From b1d0b57ef3ee57c0fda490f5b71b265a5607124b Mon Sep 17 00:00:00 2001
From: abhinavkumarsph <122246745+abhinavkumarsph@users.noreply.github.com>
Date: Tue, 3 Dec 2024 15:04:04 +0800
Subject: [PATCH] feat: serverless collection submodule (#59)
---
modules/collection/README.md | 65 ++++++++++++++
modules/collection/endpoint.tf | 8 ++
modules/collection/locals.tf | 19 ++++
modules/collection/main.tf | 45 ++++++++++
modules/collection/outputs.tf | 24 +++++
modules/collection/variables.tf | 152 ++++++++++++++++++++++++++++++++
modules/collection/versions.tf | 10 +++
7 files changed, 323 insertions(+)
create mode 100644 modules/collection/README.md
create mode 100644 modules/collection/endpoint.tf
create mode 100644 modules/collection/locals.tf
create mode 100644 modules/collection/main.tf
create mode 100644 modules/collection/outputs.tf
create mode 100644 modules/collection/variables.tf
create mode 100644 modules/collection/versions.tf
diff --git a/modules/collection/README.md b/modules/collection/README.md
new file mode 100644
index 0000000..9ecf491
--- /dev/null
+++ b/modules/collection/README.md
@@ -0,0 +1,65 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.4 |
+| [aws](#requirement\_aws) | >= 5.15 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.15 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [aoss](#module\_aoss) | terraform-aws-modules/opensearch/aws//modules/collection | ~> 1.5.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_opensearchserverless_security_config.saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_config) | resource |
+| [aws_opensearchserverless_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_vpc_endpoint) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [access\_policy](#input\_access\_policy) | Access policy to apply to the collection | `any` | `{}` | no |
+| [access\_policy\_collection\_permissions](#input\_access\_policy\_collection\_permissions) | Access policy permissions for the collection | `list(string)` |
[| no |
+| [access\_policy\_index\_permissions](#input\_access\_policy\_index\_permissions) | Access policy permissions for the collection index | `list(string)` |
"aoss:*"
]
[| no |
+| [access\_policy\_principals](#input\_access\_policy\_principals) | Access policy principals | `list(string)` | `[]` | no |
+| [allow\_public\_access](#input\_allow\_public\_access) | Whether public access is to be given | `bool` | `false` | no |
+| [collection\_type](#input\_collection\_type) | Type of collection. Possible values are `SEARCH`, `TIMESERIES` or `VECTORSEARCH` | `string` | n/a | yes |
+| [create\_access\_policy](#input\_create\_access\_policy) | Determines whether an access policy will be created | `bool` | `true` | no |
+| [create\_encryption\_policy](#input\_create\_encryption\_policy) | Determines whether an encryption policy will be created | `bool` | `true` | no |
+| [create\_lifecycle\_policy](#input\_create\_lifecycle\_policy) | Determines whether an lifecycle policy will be created | `bool` | `false` | no |
+| [create\_network\_policy](#input\_create\_network\_policy) | Determines whether an network policy will be created | `bool` | `true` | no |
+| [create\_vpc\_endpoint](#input\_create\_vpc\_endpoint) | Whether a VPC endpoint is to be created for the collection | `bool` | `false` | no |
+| [description](#input\_description) | Description for the OpenSearch Serverless collection. | `string` | n/a | yes |
+| [encryption\_kms\_arn](#input\_encryption\_kms\_arn) | Encryption policy to apply to the collection | `string` | `null` | no |
+| [lifecycle\_policy\_min\_index\_retention](#input\_lifecycle\_policy\_min\_index\_retention) | The minimum period, in days (d) or hours (h), to retain the document in the index. The lower bound is `24h` and the upper bound is `3650d` | `string` | `null` | no |
+| [lifecycle\_policy\_no\_min\_index\_retention](#input\_lifecycle\_policy\_no\_min\_index\_retention) | If true, OpenSearch Serverless retains documents indefinitely | `bool` | `null` | no |
+| [name](#input\_name) | Name of the OpenSearch Serverless collection. 
| `string` | n/a | yes |
+| [saml\_enabled](#input\_saml\_enabled) | Whether SAML authentication is enabled | `bool` | `false` | no |
+| [saml\_group\_attribute](#input\_saml\_group\_attribute) | Group attribute for this SAML integration | `string` | `""` | no |
+| [saml\_metadata\_content](#input\_saml\_metadata\_content) | The metadata of the SAML application in xml format. | `string` | `""` | no |
+| [saml\_session\_timeout](#input\_saml\_session\_timeout) | Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440. | `number` | `60` | no |
+| [saml\_user\_attribute](#input\_saml\_user\_attribute) | User attribute for this SAML integration | `string` | `""` | no |
+| [security\_group\_ids](#input\_security\_group\_ids) | Security group IDs attached to the VPC endpoint. Needed only if `create_vpc_endpoint` is true | `list(string)` | `[]` | no |
+| [subnet\_ids](#input\_subnet\_ids) | Subnet IDs in which the VPC endpoint is created. Needed only if `create_vpc_endpoint` is true | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | (Optional) A mapping of tags to assign to the resources | `map(string)` | `{}` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID to deploy the cluster into. Need only if the VPC endpoint created. | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [arn](#output\_arn) | ARN of the Opensearch Collection |
+| [dashboard\_endpoint](#output\_dashboard\_endpoint) | Collection-specific endpoint used to access OpenSearch Dashboards |
+| [endpoint](#output\_endpoint) | Collection-specific endpoint used to submit index, search, and data upload requests to an OpenSearch Serverless collection |
+| [id](#output\_id) | ID of the Opensearch Collection |
+| [vpc\_endpoint\_id](#output\_vpc\_endpoint\_id) | VPC endpoint ID for the OpenSearch collection |
diff --git a/modules/collection/endpoint.tf b/modules/collection/endpoint.tf
new file mode 100644
index 0000000..c95b467
--- /dev/null
+++ b/modules/collection/endpoint.tf
@@ -0,0 +1,8 @@
+resource "aws_opensearchserverless_vpc_endpoint" "this" {
+ count = var.create_vpc_endpoint ? 1 : 0
+
+ name = "${var.name}-vpce"
+ vpc_id = var.vpc_id
+ subnet_ids = var.subnet_ids
+ security_group_ids = var.security_group_ids
+}
diff --git a/modules/collection/locals.tf b/modules/collection/locals.tf
new file mode 100644
index 0000000..eee2f51
--- /dev/null
+++ b/modules/collection/locals.tf
@@ -0,0 +1,19 @@
+locals {
+ encryption_policy = {
+ "Rules" = [
+ {
+ "Resource" = [
+ "collection/${var.name}"
+ ],
+ "ResourceType" = "collection"
+ }
+ ],
+ "AWSOwnedKey" = var.encryption_kms_arn == null ? true : false
+ "KmsARN" = var.encryption_kms_arn
+ }
+
+ network_policy = {
+ AllowFromPublic = var.allow_public_access
+ SourceVPCEs = var.create_vpc_endpoint ? [aws_opensearchserverless_vpc_endpoint.this[0].id] : []
+ }
+}
diff --git a/modules/collection/main.tf b/modules/collection/main.tf
new file mode 100644
index 0000000..36378c5
--- /dev/null
+++ b/modules/collection/main.tf
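Review bot: `aws_opensearchserverless_vpc_endpoint.this` is built from `vpc_id` and `subnet_ids`, whose defaults in variables.tf are `""` and `[]`, so `create_vpc_endpoint = true` without them is only rejected by the provider at apply time rather than at plan. A `lifecycle { precondition { … } }` on the resource reports the missing inputs during plan; a variable-level `validation` cannot express this because, under the `>= 1.4` constraint in versions.tf, a validation block may only reference its own variable. The resource with that guard is below.
```hcl
resource "aws_opensearchserverless_vpc_endpoint" "this" {
  count = var.create_vpc_endpoint ? 1 : 0
  # … unchanged: name, vpc_id, subnet_ids, security_group_ids …

  lifecycle {
    precondition {
      condition     = var.vpc_id != "" && length(var.subnet_ids) > 0
      error_message = "create_vpc_endpoint = true requires vpc_id and at least one entry in subnet_ids."
    }
  }
}
```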
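Review bot: `network_policy` can evaluate to `AllowFromPublic = false` together with `SourceVPCEs = []`, and that is exactly the module's default combination (`allow_public_access` and `create_vpc_endpoint` default to `false` while `create_network_policy` defaults to `true`); a policy that admits neither public nor VPC-endpoint traffic presumably is either rejected by the service or leaves the collection unreachable, and nothing in the module says so. I'd put `# With create_network_policy = true, set allow_public_access or create_vpc_endpoint; otherwise no source is allowed to reach the collection.` above `network_policy`. Since `SourceVPCEs` only ever names the endpoint created in endpoint.tf, a caller that already owns a VPC endpoint has no way to allow it; an optional list variable concatenated into `SourceVPCEs` would cover that. Separately, `var.encryption_kms_arn == null ? true : false` is already a boolean, so `"AWSOwnedKey" = var.encryption_kms_arn == null` says the same thing.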
@@ -0,0 +1,45 @@
+module "aoss" {
+ source = "terraform-aws-modules/opensearch/aws//modules/collection"
+ version = "~> 1.5.0"
+
+ name = var.name
+ description = var.description
+ type = var.collection_type
+
+ create_access_policy = var.create_access_policy
+ access_policy_collection_permissions = var.access_policy_collection_permissions
+ access_policy_index_permissions = var.access_policy_index_permissions
+ access_policy_principals = var.access_policy_principals
+ access_policy = var.access_policy
+
+ create_network_policy = var.create_network_policy
+ network_policy = local.network_policy
+
+ create_encryption_policy = var.create_encryption_policy
+ encryption_policy = local.encryption_policy
+
+ create_lifecycle_policy = var.create_lifecycle_policy
+ lifecycle_policy_min_index_retention = var.lifecycle_policy_min_index_retention
+ lifecycle_policy_no_min_index_retention = var.lifecycle_policy_no_min_index_retention
+
+ tags = var.tags
+}
+
+resource "aws_opensearchserverless_security_config" "saml" {
+ count = var.saml_enabled ? 1 : 0
+
+ name = "${var.name}-saml"
+ type = "saml"
+ description = "SAML config for ${var.name}"
+
+ saml_options {
+ metadata = var.saml_metadata_content
+ group_attribute = var.saml_group_attribute
+ user_attribute = var.saml_user_attribute
+ session_timeout = var.saml_session_timeout
+ }
+
+ depends_on = [
+ module.aoss,
+ ]
+}
diff --git a/modules/collection/outputs.tf b/modules/collection/outputs.tf
new file mode 100644
index 0000000..6d46b9c
--- /dev/null
+++ b/modules/collection/outputs.tf
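Review bot: `aws_opensearchserverless_security_config.saml` is created whenever `saml_enabled` is true, yet `saml_metadata_content` defaults to `""`, so enabling SAML without the IdP metadata only fails at apply; a `lifecycle { precondition { … } }` on the resource with `condition = var.saml_metadata_content != ""` would report it at plan. The security config only establishes the SAML trust; as far as I know, SAML users or groups still have to be listed in `access_policy_principals` before they get any data access, so a comment on the resource saying that `saml_enabled = true` on its own grants nothing would spare callers a confusing first login. I'm also not certain the provider treats `""` for `group_attribute` and `user_attribute` as unset; if it does not, those two variables should default to `null` instead.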
@@ -0,0 +1,24 @@
+output "id" {
+ description = "ID of the Opensearch Collection"
+ value = module.aoss.id
+}
+
+output "arn" {
+ description = "ARN of the Opensearch Collection"
+ value = module.aoss.arn
+}
+
+output "endpoint" {
+ description = "Collection-specific endpoint used to submit index, search, and data upload requests to an OpenSearch Serverless collection"
+ value = module.aoss.endpoint
+}
+
+output "dashboard_endpoint" {
+ description = "Collection-specific endpoint used to access OpenSearch Dashboards"
+ value = module.aoss.dashboard_endpoint
+}
+
+output "vpc_endpoint_id" {
+ description = "VPC endpoint ID for the OpenSearch collection"
+ value = var.create_vpc_endpoint ? aws_opensearchserverless_vpc_endpoint.this[0].id : null
+}
diff --git a/modules/collection/variables.tf b/modules/collection/variables.tf
new file mode 100644
index 0000000..02bfafe
--- /dev/null
+++ b/modules/collection/variables.tf
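Review bot: `vpc_endpoint_id` re-checks `var.create_vpc_endpoint` to decide whether `[0]` is safe, which duplicates the `count` expression in endpoint.tf and will silently diverge if either side is changed. The form that keys off the resource itself is `value = one(aws_opensearchserverless_vpc_endpoint.this[*].id)`, which yields `null` for a `count` of 0 and the id otherwise, and is the pattern Terraform's `one()` documentation gives for optional single-instance resources.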
@@ -0,0 +1,152 @@
+variable "name" {
+ type = string
+ description = "Name of the OpenSearch Serverless collection."
+}
+
+variable "collection_type" {
+ type = string
+ description = "Type of collection. Possible values are `SEARCH`, `TIMESERIES` or `VECTORSEARCH`"
+}
+
+variable "description" {
+ type = string
+ description = "Description for the OpenSearch Serverless collection."
+}
+
+variable "allow_public_access" {
+ type = bool
+ description = "Whether public access is to be given"
+ default = false
+}
+
+variable "vpc_id" {
+ description = "VPC ID to deploy the cluster into. Need only if the VPC endpoint created."
+ type = string
+ default = ""
+}
+
+variable "subnet_ids" {
+ description = "Subnet IDs in which the VPC endpoint is created. Needed only if `create_vpc_endpoint` is true"
+ type = list(string)
+ default = []
+}
+
+variable "security_group_ids" {
+ description = "Security group IDs attached to the VPC endpoint. Needed only if `create_vpc_endpoint` is true"
+ type = list(string)
+ default = []
+}
+
+variable "create_vpc_endpoint" {
+ type = bool
+ description = "Whether a VPC endpoint is to be created for the collection"
+ default = false
+}
+
+variable "tags" {
+ description = "(Optional) A mapping of tags to assign to the resources"
+ type = map(string)
+ default = {}
+}
+
+###########
+# Policies
+###########
+variable "create_encryption_policy" {
+ description = "Determines whether an encryption policy will be created"
+ type = bool
+ default = true
+}
+
+variable "encryption_kms_arn" {
+ description = "Encryption policy to apply to the collection"
+ type = string
+ default = null
+}
+
+variable "create_network_policy" {
+ description = "Determines whether an network policy will be created"
+ type = bool
+ default = true
+}
+
+variable "create_access_policy" {
+ description = "Determines whether an access policy will be created"
+ type = bool
+ default = true
+}
+
+variable "access_policy_index_permissions" {
+ description = "Access policy 
permissions for the collection index"
+ type = list(string)
+ default = ["aoss:*"]
+}
+
+variable "access_policy_collection_permissions" {
+ description = "Access policy permissions for the collection"
+ type = list(string)
+ default = ["aoss:*"]
+}
+
+variable "access_policy_principals" {
+ description = "Access policy principals"
+ type = list(string)
+ default = []
+}
+
+variable "access_policy" {
+ description = "Access policy to apply to the collection"
+ type = any
+ default = {}
+}
+
+variable "create_lifecycle_policy" {
+ description = "Determines whether an lifecycle policy will be created"
+ type = bool
+ default = false
+}
+
+variable "lifecycle_policy_min_index_retention" {
+ description = "The minimum period, in days (d) or hours (h), to retain the document in the index. The lower bound is `24h` and the upper bound is `3650d`"
+ type = string
+ default = null
+}
+
+variable "lifecycle_policy_no_min_index_retention" {
+ description = "If true, OpenSearch Serverless retains documents indefinitely"
+ type = bool
+ default = null
+}
+
+########
+# SAML
+########
+variable "saml_enabled" {
+ description = "Whether SAML authentication is enabled"
+ type = bool
+ default = false
+}
+
+variable "saml_metadata_content" {
+ description = "The metadata of the SAML application in xml format."
+ type = string
+ default = ""
+}
+
+variable "saml_session_timeout" {
+ description = "Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440."
+ type = number
+ default = 60
+}
+
+variable "saml_group_attribute" {
+ description = "Group attribute for this SAML integration"
+ type = string
+ default = ""
+}
+
+variable "saml_user_attribute" {
+ description = "User attribute for this SAML integration"
+ type = string
+ default = ""
+}
diff --git a/modules/collection/versions.tf b/modules/collection/versions.tf
new file mode 100644
index 0000000..9ac3096
--- /dev/null
+++ b/modules/collection/versions.tf
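Review bot: `encryption_kms_arn` is described as "Encryption policy to apply to the collection", but locals.tf uses it as the KMS key ARN and derives `AWSOwnedKey` from its absence; the description should read `ARN of the customer-managed KMS key used to encrypt the collection. null selects the AWS-owned key.` `collection_type` and `saml_session_timeout` both state a constraint in their descriptions (three allowed values; a maximum of 1,440 minutes) that nothing enforces, so a bad value is only caught at apply — `validation` blocks on both, as below, catch it at plan. The `["aoss:*"]` defaults for `access_policy_index_permissions` and `access_policy_collection_permissions` hand every collection and index action to whoever is listed in `access_policy_principals`; whether that default is the right one is a design call, but the descriptions should say so, e.g. `Access policy permissions for the collection index. The default grants all aoss:* actions; narrow it where least privilege is wanted.`
```hcl
variable "collection_type" {
  type        = string
  description = "Type of collection. Possible values are `SEARCH`, `TIMESERIES` or `VECTORSEARCH`"

  validation {
    condition     = contains(["SEARCH", "TIMESERIES", "VECTORSEARCH"], var.collection_type)
    error_message = "collection_type must be one of SEARCH, TIMESERIES or VECTORSEARCH."
  }
}

# … unchanged: remaining variables …

variable "saml_session_timeout" {
  description = "Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440."
  type        = number
  default     = 60

  validation {
    condition     = var.saml_session_timeout > 0 && var.saml_session_timeout <= 1440
    error_message = "saml_session_timeout must be between 1 and 1,440 minutes."
  }
}
```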
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.4"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.15"
+ }
+ }
+}
"aoss:*"
]