feat: serverless collection submodule (#59)

modules/collection/README.md

@@ -0,0 +1,65 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.15 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.15 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aoss"></a> [aoss](#module\_aoss) | terraform-aws-modules/opensearch/aws//modules/collection | ~> 1.5.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_opensearchserverless_security_config.saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_config) | resource |
+| [aws_opensearchserverless_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_vpc_endpoint) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_policy"></a> [access\_policy](#input\_access\_policy) | Access policy to apply to the collection | `any` | `{}` | no |
+| <a name="input_access_policy_collection_permissions"></a> [access\_policy\_collection\_permissions](#input\_access\_policy\_collection\_permissions) | Access policy permissions for the collection | `list(string)` | <pre>[<br/>  "aoss:*"<br/>]</pre> | no |
+| <a name="input_access_policy_index_permissions"></a> [access\_policy\_index\_permissions](#input\_access\_policy\_index\_permissions) | Access policy permissions for the collection index | `list(string)` | <pre>[<br/>  "aoss:*"<br/>]</pre> | no |
+| <a name="input_access_policy_principals"></a> [access\_policy\_principals](#input\_access\_policy\_principals) | Access policy principals | `list(string)` | `[]` | no |
+| <a name="input_allow_public_access"></a> [allow\_public\_access](#input\_allow\_public\_access) | Whether public access is to be given | `bool` | `false` | no |
+| <a name="input_collection_type"></a> [collection\_type](#input\_collection\_type) | Type of collection. Possible values are `SEARCH`, `TIMESERIES` or `VECTORSEARCH` | `string` | n/a | yes |
+| <a name="input_create_access_policy"></a> [create\_access\_policy](#input\_create\_access\_policy) | Determines whether an access policy will be created | `bool` | `true` | no |
+| <a name="input_create_encryption_policy"></a> [create\_encryption\_policy](#input\_create\_encryption\_policy) | Determines whether an encryption policy will be created | `bool` | `true` | no |
+| <a name="input_create_lifecycle_policy"></a> [create\_lifecycle\_policy](#input\_create\_lifecycle\_policy) | Determines whether an lifecycle policy will be created | `bool` | `false` | no |
+| <a name="input_create_network_policy"></a> [create\_network\_policy](#input\_create\_network\_policy) | Determines whether an network policy will be created | `bool` | `true` | no |
+| <a name="input_create_vpc_endpoint"></a> [create\_vpc\_endpoint](#input\_create\_vpc\_endpoint) | Whether a VPC endpoint is to be created for the collection | `bool` | `false` | no |
+| <a name="input_description"></a> [description](#input\_description) | Description for the OpenSearch Serverless collection. | `string` | n/a | yes |
+| <a name="input_encryption_kms_arn"></a> [encryption\_kms\_arn](#input\_encryption\_kms\_arn) | Encryption policy to apply to the collection | `string` | `null` | no |
+| <a name="input_lifecycle_policy_min_index_retention"></a> [lifecycle\_policy\_min\_index\_retention](#input\_lifecycle\_policy\_min\_index\_retention) | The minimum period, in days (d) or hours (h), to retain the document in the index. The lower bound is `24h` and the upper bound is `3650d` | `string` | `null` | no |
+| <a name="input_lifecycle_policy_no_min_index_retention"></a> [lifecycle\_policy\_no\_min\_index\_retention](#input\_lifecycle\_policy\_no\_min\_index\_retention) | If true, OpenSearch Serverless retains documents indefinitely | `bool` | `null` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name of the OpenSearch Serverless collection. | `string` | n/a | yes |
+| <a name="input_saml_enabled"></a> [saml\_enabled](#input\_saml\_enabled) | Whether SAML authentication is enabled | `bool` | `false` | no |
+| <a name="input_saml_group_attribute"></a> [saml\_group\_attribute](#input\_saml\_group\_attribute) | Group attribute for this SAML integration | `string` | `""` | no |
+| <a name="input_saml_metadata_content"></a> [saml\_metadata\_content](#input\_saml\_metadata\_content) | The metadata of the SAML application in xml format. | `string` | `""` | no |
+| <a name="input_saml_session_timeout"></a> [saml\_session\_timeout](#input\_saml\_session\_timeout) | Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440. | `number` | `60` | no |
+| <a name="input_saml_user_attribute"></a> [saml\_user\_attribute](#input\_saml\_user\_attribute) | User attribute for this SAML integration | `string` | `""` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | Security group IDs attached to the VPC endpoint. Needed only if `create_vpc_endpoint` is true | `list(string)` | `[]` | no |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | Subnet IDs in which the VPC endpoint is created. Needed only if `create_vpc_endpoint` is true | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A mapping of tags to assign to the resources | `map(string)` | `{}` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID to deploy the cluster into. Need only if the VPC endpoint created. | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | ARN of the Opensearch Collection |
+| <a name="output_dashboard_endpoint"></a> [dashboard\_endpoint](#output\_dashboard\_endpoint) | Collection-specific endpoint used to access OpenSearch Dashboards |
+| <a name="output_endpoint"></a> [endpoint](#output\_endpoint) | Collection-specific endpoint used to submit index, search, and data upload requests to an OpenSearch Serverless collection |
+| <a name="output_id"></a> [id](#output\_id) | ID of the Opensearch Collection |
+| <a name="output_vpc_endpoint_id"></a> [vpc\_endpoint\_id](#output\_vpc\_endpoint\_id) | VPC endpoint ID for the OpenSearch collection |

