Example of a minimal Terraform module to deploy an AWS Elasticsearch Service instance with a single node.
Minimal doesn't have to be insecure 😄
It supports encryption at rest with a custom KMS key and an IAM access policy that grants access only to your public IP.
This module is meant as an example. In a real-world scenario, it is better to run your Elasticsearch instance inside a custom VPC, reachable only from your EC2 instance(s) or AWS services, instead of exposing it to the Internet. In that case, Kibana can be made available through an NGINX reverse proxy that exposes port 443.
- Create an AWS Elasticsearch Service instance (managed by AWS)
- Encryption with a KMS CMK (lets you manage the usage of the KMS key)
- Accessible only from your public IP
- Under a custom VPC (`minimal-vpc` module) or default VPC (`minimal` module)
Name | Description | Type | Default | Required |
---|---|---|---|---|
my_public_ip | Your public IP | String | | Yes |
aws_region | The AWS region where you want to deploy your Elasticsearch instance | String | us-east-1 | No |
domain_name | Elasticsearch cluster name | String | elasticsearch-single-node | No |
elasticsearch_version | Elasticsearch version | String | 6.3 | No |
instance_type | Elasticsearch instance type (t2 family doesn't support encryption at rest) | String | m4.large.elasticsearch | No |
volume_size | Elasticsearch volume size | String | 10 | No |
tags | Default tags you want to add | Map | Terraform=true | No |
Name | Description | Type |
---|---|---|
elasticsearch_endpoint | Elasticsearch public endpoint | String |
elasticsearch_kibana_endpoint | Elasticsearch Kibana public endpoint | String |
Using the `minimal` module (default VPC):

```hcl
module "es-single-node" {
  source = "github.com/timoa/terraform-elasticsearch-single-node/minimal"

  # Your public IP to secure your Elasticsearch instance (required)
  my_public_ip = "1.2.3.4"

  # AWS Region where you want to deploy your Elasticsearch single node
  aws_region = "eu-west-2"
}
```

Using the `minimal-vpc` module (custom VPC):

```hcl
module "es-single-node" {
  source = "github.com/timoa/terraform-elasticsearch-single-node/minimal-vpc"

  # Your public IP to secure your Elasticsearch instance (required)
  my_public_ip = "1.2.3.4"

  # AWS Region where you want to deploy your Elasticsearch single node
  aws_region = "eu-west-2"
}
```
This Terraform module can also be improved with the following changes:
- Support for multiple environments (distinct name and tags between environment)
- Support for Route 53 (by adding an alias to an existing Route 53 zone)
Description | Risk level | Link |
---|---|---|
Elasticsearch Domain open to Internet | High | Elasticsearch Domain IP-Based Access |
Elasticsearch Domain without encryption at rest | High | Enable AWS ElasticSearch Encryption At Rest |
Elasticsearch Domain encryption with AWS managed-keys | High | Elasticsearch Domain Encrypted with KMS CMKs |
Elasticsearch Domain outside custom VPC | High | AWS Elasticsearch Domain In VPC |
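
How the first three rows of the table can be addressed in Terraform, as an added example that is not this module's own source. It assumes Terraform 0.12+ syntax and the standard `aws` partition; the variable names are the inputs documented above, and the resource and data source names (`es`, `es_access`, `current`) are hypothetical.

```hcl
# Added example, not the module's source. Variables are the inputs listed in
# this README; resource and data source names are hypothetical.
data "aws_caller_identity" "current" {}

# Customer-managed key (CMK): key usage is governed by your own key policy.
resource "aws_kms_key" "es" {
  description         = "Encryption at rest for ${var.domain_name}"
  enable_key_rotation = true
}

# The principal is "*", so the aws:SourceIp condition is the only access
# control. Dropping it, or widening the /32, leaves the domain open.
data "aws_iam_policy_document" "es_access" {
  statement {
    effect    = "Allow"
    actions   = ["es:*"]
    resources = ["arn:aws:es:${var.aws_region}:${data.aws_caller_identity.current.account_id}:domain/${var.domain_name}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = ["${var.my_public_ip}/32"]
    }
  }
}

resource "aws_elasticsearch_domain" "es" {
  domain_name           = var.domain_name
  elasticsearch_version = var.elasticsearch_version
  access_policies       = data.aws_iam_policy_document.es_access.json

  cluster_config {
    instance_type  = var.instance_type # t2 family cannot encrypt at rest
    instance_count = 1
  }

  ebs_options {
    ebs_enabled = true
    volume_size = var.volume_size
  }

  encrypt_at_rest {
    enabled    = true
    kms_key_id = aws_kms_key.es.key_id
  }
}
```

The fourth row is not covered here: placing the domain in a VPC additionally requires a `vpc_options` block with subnet and security group IDs.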