Dynamic Terraform module which creates an OpenSearch Serverless collection and related resources.
| Module version | AWS Provider version |
|---|---|
| >= 1.x.x | >= 5.31 |
Related resources the module can create alongside the collection:
- Encryption Policy
- Network Policy
- Data Access Policy
- OpenSearch Serverless VPC endpoint (VPCE)
- Data Lifecycle Policy
- Security Config
This example will create:
- OpenSearch Serverless collection
- Encryption policy using the AWS managed KMS key
- Public network policy for both endpoints (collection and Dashboards)
- Data access policy granting the calling identity all permissions on the collection and on all indexes (suitable for a demo; narrow the principals and permissions for anything beyond that)

```hcl
# The example references the caller identity, so the data source is declared here.
data "aws_caller_identity" "current" {}

module "opensearch_serverless" {
  source  = "fdmsantos/opensearch-serverless/aws"
  version = "x.x.x"

  name = "demo-collection"

  access_policy_rules = [
    {
      type        = "collection"
      permissions = ["All"]
      principals  = [data.aws_caller_identity.current.arn]
    },
    {
      type        = "index"
      permissions = ["All"]
      indexes     = ["*"]
      principals  = [data.aws_caller_identity.current.arn]
    }
  ]
}
```

By default, the encryption policy uses the AWS managed KMS key. To use a customer managed KMS key, set the variable encryption_policy_kms_key_arn to the key ARN.
By default, the network policy is created with public access to both the Dashboards and collection endpoints.
To change the network policy, set the variable network_policy_type. The supported values are:
| Value | Description |
|---|---|
| AllPublic | Public endpoints for Dashboards and Collection |
| AllPrivate | Private endpoints for Dashboards and Collection |
| PublicCollectionPrivateDashboard | Public endpoint for Collection and private endpoint for Dashboards |
| PrivateCollectionPublicDashboard | Private endpoint for Collection and public endpoint for Dashboards |
If the variable network_policy_type is anything other than "AllPublic", the module creates an OpenSearch Serverless VPC endpoint for private access.
In this case the variables vpce_subnet_ids and vpce_vpc_id must be configured; vpce_security_group_ids is optional.
- To attach existing security groups to the endpoint, use the variable vpce_security_group_ids.
- By default, the module creates a new security group for the endpoint. To disable this, set vpce_create_security_group = false.
- To choose the sources allowed by the created security group, use the variable vpce_security_group_sources. Each entry supports two fields:
| Field | Allowed Values |
|---|---|
| type | IPv4, IPv6, PrefixLists, SGs |
| sources | List of sources to be allowed for that type. For example, for type IPv4 this is a list of IPv4 CIDR blocks |
- Example:

```hcl
vpce_security_group_sources = [
  {
    type    = "IPv4"
    sources = ["0.0.0.0/0"]
  },
  {
    type    = "IPv6"
    sources = ["::/0"]
  }
]
```

Note that 0.0.0.0/0 and ::/0 admit any source that can reach the endpoint's network interfaces (anything inside the VPC, plus peered or otherwise connected networks). Where possible, restrict the sources to the application's security groups or CIDR ranges.

To configure the data access policy, use the variable access_policy_rules. This variable is a list of data access rules.
Each rule contains the following fields:
| Field | Supported Values |
|---|---|
| type | collection; index |
| permissions | Collection type: All; Create; Read; Update; Delete. Index type: All; Create; Read; Update; Delete; ReadDocument; WriteDocument |
| principals | IAM users; IAM roles; SAML users; SAML groups |
| indexes | List of indexes the rule applies to (index type only) |
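The network policy, VPC endpoint and data access policy sections above each show one knob in isolation. The following is an added example (not part of the module's own README) that combines them into the private, least-privilege configuration a production deployment would typically want: a customer managed key, no public endpoints, an endpoint security group restricted to known sources instead of 0.0.0.0/0, and separate writer and reader principals with only the permissions each needs. The KMS key, VPC, subnets, application security group and the two IAM roles it references are assumed to be defined elsewhere in the root module; the 10.0.0.0/16 CIDR and the `logs-*` index pattern are placeholders.

```hcl
# Added example: private-access deployment of fdmsantos/opensearch-serverless/aws.
# Assumed to exist elsewhere in the root module: aws_kms_key.aoss, aws_vpc.main,
# aws_subnet.private (a list), aws_security_group.app, aws_iam_role.log_writer
# and aws_iam_role.log_reader.

data "aws_caller_identity" "current" {}

module "opensearch_serverless_private" {
  source  = "fdmsantos/opensearch-serverless/aws"
  version = "x.x.x" # pin to a released module version

  name = "logs-private"
  type = "TIMESERIES"

  # Encryption policy: customer managed key instead of the AWS managed default.
  encryption_policy_kms_key_arn = aws_kms_key.aoss.arn

  # Network policy: no public endpoint for the collection or for Dashboards.
  # Because the type is not "AllPublic", the module also creates the VPC endpoint,
  # so the VPC and subnets are required.
  network_policy_type = "AllPrivate"
  vpce_vpc_id         = aws_vpc.main.id
  vpce_subnet_ids     = aws_subnet.private[*].id

  # Module-managed security group on the endpoint ENIs. Admit only the
  # application's security group and the private address range (assumed
  # 10.0.0.0/16), never 0.0.0.0/0.
  vpce_create_security_group = true
  vpce_security_group_sources = [
    {
      type    = "SGs"
      sources = [aws_security_group.app.id]
    },
    {
      type    = "IPv4"
      sources = ["10.0.0.0/16"]
    }
  ]

  # Data access policy: each principal gets the narrowest permission set it
  # needs, scoped to one index pattern. Only the deploying identity keeps "All".
  access_policy_rules = [
    {
      type        = "collection"
      permissions = ["Read"]
      principals  = [aws_iam_role.log_writer.arn, aws_iam_role.log_reader.arn]
    },
    {
      type        = "index"
      permissions = ["Create", "Update", "WriteDocument"]
      indexes     = ["logs-*"]
      principals  = [aws_iam_role.log_writer.arn]
    },
    {
      type        = "index"
      permissions = ["Read", "ReadDocument"]
      indexes     = ["logs-*"]
      principals  = [aws_iam_role.log_reader.arn]
    },
    {
      type        = "collection"
      permissions = ["All"]
      principals  = [data.aws_caller_identity.current.arn]
    }
  ]

  tags = {
    Environment = "prod"
  }
}
```

With "AllPrivate", Dashboards is also only reachable through the VPC endpoint, so interactive users need a path into the VPC (VPN, bastion or similar). After `terraform apply`, the effective policies can be inspected with `aws opensearchserverless get-security-policy --type network --name <network_policy_name>` and `aws opensearchserverless get-access-policy --type data --name <access_policy_name>`, using the names exposed by the module's network_policy_name and access_policy_name outputs.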
To create a data lifecycle policy, set the variable create_data_lifecycle_policy = true and configure the rules with the variable data_lifecycle_policy_rules.
The default retention is Unlimited; a rule that omits retention (index5 below) uses that default.
Example:

```hcl
data_lifecycle_policy_rules = [
  {
    indexes   = ["index1", "index2"]
    retention = "Unlimited"
  },
  {
    indexes   = ["index3", "index4"]
    retention = "81d"
  },
  {
    indexes = ["index5"]
  }
]
```

To create a security config (SAML authentication for Dashboards), set the variable create_security_config = true and provide the SAML settings:

```hcl
create_security_config = true
saml_metadata          = "${path.module}/saml-metadata.xml"
saml_user_attribute    = "example"
saml_group_attribute   = "example"
saml_session_timeout   = 90
```

- Complete - Creates an OpenSearch Serverless collection with all features.
| Name | Version |
|---|---|
| terraform | >= 0.13.1 |
| aws | >= 5.31 |
| Name | Version |
|---|---|
| aws | >= 5.31 |
No modules.
| Name | Type |
|---|---|
| aws_opensearchserverless_access_policy.this | resource |
| aws_opensearchserverless_collection.this | resource |
| aws_opensearchserverless_lifecycle_policy.this | resource |
| aws_opensearchserverless_security_config.this | resource |
| aws_opensearchserverless_security_policy.encryption | resource |
| aws_opensearchserverless_security_policy.network | resource |
| aws_opensearchserverless_vpc_endpoint.this | resource |
| aws_security_group.this | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_policy_description | Description of the access policy. | string | null | no |
| access_policy_name | The name of the data access policy. | string | null | no |
| access_policy_rules | Rules to apply on the access policy. | list(object({…})) | [] | no |
| create_access_policy | Controls if the data access policy should be created. | bool | true | no |
| create_data_lifecycle_policy | Controls if the data lifecycle policy should be created. | bool | false | no |
| create_encryption_policy | Controls if the encryption policy should be created. | bool | true | no |
| create_network_policy | Controls if the network policy should be created. | bool | true | no |
| create_security_config | Controls if the security config should be created. | bool | false | no |
| data_lifecycle_policy_description | Description of the data lifecycle policy. | string | null | no |
| data_lifecycle_policy_name | The name of the data lifecycle policy. | string | null | no |
| data_lifecycle_policy_rules | Rules to apply on the data lifecycle policy. | list(object({…})) | [] | no |
| description | Description of the collection. | string | null | no |
| encryption_policy_description | Description of the encryption policy. | string | null | no |
| encryption_policy_kms_key_arn | KMS customer managed key ARN to use in the encryption policy. | string | null | no |
| encryption_policy_name | The name of the encryption policy. | string | null | no |
| name | Name of the collection. | string | n/a | yes |
| network_policy_description | Description of the network policy. | string | null | no |
| network_policy_name | The name of the network policy. | string | null | no |
| network_policy_type | Type of network policy. Supported values are: AllPublic, AllPrivate, PublicCollectionPrivateDashboard, PrivateCollectionPublicDashboard | string | "AllPublic" | no |
| saml_group_attribute | Specify an attribute for group to map user groups or roles from your assertion. | string | null | no |
| saml_metadata | The XML IdP metadata file generated from your identity provider. Needs to be a path to a file. | string | null | no |
| saml_session_timeout | Session timeout, in minutes. Minimum is 5 minutes and maximum is 720 minutes (12 hours). Default is 60 minutes. | number | 60 | no |
| saml_user_attribute | Specify a custom attribute for user ID if your assertion does not use NameID as the default attribute. | string | null | no |
| security_config_description | Description of the security config. | string | null | no |
| security_config_name | The name of the security config. | string | null | no |
| tags | A map of tags to assign to the collection. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level. | map(string) | {} | no |
| type | Type of collection. One of SEARCH, TIMESERIES, or VECTORSEARCH. Defaults to TIMESERIES. | string | "TIMESERIES" | no |
| use_standby_replicas | Indicates whether standby replicas should be used for a collection. | bool | true | no |
| vpce_create_security_group | Creates a security group for the VPCE. | bool | true | no |
| vpce_name | Name of the interface endpoint. | string | null | no |
| vpce_security_group_description | Security group description for the VPCE. | string | null | no |
| vpce_security_group_ids | One or more security groups that define the ports, protocols, and sources for inbound traffic that you are authorizing into your endpoint. Up to 5 security groups can be provided. | list(string) | null | no |
| vpce_security_group_name | Security group name for the VPCE. | string | null | no |
| vpce_security_group_sources | Sources for inbound traffic to OpenSearch Serverless. | list(object({…})) | [] | no |
| vpce_subnet_ids | One or more subnet IDs from which you'll access OpenSearch Serverless. Up to 6 subnets can be provided. | list(string) | [] | no |
| vpce_vpc_id | ID of the VPC from which you'll access OpenSearch Serverless. | string | null | no |
| Name | Description |
|---|---|
| access_policy_name | Name of the data access policy. |
| access_policy_version | Version of the data access policy. |
| collection_arn | Amazon Resource Name (ARN) of the collection. |
| collection_endpoint | Collection-specific endpoint used to submit index, search, and data upload requests to an OpenSearch Serverless collection. |
| collection_id | Unique identifier for the collection. |
| dashboard_endpoint | Collection-specific endpoint used to access OpenSearch Dashboards. |
| data_lifecycle_policy_name | Name of the data lifecycle policy. |
| data_lifecycle_policy_version | Version of the data lifecycle policy. |
| encryption_policy_name | Name of the encryption policy. |
| encryption_policy_version | Version of the encryption policy. |
| kms_key_arn | The ARN of the AWS KMS key used to encrypt the collection. |
| network_policy_name | Name of the network policy. |
| network_policy_version | Version of the network policy. |
| security_config_name | Name of the security config. |
| security_config_version | Version of the security config. |
| security_group_id | ID of the security group. |
| security_group_name | Name of the security group. |
| vpce_id | ID of the VPCE. |
| vpce_name | Name of the interface endpoint. |
Apache 2 Licensed. See LICENSE for full details.