modules/collection/endpoint.tf

@@ -0,0 +1,8 @@
+resource "aws_opensearchserverless_vpc_endpoint" "this" {
+  count = var.create_vpc_endpoint ? 1 : 0
+
+  name               = "${var.name}-vpce"
+  vpc_id             = var.vpc_id
+  subnet_ids         = var.subnet_ids
+  security_group_ids = var.security_group_ids
+}

modules/collection/locals.tf

@@ -0,0 +1,19 @@
+locals {
+  encryption_policy = {
+    "Rules" = [
+      {
+        "Resource" = [
+          "collection/${var.name}"
+        ],
+        "ResourceType" = "collection"
+      }
+    ],
+    "AWSOwnedKey" = var.encryption_kms_arn == null ? true : false
+    "KmsARN"      = var.encryption_kms_arn
+  }
+
+  network_policy = {
+    AllowFromPublic = var.allow_public_access
+    SourceVPCEs     = var.create_vpc_endpoint ? [aws_opensearchserverless_vpc_endpoint.this[0].id] : []
+  }
+}

modules/collection/main.tf

@@ -0,0 +1,45 @@
+module "aoss" {
+  source  = "terraform-aws-modules/opensearch/aws//modules/collection"
+  version = "~> 1.5.0"
+
+  name        = var.name
+  description = var.description
+  type        = var.collection_type
+
+  create_access_policy                 = var.create_access_policy
+  access_policy_collection_permissions = var.access_policy_collection_permissions
+  access_policy_index_permissions      = var.access_policy_index_permissions
+  access_policy_principals             = var.access_policy_principals
+  access_policy                        = var.access_policy
+
+  create_network_policy = var.create_network_policy
+  network_policy        = local.network_policy
+
+  create_encryption_policy = var.create_encryption_policy
+  encryption_policy        = local.encryption_policy
+
+  create_lifecycle_policy                 = var.create_lifecycle_policy
+  lifecycle_policy_min_index_retention    = var.lifecycle_policy_min_index_retention
+  lifecycle_policy_no_min_index_retention = var.lifecycle_policy_no_min_index_retention
+
+  tags = var.tags
+}
+
+resource "aws_opensearchserverless_security_config" "saml" {
+  count = var.saml_enabled ? 1 : 0
+
+  name        = "${var.name}-saml"
+  type        = "saml"
+  description = "SAML config for ${var.name}"
+
+  saml_options {
+    metadata        = var.saml_metadata_content
+    group_attribute = var.saml_group_attribute
+    user_attribute  = var.saml_user_attribute
+    session_timeout = var.saml_session_timeout
+  }
+
+  depends_on = [
+    module.aoss,
+  ]
+}

modules/collection/outputs.tf

@@ -0,0 +1,24 @@
+output "id" {
+  description = "ID of the Opensearch Collection"
+  value       = module.aoss.id
+}
+
+output "arn" {
+  description = "ARN of the Opensearch Collection"
+  value       = module.aoss.arn
+}
+
+output "endpoint" {
+  description = "Collection-specific endpoint used to submit index, search, and data upload requests to an OpenSearch Serverless collection"
+  value       = module.aoss.endpoint
+}
+
+output "dashboard_endpoint" {
+  description = "Collection-specific endpoint used to access OpenSearch Dashboards"
+  value       = module.aoss.dashboard_endpoint
+}
+
+output "vpc_endpoint_id" {
+  description = "VPC endpoint ID for the OpenSearch collection"
+  value       = var.create_vpc_endpoint ? aws_opensearchserverless_vpc_endpoint.this[0].id : null
+}

