing\_audit\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for AUDIT\_LOGS needs to be published | `string` | `""` | no | +| log\_publishing\_audit\_enabled | Specifies whether log publishing option for AUDIT\_LOGS is enabled or not | `bool` | `false` | no | | log\_publishing\_index\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for INDEX\_SLOW\_LOGS needs to be published | `string` | `""` | no | | log\_publishing\_index\_enabled | Specifies whether log publishing option for INDEX\_SLOW\_LOGS is enabled or not | `bool` | `false` | no | | log\_publishing\_search\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for SEARCH\_SLOW\_LOGS needs to be published | `string` | `""` | no | @@ -382,8 +395,10 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply ### Contributors + | [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]
[Andriy Knysh][aknysh_homepage] | [![Igor Rodionov][goruha_avatar]][goruha_homepage]
[Igor Rodionov][goruha_homepage] | [![Sarkis Varozian][sarkis_avatar]][sarkis_homepage]
[Sarkis Varozian][sarkis_homepage] | [![Marcin Braล„ski][3h4x_avatar]][3h4x_homepage]
[Marcin Braล„ski][3h4x_homepage] | |---|---|---|---|---| + [osterman_homepage]: https://github.com/osterman [osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png diff --git a/README.yaml b/README.yaml index 5ae6bd3..e466e5e 100644 --- a/README.yaml +++ b/README.yaml @@ -57,7 +57,9 @@ usage: |- ```hcl module "elasticsearch" { - source = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=master" + source = "cloudposse/elasticsearch/aws" + # Cloud Posse recommends pinning every module to a specific version + # version = "x.x.x" namespace = "eg" stage = "dev" name = "es" diff --git a/context.tf b/context.tf index bae0cf1..e5734b7 100644 --- a/context.tf +++ b/context.tf @@ -18,8 +18,10 @@ # will be null, and `module.this.delimiter` will be `-` (hyphen). # + module "this" { - source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.19.2" + source = "cloudposse/label/null" + version = "0.22.0" // requires Terraform >= 0.12.26 enabled = var.enabled namespace = var.namespace diff --git a/docs/terraform.md b/docs/terraform.md index 415e34d..fd6535a 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| terraform | >= 0.12.0 | +| terraform | >= 0.12.26 | | aws | >= 2.0 | | null | >= 2.0 | | template | >= 2.0 | @@ -67,6 +67,8 @@ | label\_order | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | | log\_publishing\_application\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for ES\_APPLICATION\_LOGS needs to be published | `string` | `""` | no | | log\_publishing\_application\_enabled | Specifies whether log publishing option for ES\_APPLICATION\_LOGS is enabled or not | `bool` | `false` | no | +| log\_publishing\_audit\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for AUDIT\_LOGS needs to be published | `string` | `""` | no | +| log\_publishing\_audit\_enabled | Specifies whether log publishing option for AUDIT\_LOGS is enabled or not | `bool` | `false` | no | | log\_publishing\_index\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for INDEX\_SLOW\_LOGS needs to be published | `string` | `""` | no | | log\_publishing\_index\_enabled | Specifies whether log publishing option for INDEX\_SLOW\_LOGS is enabled or not | `bool` | `false` | no | | log\_publishing\_search\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for SEARCH\_SLOW\_LOGS needs to be published | `string` | `""` | no | diff --git a/examples/complete/context.tf b/examples/complete/context.tf index bae0cf1..e5734b7 100644 --- a/examples/complete/context.tf +++ b/examples/complete/context.tf @@ -18,8 +18,10 @@ # will be null, and `module.this.delimiter` will be `-` (hyphen). # + module "this" { - source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.19.2" + source = "cloudposse/label/null" + version = "0.22.0" // requires Terraform >= 0.12.26 enabled = var.enabled namespace = var.namespace diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 04ca29d..4b9a9ca 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -3,7 +3,8 @@ provider "aws" { } module "vpc" { - source = "git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=tags/0.17.0" + source = "cloudposse/vpc/aws" + version = "0.17.0" cidr_block = "172.16.0.0/16" @@ -11,7 +12,8 @@ module "vpc" { } module "subnets" { - source = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.30.0" + source = "cloudposse/dynamic-subnets/aws" + version = "0.30.0" availability_zones = var.availability_zones vpc_id = module.vpc.vpc_id diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index 7c5a568..9b6d904 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -1,9 +1,18 @@ terraform { - required_version = ">= 0.12.0" + required_version = ">= 0.12.26" required_providers { - aws = ">= 2.0" - template = ">= 2.0" - null = ">= 2.0" + aws = { + source = "hashicorp/aws" + version = ">= 2.0" + } + template = { + source = "hashicorp/template" + version = ">= 2.0" + } + null = { + source = "hashicorp/null" + version = ">= 2.0" + } } } diff --git a/examples/docs/targets.md b/examples/docs/targets.md new file mode 100644 index 0000000..3dce8b3 --- /dev/null +++ b/examples/docs/targets.md @@ -0,0 +1,12 @@ + +## Makefile Targets +```text +Available targets: + + help Help screen + help/all Display help for all targets + help/short This help short screen + lint Lint terraform code + +``` + diff --git a/examples/docs/terraform.md b/examples/docs/terraform.md new file mode 100644 index 0000000..00d0c97 --- /dev/null +++ b/examples/docs/terraform.md 
@@ -0,0 +1,106 @@ + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 0.12.0 | +| aws | >= 2.0 | +| null | >= 2.0 | +| template | >= 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| aws | >= 2.0 | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| additional\_tag\_map | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| advanced\_options | Key-value string pairs to specify advanced configuration options | `map(string)` | `{}` | no | +| advanced\_security\_options\_enabled | AWS Elasticsearch Kibana enchanced security plugin enabling (forces new resource) | `bool` | `false` | no | +| advanced\_security\_options\_internal\_user\_database\_enabled | Whether to enable or not internal Kibana user database for ELK OpenDistro security plugin | `bool` | `false` | no | +| advanced\_security\_options\_master\_user\_arn | ARN of IAM user who is to be mapped to be Kibana master user (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to false) | `string` | `""` | no | +| advanced\_security\_options\_master\_user\_name | Master user username (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to true) | `string` | `""` | no | +| advanced\_security\_options\_master\_user\_password | Master user password (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to true) | `string` | `""` | no | +| allowed\_cidr\_blocks | List of CIDR blocks to be allowed to connect to the cluster | `list(string)` | `[]` | no | +| attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | +| automated\_snapshot\_start\_hour | Hour at which automated snapshots are taken, in UTC | `number` | `0` | no | +| availability\_zone\_count | Number of Availability Zones for the domain to use. 
| `number` | `2` | no | +| aws\_ec2\_service\_name | AWS EC2 Service Name | `list(string)` |
[
"ec2.amazonaws.com"
]
| no | +| cognito\_authentication\_enabled | Whether to enable Amazon Cognito authentication with Kibana | `bool` | `false` | no | +| cognito\_iam\_role\_arn | ARN of the IAM role that has the AmazonESCognitoAccess policy attached | `string` | `""` | no | +| cognito\_identity\_pool\_id | The ID of the Cognito Identity Pool to use | `string` | `""` | no | +| cognito\_user\_pool\_id | The ID of the Cognito User Pool to use | `string` | `""` | no | +| context | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | +| create\_iam\_service\_linked\_role | Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | `bool` | `true` | no | +| dedicated\_master\_count | Number of dedicated master nodes in the cluster | `number` | `0` | no | +| dedicated\_master\_enabled | Indicates whether dedicated master nodes are enabled for the cluster | `bool` | `false` | no | +| dedicated\_master\_type | Instance type of the dedicated master nodes in the cluster | `string` | `"t2.small.elasticsearch"` | no | +| delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| dns\_zone\_id | Route53 DNS Zone ID to add hostname records for Elasticsearch domain and Kibana | `string` | `""` | no | +| domain\_endpoint\_options\_enforce\_https | Whether or not to require HTTPS | `bool` | `false` | no | +| domain\_endpoint\_options\_tls\_security\_policy | The name of the TLS security policy that needs to be applied to the HTTPS endpoint | `string` | `"Policy-Min-TLS-1-0-2019-07"` | no | +| domain\_hostname\_enabled | Explicit flag to enable creating a DNS hostname for ES. If `true`, then `var.dns_zone_id` is required. | `bool` | `false` | no | +| ebs\_iops | The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the Provisioned IOPS EBS volume type | `number` | `0` | no | +| ebs\_volume\_size | EBS volumes for data storage in GB | `number` | `0` | no | +| ebs\_volume\_type | Storage type of EBS volumes | `string` | `"gp2"` | no | +| elasticsearch\_subdomain\_name | The name of the subdomain for Elasticsearch in the DNS zone (\_e.g.\_ `elasticsearch`, `ui`, `ui-es`, `search-ui`) | `string` | `""` | no | +| elasticsearch\_version | Version of Elasticsearch to deploy (\_e.g.\_ `7.4`, `7.1`, `6.8`, `6.7`, `6.5`, `6.4`, `6.3`, `6.2`, `6.0`, `5.6`, `5.5`, `5.3`, `5.1`, `2.3`, `1.5` | `string` | `"7.4"` | no | +| enabled | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| encrypt\_at\_rest\_enabled | Whether to enable encryption at rest | `bool` | `true` | no | +| encrypt\_at\_rest\_kms\_key\_id | The KMS key ID to encrypt the Elasticsearch domain with. If not specified, then it defaults to using the AWS/Elasticsearch service KMS key | `string` | `""` | no | +| environment | Environment, e.g. 
'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| iam\_actions | List of actions to allow for the IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost` | `list(string)` | `[]` | no | +| iam\_authorizing\_role\_arns | List of IAM role ARNs to permit to assume the Elasticsearch user role | `list(string)` | `[]` | no | +| iam\_role\_arns | List of IAM role ARNs to permit access to the Elasticsearch domain | `list(string)` | `[]` | no | +| iam\_role\_max\_session\_duration | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | `number` | `3600` | no | +| id\_length\_limit | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| ingress\_port\_range\_end | End number for allowed port range. (e.g. `443`) | `number` | `65535` | no | +| ingress\_port\_range\_start | Start number for allowed port range. (e.g. `443`) | `number` | `0` | no | +| instance\_count | Number of data nodes in the cluster | `number` | `4` | no | +| instance\_type | Elasticsearch instance type for data nodes in the cluster | `string` | `"t2.small.elasticsearch"` | no | +| kibana\_hostname\_enabled | Explicit flag to enable creating a DNS hostname for Kibana. If `true`, then `var.dns_zone_id` is required. | `bool` | `false` | no | +| kibana\_subdomain\_name | The name of the subdomain for Kibana in the DNS zone (\_e.g.\_ `kibana`, `ui`, `ui-es`, `search-ui`, `kibana.elasticsearch`) | `string` | n/a | yes | +| label\_order | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | +| log\_publishing\_application\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for ES\_APPLICATION\_LOGS needs to be published | `string` | `""` | no | +| log\_publishing\_application\_enabled | Specifies whether log publishing option for ES\_APPLICATION\_LOGS is enabled or not | `bool` | `false` | no | +| log\_publishing\_audit\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for AUDIT\_LOGS needs to be published | `string` | `""` | no | +| log\_publishing\_audit\_enabled | Specifies whether log publishing option for AUDIT\_LOGS is enabled or not | `bool` | `false` | no | +| log\_publishing\_index\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for INDEX\_SLOW\_LOGS needs to be published | `string` | `""` | no | +| log\_publishing\_index\_enabled | Specifies whether log publishing option for INDEX\_SLOW\_LOGS is enabled or not | `bool` | `false` | no | +| log\_publishing\_search\_cloudwatch\_log\_group\_arn | ARN of the CloudWatch log group to which log for SEARCH\_SLOW\_LOGS needs to be published | `string` | `""` | no | +| log\_publishing\_search\_enabled | Specifies whether log publishing option for SEARCH\_SLOW\_LOGS is enabled or not | `bool` | `false` | no | +| name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | +| namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| node\_to\_node\_encryption\_enabled | Whether to enable node-to-node encryption | `bool` | `false` | no | +| regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| security\_groups | List of security group IDs to be allowed to connect to the cluster | `list(string)` | `[]` | no | +| stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| subnet\_ids | VPC Subnet IDs | `list(string)` | `[]` | no | +| tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | +| vpc\_enabled | Set to false if ES should be deployed outside of VPC. | `bool` | `true` | no | +| vpc\_id | VPC ID | `string` | `null` | no | +| warm\_count | Number of UltraWarm nodes | `number` | `2` | no | +| warm\_enabled | Whether AWS UltraWarm is enabled | `bool` | `false` | no | +| warm\_type | Type of UltraWarm nodes | `string` | `"ultrawarm1.medium.elasticsearch"` | no | +| zone\_awareness\_enabled | Enable zone awareness for Elasticsearch cluster | `bool` | `true` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| domain\_arn | ARN of the Elasticsearch domain | +| domain\_endpoint | Domain-specific endpoint used to submit index, search, and data upload requests | +| domain\_hostname | Elasticsearch domain hostname to submit index, search, and data upload requests | +| domain\_id | Unique identifier for the Elasticsearch domain | +| domain\_name | Name of the Elasticsearch domain | +| elasticsearch\_user\_iam\_role\_arn | The ARN of the IAM role to allow access to Elasticsearch cluster | +| elasticsearch\_user\_iam\_role\_name | The name of the IAM role to allow access to Elasticsearch cluster | +| kibana\_endpoint | Domain-specific endpoint for Kibana without https scheme | +| kibana\_hostname | Kibana hostname | +| security\_group\_id | Security Group ID to control access to the Elasticsearch domain | + + diff --git a/main.tf b/main.tf index e795d7f..39c01b4 100644 --- a/main.tf +++ b/main.tf 
@@ -1,5 +1,6 @@
 module "user_label" {
- source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.19.2"
+ source = "cloudposse/label/null"
+ version = "0.19.2"
 attributes = compact(concat(module.this.attributes, ["user"]))
@@ -7,7 +8,8 @@ module "user_label" {
 }
 module "kibana_label" {
- source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.19.2"
+ source = "cloudposse/label/null"
+ version = "0.19.2"
 attributes = compact(concat(module.this.attributes, ["kibana"]))
@@ -187,6 +189,12 @@ resource "aws_elasticsearch_domain" "default" {
 cloudwatch_log_group_arn = var.log_publishing_search_cloudwatch_log_group_arn
 }
+ log_publishing_options {
+ enabled = var.log_publishing_audit_enabled
+ log_type = "AUDIT_LOGS"
+ cloudwatch_log_group_arn = var.log_publishing_audit_cloudwatch_log_group_arn
+ }
+
 log_publishing_options {
 enabled = var.log_publishing_application_enabled
 log_type = "ES_APPLICATION_LOGS"
@@ -253,7 +261,8 @@ resource "aws_elasticsearch_domain_policy" "default" {
 }
 module "domain_hostname" {
- source = "git::https://github.com/cloudposse/terraform-aws-route53-cluster-hostname.git?ref=tags/0.7.0"
+ source = "cloudposse/route53-cluster-hostname/aws"
+ version = "0.7.0"
 enabled = module.this.enabled && var.domain_hostname_enabled
 dns_name = var.elasticsearch_subdomain_name == "" ? module.this.id : var.elasticsearch_subdomain_name
@@ -265,7 +274,8 @@ module "domain_hostname" {
 }
 module "kibana_hostname" {
- source = "git::https://github.com/cloudposse/terraform-aws-route53-cluster-hostname.git?ref=tags/0.7.0"
+ source = "cloudposse/route53-cluster-hostname/aws"
+ version = "0.7.0"
 enabled = module.this.enabled && var.kibana_hostname_enabled
 dns_name = var.kibana_subdomain_name == "" ? module.kibana_label.id : var.kibana_subdomain_name
diff --git a/variables.tf b/variables.tf
index 722cd23..9460636 100644
--- a/variables.tf
+++ b/variables.tf
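Review bot: The new `AUDIT_LOGS` block in `aws_elasticsearch_domain.default` is not tied to the domain's security configuration: Amazon ES accepts audit logging only on domains with fine-grained access control enabled (this module's `advanced_security_options_enabled`), and with `log_publishing_audit_enabled = true` and the default `cloudwatch_log_group_arn = ""` the failure surfaces at apply time from the API rather than at plan time. Custom variable validation is not generally available on the `>= 0.12.26` baseline this commit sets, so a comment on the block is the practical fix: `# AUDIT_LOGS is only accepted when fine-grained access control (advanced_security_options_enabled) is on, and the log group needs a resource policy allowing es.amazonaws.com to write to it`. Separately, `user_label` and `kibana_label` stay on `cloudposse/label/null` `0.19.2` while `context.tf` in this same commit moves to `0.22.0`; if they consume `module.this.context` the two label versions should be aligned rather than left to Terraform's object conversion. The enclosing `aws_elasticsearch_domain` resource starts and ends outside the hunk.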
@@ -167,6 +167,12 @@ variable "log_publishing_search_enabled" {
 description = "Specifies whether log publishing option for SEARCH_SLOW_LOGS is enabled or not"
 }
+variable "log_publishing_audit_enabled" {
+ type = bool
+ default = false
+ description = "Specifies whether log publishing option for AUDIT_LOGS is enabled or not"
+}
+
 variable "log_publishing_application_enabled" {
 type = bool
 default = false
@@ -185,6 +191,12 @@ variable "log_publishing_search_cloudwatch_log_group_arn" {
 description = "ARN of the CloudWatch log group to which log for SEARCH_SLOW_LOGS needs to be published"
 }
+variable "log_publishing_audit_cloudwatch_log_group_arn" {
+ type = string
+ default = ""
+ description = "ARN of the CloudWatch log group to which log for AUDIT_LOGS needs to be published"
+}
+
 variable "log_publishing_application_cloudwatch_log_group_arn" {
 type = string
 default = ""
diff --git a/versions.tf b/versions.tf
index 7c5a568..9b6d904 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,9 +1,18 @@
 terraform {
- required_version = ">= 0.12.0"
+ required_version = ">= 0.12.26"
 required_providers {
- aws = ">= 2.0"
- template = ">= 2.0"
- null = ">= 2.0"
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 2.0"
+ }
+ template = {
+ source = "hashicorp/template"
+ version = ">= 2.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 2.0"
+ }
 }
 }
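Review bot: The descriptions of the new `log_publishing_audit_enabled` and `log_publishing_audit_cloudwatch_log_group_arn` variables copy the slow-log wording and so omit what makes audit logs different from the other three log types: they can only be switched on together with fine-grained access control, and the ARN must be non-empty whenever the flag is true. These strings are what gets rendered into README.md and docs/terraform.md, so they are the only place a module user will see the constraint. Extend the first to `description = "Specifies whether log publishing option for AUDIT_LOGS is enabled or not. Requires advanced_security_options_enabled = true and a non-empty log_publishing_audit_cloudwatch_log_group_arn"` and add the matching sentence to the ARN variable.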