diff --git a/README.md b/README.md
index 0ded670..b588eb3 100644
--- a/README.md
+++ b/README.md
@@ -108,7 +108,10 @@ module "es" {
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| advanced\_options | Map of key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply. | map | `{}` | no |
+| advanced\_options | Map of key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply. Since an empty map also causes a perpetual diff, the default option for rest.action.multi.allow_explicit_index is specified here. | map | `{ "rest.action.multi.allow_explicit_index": "true" }` | no |
+| cognito\_identity\_pool\_id | Cognito identity pool for enabling Amazon Cognito authentication with Kibana. | string | `""` | no |
+| cognito\_role\_arn | IAM role that has the AmazonESCognitoAccess policy attached for enabling Amazon Cognito authentication with Kibana. Defaults to AWS managed policy. | string | `""` | no |
+| cognito\_user\_pool\_id | Optionally enable Amazon Cognito authentication with Kibana by specifying the Cognito user pool, Cognito identity pool, and role ARN. | string | `""` | no |
 | create\_iam\_service\_linked\_role | Whether to create IAM service linked role for AWS ElasticSearch service. Can be only one per AWS account. | string | `"true"` | no |
 | dedicated\_master\_threshold | The number of instances above which dedicated master nodes will be used. Default: 10 | string | `"10"` | no |
 | dedicated\_master\_type | ES instance type to be used for dedicated masters (default same as instance_type) | string | `"false"` | no |
diff --git a/cognito.tf b/cognito.tf
new file mode 100644
index 0000000..6ada10b
--- /dev/null
+++ b/cognito.tf
@@ -0,0 +1,32 @@
+data "aws_iam_policy" "cognito_access" {
+ count = "${var.cognito_role_arn == "" ? 1 : 0}"
+ arn = "arn:aws:iam::aws:policy/AmazonESCognitoAccess"
+}
+
+resource "aws_iam_role" "cognito_access" {
+ count = "${var.cognito_role_arn == "" ? 1 : 0}"
+ name_prefix = "CognitoAccessForAmazonES"
+ tags = "${var.tags}"
+
+ assume_role_policy = < 0 ? 1 : 0}"
+ domain_name = "${var.use_prefix ? join("", list(var.domain_prefix, var.domain_name)) : var.domain_name}"
+ inside_vpc = "${length(var.vpc_options["subnet_ids"]) > 0 ? 1 : 0}"
+ enable_cognito = "${var.cognito_user_pool_id != "" && var.cognito_user_pool_id != ""}"
 }
diff --git a/main.tf b/main.tf
index 1f9a000..fa67808 100644
--- a/main.tf
+++ b/main.tf
@@ -66,6 +66,13 @@ resource "aws_elasticsearch_domain" "es" {
 automated_snapshot_start_hour = "${var.snapshot_start_hour}"
 }
 
+ cognito_options {
+ enabled = "${local.enable_cognito}"
+ user_pool_id = "${var.cognito_user_pool_id}"
+ identity_pool_id = "${var.cognito_identity_pool_id}"
+ role_arn = "${var.cognito_role_arn == "" ? aws_iam_role.cognito_access.arn : var.cognito_role_arn}"
+ }
+
 tags = "${merge(map("Domain", local.domain_name), var.tags)}"
 }
diff --git a/main_vpc.tf b/main_vpc.tf
index ca9212d..2453078 100644
--- a/main_vpc.tf
+++ b/main_vpc.tf
@@ -65,6 +65,13 @@ resource "aws_elasticsearch_domain" "es_vpc" {
 volume_type = "${var.ebs_volume_type}"
 }
 
+ cognito_options {
+ enabled = "${local.enable_cognito}"
+ user_pool_id = "${var.cognito_user_pool_id}"
+ identity_pool_id = "${var.cognito_identity_pool_id}"
+ role_arn = "${var.cognito_role_arn == "" ? aws_iam_role.cognito_access.arn : var.cognito_role_arn}"
+ }
+
 snapshot_options {
 automated_snapshot_start_hour = "${var.snapshot_start_hour}"
 }
diff --git a/variables.tf b/variables.tf
index e3fcc51..5e1c659 100644
--- a/variables.tf
+++ b/variables.tf
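Review bot: `aws_iam_role.cognito_access` (and the `aws_iam_policy` data source at the top of this hunk) is created whenever `var.cognito_role_arn` is empty, which is every caller that does not use Cognito at all, because the `count` expression never consults `local.enable_cognito`. That leaves an idle, presumably service-assumable role carrying AmazonESCognitoAccess in accounts that never enable Kibana authentication, which is more privilege than those deployments need. Gate both on the feature, e.g. `count = "${local.enable_cognito && var.cognito_role_arn == "" ? 1 : 0}"` (exact boolean form to be confirmed against the interpolation rules this module targets). The trust policy heredoc and anything after it in this hunk is garbled in this view, so those lines are not reviewed here.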
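Review bot: `enable_cognito` compares `var.cognito_user_pool_id` against `""` twice; the second operand should be `var.cognito_identity_pool_id`, so a caller who sets only the user pool currently gets `cognito_options` enabled with an empty identity pool, and the README's statement that both pools must be supplied is not enforced. Change the line to `enable_cognito = "${var.cognito_user_pool_id != "" && var.cognito_identity_pool_id != ""}"`. The header of this hunk and the start of the `locals` block are lost in this view, and the `+` markers on the `domain_name` and `inside_vpc` lines may be an artefact of that, so only the `enable_cognito` line is judged here.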
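Review bot: `role_arn` references `aws_iam_role.cognito_access.arn` on a resource that carries a `count`; with the 0.11-style interpolation used here a counted resource must be addressed by index or splat, and when `cognito_role_arn` is supplied (count 0) the reference appears to fail at plan time because both branches of the ternary are evaluated. The usual form is `role_arn = "${var.cognito_role_arn == "" ? join("", aws_iam_role.cognito_access.*.arn) : var.cognito_role_arn}"`. The same line appears in the `main_vpc.tf` hunk below. Note also that `cognito_options` is emitted with `enabled = false` when Cognito is off, so the role reference must still resolve in that configuration.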
@@ -102,8 +102,11 @@ variable "dedicated_master_threshold" {
 }
 
 variable "advanced_options" {
- description = "Map of key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply."
- default = {}
+ description = "Map of key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply. Since an empty map also causes a perpetual diff, the default option for rest.action.multi.allow_explicit_index is specified here."
+
+ default = {
+ "rest.action.multi.allow_explicit_index" = "true"
+ }
 }
 
 variable "log_publishing_options" {
@@ -115,3 +118,18 @@ variable "node_to_node_encryption_enabled" {
 description = "Whether to enable node-to-node encryption."
 default = false
 }
+
+variable "cognito_user_pool_id" {
+ description = "Optionally enable Amazon Cognito authentication with Kibana by specifying the Cognito user pool, Cognito identity pool, and role ARN."
+ default = ""
+}
+
+variable "cognito_identity_pool_id" {
+ description = "Cognito identity pool for enabling Amazon Cognito authentication with Kibana."
+ default = ""
+}
+
+variable "cognito_role_arn" {
+ description = "IAM role that has the AmazonESCognitoAccess policy attached for enabling Amazon Cognito authentication with Kibana. Defaults to AWS managed policy."
+ default = ""
+}
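Review bot: The description of `cognito_user_pool_id` tells callers to supply the role ARN along with the two pools, while `cognito_role_arn` three blocks down says it defaults to a module-provided role, so the two descriptions contradict each other about what is required. Suggest `description = "Optionally enable Amazon Cognito authentication with Kibana by specifying the Cognito user pool and identity pool. A role with AmazonESCognitoAccess is created unless cognito_role_arn is set."`. The three new variables also declare no `type`; the surrounding file appears to omit it as well, so this is consistent, but the empty-string defaults are then the only hint that these are strings.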