modules/collection/variables.tf

@@ -0,0 +1,152 @@
+variable "name" {
+  type        = string
+  description = "Name of the OpenSearch Serverless collection."
+}
+
+variable "collection_type" {
+  type        = string
+  description = "Type of collection. Possible values are `SEARCH`, `TIMESERIES` or `VECTORSEARCH`"
+}
+
+variable "description" {
+  type        = string
+  description = "Description for the OpenSearch Serverless collection."
+}
+
+variable "allow_public_access" {
+  type        = bool
+  description = "Whether public access is to be given"
+  default     = false
+}
+
+variable "vpc_id" {
+  description = "VPC ID to deploy the cluster into. Need only if the VPC endpoint created."
+  type        = string
+  default     = ""
+}
+
+variable "subnet_ids" {
+  description = "Subnet IDs in which the VPC endpoint is created. Needed only if `create_vpc_endpoint` is true"
+  type        = list(string)
+  default     = []
+}
+
+variable "security_group_ids" {
+  description = "Security group IDs attached to the VPC endpoint. Needed only if `create_vpc_endpoint` is true"
+  type        = list(string)
+  default     = []
+}
+
+variable "create_vpc_endpoint" {
+  type        = bool
+  description = "Whether a VPC endpoint is to be created for the collection"
+  default     = false
+}
+
+variable "tags" {
+  description = "(Optional) A mapping of tags to assign to the resources"
+  type        = map(string)
+  default     = {}
+}
+
+###########
+# Policies
+###########
+variable "create_encryption_policy" {
+  description = "Determines whether an encryption policy will be created"
+  type        = bool
+  default     = true
+}
+
+variable "encryption_kms_arn" {
+  description = "Encryption policy to apply to the collection"
+  type        = string
+  default     = null
+}
+
+variable "create_network_policy" {
+  description = "Determines whether an network policy will be created"
+  type        = bool
+  default     = true
+}
+
+variable "create_access_policy" {
+  description = "Determines whether an access policy will be created"
+  type        = bool
+  default     = true
+}
+
+variable "access_policy_index_permissions" {
+  description = "Access policy permissions for the collection index"
+  type        = list(string)
+  default     = ["aoss:*"]
+}
+
+variable "access_policy_collection_permissions" {
+  description = "Access policy permissions for the collection"
+  type        = list(string)
+  default     = ["aoss:*"]
+}
+
+variable "access_policy_principals" {
+  description = "Access policy principals"
+  type        = list(string)
+  default     = []
+}
+
+variable "access_policy" {
+  description = "Access policy to apply to the collection"
+  type        = any
+  default     = {}
+}
+
+variable "create_lifecycle_policy" {
+  description = "Determines whether an lifecycle policy will be created"
+  type        = bool
+  default     = false
+}
+
+variable "lifecycle_policy_min_index_retention" {
+  description = "The minimum period, in days (d) or hours (h), to retain the document in the index. The lower bound is `24h` and the upper bound is `3650d`"
+  type        = string
+  default     = null
+}
+
+variable "lifecycle_policy_no_min_index_retention" {
+  description = "If true, OpenSearch Serverless retains documents indefinitely"
+  type        = bool
+  default     = null
+}
+
+########
+# SAML
+########
+variable "saml_enabled" {
+  description = "Whether SAML authentication is enabled"
+  type        = bool
+  default     = false
+}
+
+variable "saml_metadata_content" {
+  description = "The metadata of the SAML application in xml format."
+  type        = string
+  default     = ""
+}
+
+variable "saml_session_timeout" {
+  description = "Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440."
+  type        = number
+  default     = 60
+}
+
+variable "saml_group_attribute" {
+  description = "Group attribute for this SAML integration"
+  type        = string
+  default     = ""
+}
+
+variable "saml_user_attribute" {
+  description = "User attribute for this SAML integration"
+  type        = string
+  default     = ""
+}

modules/collection/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.4"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.15"
+    }
+  }
+}