Merge pull request #206 from CBIIT/os_module

Os module
CBIIT · Jun 26, 2024 · 6f4c6a9 · 6f4c6a9
2 parents 10d1f8f + 0ba467c
commit 6f4c6a9
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 21 deletions.
diff --git a/terraform/modules/cloudfront/kinesis.tf b/terraform/modules/cloudfront/kinesis.tf
@@ -22,8 +22,9 @@ resource "aws_iam_role_policy_attachment" "firehose_policy_attachment" {
 
 resource "aws_kinesis_firehose_delivery_stream" "firehose_stream" {
   name        = "aws-waf-logs-${var.resource_prefix}-kinesis-firehose-stream"
-  destination = "s3"
-  s3_configuration {
+  destination = "extended_s3"
+
+  extended_s3_configuration {
     role_arn   = aws_iam_role.firehose_role.arn
     bucket_arn = aws_s3_bucket.kinesis_log.arn
   }

diff --git a/terraform/modules/firehose-metrics/modules/kinesis-firehose-datastream/main.tf b/terraform/modules/firehose-metrics/modules/kinesis-firehose-datastream/main.tf
@@ -14,16 +14,16 @@ resource "aws_kinesis_firehose_delivery_stream" "kinesis" {
     request_configuration {
       content_encoding = var.content_encoding
     }
-  }
 
-  s3_configuration {
-    role_arn            = var.role_arn
-    bucket_arn          = var.s3_bucket_arn
-    prefix              = var.s3_object_prefix
-    error_output_prefix = var.s3_error_output_prefix
-    buffer_size         = var.buffer_size
-    buffer_interval     = var.buffer_interval
-    compression_format  = var.s3_compression_format
+    s3_configuration {
+      role_arn            = var.role_arn
+      bucket_arn          = var.s3_bucket_arn
+      prefix              = var.s3_object_prefix
+      error_output_prefix = var.s3_error_output_prefix
+      #buffer_size         = var.buffer_size
+      #buffer_interval     = var.buffer_interval
+      compression_format  = var.s3_compression_format
+    }
   }
 }
 

diff --git a/terraform/modules/opensearch/README.md b/terraform/modules/opensearch/README.md
@@ -48,6 +48,7 @@ No modules.
 | [aws_iam_policy_document.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.snapshot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 

diff --git a/terraform/modules/opensearch/data.tf b/terraform/modules/opensearch/data.tf
@@ -1,3 +1,5 @@
+data "aws_region" "current" {}
+
 data "aws_caller_identity" "current" {}
 
 data "aws_iam_policy_document" "logs" {
@@ -37,7 +39,7 @@ data "aws_iam_policy_document" "access_policy" {
       type        = "AWS"
       identifiers = ["*"]
     }
-    resources = ["${aws_opensearch_domain.this.arn}/*"]
+    resources = ["arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.resource_prefix}-opensearch/*"]
   }
 }
 
@@ -87,8 +89,8 @@ data "aws_iam_policy_document" "snapshot" {
     effect  = "Allow"
     actions = ["es:ESHttpPut"]
     resources = [
-      "${aws_opensearch_domain.this.arn}/*",
-      "${aws_opensearch_domain.this.arn}/*/*"
+      "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.resource_prefix}-opensearch/*",
+      "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.resource_prefix}-opensearch/*/*"
     ]
   }
 }
diff --git a/terraform/modules/opensearch/locals.tf b/terraform/modules/opensearch/locals.tf
@@ -1,10 +1,12 @@
 locals {
   access_policies       = var.create_access_policies ? data.aws_iam_policy_document.access_policy[0].json : var.access_policies
   permissions_boundary  = var.attach_permissions_boundary ? "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/PermissionBoundary_PowerUser" : null
-  security_group_ids    = var.create_security_group ? aws_security_group.this[0].id : var.security_group_ids
+  security_group_ids    = var.create_security_group ? [aws_security_group.this[0].id] : var.security_group_ids
   custom_instance_type  = var.instance_type == null && var.cluster_tshirt_size != null ? lookup(local.instance_type_lookup, var.cluster_tshirt_size, null) : var.instance_type
+  auto_tune_enabled     = var.auto_tune_enabled && !strcontains(local.custom_instance_type, "t2") && !strcontains(local.custom_instance_type, "t3") ? "ENABLED" : "DISABLED"
   custom_instance_count = var.instance_count == null ? 1 : var.instance_count
   custom_volume_size    = var.volume_size == null && var.cluster_tshirt_size != null ? lookup(local.volume_size_lookup, var.cluster_tshirt_size, null) : var.volume_size
+  cluster_subnet_ids    = local.custom_instance_count == 1 ? [tolist(var.subnet_ids)[0]] : var.subnet_ids
 
 
   instance_type_lookup = {

diff --git a/terraform/modules/opensearch/main.tf b/terraform/modules/opensearch/main.tf
@@ -6,7 +6,7 @@ resource "aws_opensearch_domain" "this" {
 
   cluster_config {
     instance_type  = local.custom_instance_type
-    instance_count = var.zone_awareness_enabled ? local.custom_instance_count : (local.custom_instance_count * 2)
+    instance_count = var.zone_awareness_enabled ? (local.custom_instance_count * 2) : local.custom_instance_count
 
     zone_awareness_enabled = var.zone_awareness_enabled
 
@@ -19,7 +19,7 @@ resource "aws_opensearch_domain" "this" {
     dedicated_master_type    = var.dedicated_master_enabled ? local.custom_instance_type : null
 
     warm_enabled = var.warm_enabled
-    warm_count   = var.warm_enabled ? 2 : 0
+    warm_count   = var.warm_enabled ? 2 : null
     warm_type    = var.warm_enabled ? local.custom_instance_type : null
 
     cold_storage_options {
@@ -28,7 +28,7 @@ resource "aws_opensearch_domain" "this" {
   }
 
   auto_tune_options {
-    desired_state = var.auto_tune_enabled ? "ENABLED" : "DISABLED"
+    desired_state = local.auto_tune_enabled
   }
 
   domain_endpoint_options {
@@ -52,7 +52,7 @@ resource "aws_opensearch_domain" "this" {
     content {
       enabled                  = true
       cloudwatch_log_group_arn = aws_cloudwatch_log_group.this[0].arn
-      log_type                 = each.value
+      log_type                 = log_publishing_options.value
     }
   }
 
@@ -69,7 +69,7 @@ resource "aws_opensearch_domain" "this" {
   }
 
   vpc_options {
-    subnet_ids         = var.subnet_ids
+    subnet_ids         = local.cluster_subnet_ids
     security_group_ids = local.security_group_ids
   }
 }
@@ -109,7 +109,7 @@ resource "aws_cloudwatch_log_resource_policy" "this" {
   count = var.create_cloudwatch_log_policy ? 1 : 0
 
   policy_name     = "${var.resource_prefix}-opensearch-log-policy"
-  policy_document = data.aws_iam_policy_document.logs.json
+  policy_document = data.aws_iam_policy_document.logs[0].json
 }
 
 resource "aws_iam_role" "snapshot" {