» Resource: aws_elasticsearch_domain
Manages an AWS Elasticsearch Domain.
» Example Usage
» Basic Usage
resource "aws_elasticsearch_domain" "example" {
domain_name = "example"
elasticsearch_version = "1.5"
cluster_config {
instance_type = "r4.large.elasticsearch"
}
snapshot_options {
automated_snapshot_start_hour = 23
}
tags = {
Domain = "TestDomain"
}
}
» Access Policy
See also: aws_elasticsearch_domain_policy
resource
variable "domain" {
default = "tf-test"
}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
resource "aws_elasticsearch_domain" "example" {
domain_name = "${var.domain}"
# ... other configuration ...
access_policies = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Principal": "*",
"Effect": "Allow",
"Resource": "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.domain}/*",
"Condition": {
"IpAddress": {"aws:SourceIp": ["66.193.100.22/32"]}
}
}
]
}
POLICY
}
» Log Publishing to CloudWatch Logs
resource "aws_cloudwatch_log_group" "example" {
name = "example"
}
resource "aws_cloudwatch_log_resource_policy" "example" {
policy_name = "example"
policy_document = <<CONFIG
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "es.amazonaws.com"
},
"Action": [
"logs:PutLogEvents",
"logs:PutLogEventsBatch",
"logs:CreateLogStream"
],
"Resource": "arn:aws:logs:*"
}
]
}
CONFIG
}
resource "aws_elasticsearch_domain" "example" {
# .. other configuration ...
log_publishing_options {
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.example.arn}"
log_type = "INDEX_SLOW_LOGS"
}
}
» VPC based ES
variable "vpc" {}
variable "domain" {
default = "tf-test"
}
data "aws_vpc" "selected" {
tags {
Name = "${var.vpc}"
}
}
data "aws_subnet_ids" "selected" {
vpc_id = "${data.aws_vpc.selected.id}"
tags {
Tier = "private"
}
}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
resource "aws_security_group" "es" {
name = "${var.vpc}-elasticsearch-${var.domain}"
description = "Managed by Terraform"
vpc_id = "${data.aws_vpc.selected.id}"
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [
"${data.aws_vpc.selected.cidr_blocks}",
]
}
}
resource "aws_iam_service_linked_role" "es" {
aws_service_name = "es.amazonaws.com"
}
resource "aws_elasticsearch_domain" "es" {
domain_name = "${var.domain}"
elasticsearch_version = "6.3"
cluster_config {
instance_type = "m4.large.elasticsearch"
}
vpc_options {
subnet_ids = [
"${data.aws_subnet_ids.selected.ids[0]}",
"${data.aws_subnet_ids.selected.ids[1]}",
]
security_group_ids = ["${aws_security_group.elasticsearch.id}"]
}
advanced_options = {
"rest.action.multi.allow_explicit_index" = "true"
}
access_policies = <<CONFIG
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Principal": "*",
"Effect": "Allow",
"Resource": "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.domain}/*"
}
]
}
CONFIG
snapshot_options {
automated_snapshot_start_hour = 23
}
tags {
Domain = "TestDomain"
}
depends_on = [
"aws_iam_service_linked_role.es",
]
}
» Argument Reference
The following arguments are supported:
-
domain_name
- (Required) Name of the domain. -
access_policies
- (Optional) IAM policy document specifying the access policies for the domain -
advanced_options
- (Optional) Key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply. -
ebs_options
- (Optional) EBS related options, may be required based on chosen instance size. See below. -
encrypt_at_rest
- (Optional) Encrypt at rest options. Only available for certain instance types. See below. -
node_to_node_encryption
- (Optional) Node-to-node encryption options. See below. -
cluster_config
- (Optional) Cluster configuration of the domain, see below. -
snapshot_options
- (Optional) Snapshot related options, see below. -
vpc_options
- (Optional) VPC related options, see below. Adding or removing this configuration forces a new resource (documentation). -
log_publishing_options
- (Optional) Options for publishing slow logs to CloudWatch Logs. -
elasticsearch_version
- (Optional) The version of Elasticsearch to deploy. Defaults to1.5
-
tags
- (Optional) A mapping of tags to assign to the resource
ebs_options supports the following attributes:
-
ebs_enabled
- (Required) Whether EBS volumes are attached to data nodes in the domain -
volume_type
- (Optional) The type of EBS volumes attached to data nodes. -
volume_size
- The size of EBS volumes attached to data nodes (in GB). Required ifebs_enabled
is set totrue
. -
iops
- (Optional) The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the Provisioned IOPS EBS volume type.
encrypt_at_rest supports the following attributes:
-
enabled
- (Required) Whether to enable encryption at rest. If theencrypt_at_rest
block is not provided then this defaults tofalse
. -
kms_key_id
- (Optional) The KMS key id to encrypt the Elasticsearch domain with. If not specified then it defaults to using theaws/es
service KMS key.
cluster_config supports the following attributes:
-
instance_type
- (Optional) Instance type of data nodes in the cluster. -
instance_count
- (Optional) Number of instances in the cluster. -
dedicated_master_enabled
- (Optional) Indicates whether dedicated master nodes are enabled for the cluster. -
dedicated_master_type
- (Optional) Instance type of the dedicated master nodes in the cluster. -
dedicated_master_count
- (Optional) Number of dedicated master nodes in the cluster -
zone_awareness_enabled
- (Optional) Indicates whether zone awareness is enabled.
node_to_node_encryption supports the following attributes:
-
enabled
- (Required) Whether to enable node-to-node encryption. If thenode_to_node_encryption
block is not provided then this defaults tofalse
.
vpc_options supports the following attributes:
AWS documentation: VPC Support for Amazon Elasticsearch Service Domains
Note you must have created the service linked role for the Elasticsearch service to use the vpc_options
.
If you need to create the service linked role at the same time as the Elasticsearch domain then you must use depends_on
to make sure that the role is created before the Elasticsearch domain.
See the VPC based ES domain example above.
-
security_group_ids
- (Optional) List of VPC Security Group IDs to be applied to the Elasticsearch domain endpoints. If omitted, the default Security Group for the VPC will be used. -
subnet_ids
- (Required) List of VPC Subnet IDs for the Elasticsearch domain endpoints to be created in.
Security Groups and Subnets referenced in these attributes must all be within the same VPC; this determines what VPC the endpoints are created in.
snapshot_options supports the following attribute:
-
automated_snapshot_start_hour
- (Required) Hour during which the service takes an automated daily snapshot of the indices in the domain.
log_publishing_options supports the following attribute:
-
log_type
- (Required) A type of Elasticsearch log. Valid values: INDEX_SLOW_LOGS, SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS -
cloudwatch_log_group_arn
- (Required) ARN of the Cloudwatch log group to which log needs to be published. -
enabled
- (Optional, Default: true) Specifies whether given log publishing option is enabled or not.
cognito_options supports the following attribute:
AWS documentation: Amazon Cognito Authentication for Kibana
-
enabled
- (Optional, Default: false) Specifies whether Amazon Cognito authentication with Kibana is enabled or not -
user_pool_id
- (Required) ID of the Cognito User Pool to use -
identity_pool_id
- (Required) ID of the Cognito Identity Pool to use -
role_arn
- (Required) ARN of the IAM role that has the AmazonESCognitoAccess policy attached
» Attributes Reference
In addition to all arguments above, the following attributes are exported:
-
arn
- Amazon Resource Name (ARN) of the domain. -
domain_id
- Unique identifier for the domain. -
domain_name
- The name of the Elasticsearch domain. -
endpoint
- Domain-specific endpoint used to submit index, search, and data upload requests. -
kibana_endpoint
- Domain-specific endpoint for kibana without https scheme. -
vpc_options.0.availability_zones
- If the domain was created inside a VPC, the names of the availability zones the configuredsubnet_ids
were created inside. -
vpc_options.0.vpc_id
- If the domain was created inside a VPC, the ID of the VPC.
» Import
Elasticsearch domains can be imported using the domain_name
, e.g.
$ terraform import aws_elasticsearch_domain.example domain_name