Add Amazon Cognito authentication with Kibana

README.md

@@ -108,7 +108,10 @@ module "es" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| advanced\_options | Map of key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply. | map | `{}` | no |
+| advanced\_options | Map of key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply. Since an empty map also causes a perpetual diff, the default option for rest.action.multi.allow_explicit_index is specified here. | map | `{ "rest.action.multi.allow_explicit_index": "true" }` | no |
+| cognito\_identity\_pool\_id | Cognito identity pool for enabling Amazon Cognito authentication with Kibana. | string | `""` | no |
+| cognito\_role\_arn | IAM role that has the AmazonESCognitoAccess policy attached for enabling Amazon Cognito authentication with Kibana. Defaults to AWS managed policy. | string | `""` | no |
+| cognito\_user\_pool\_id | Optionally enable Amazon Cognito authentication with Kibana by specifying the Cognito user pool, Cognito identity pool, and role ARN. | string | `""` | no |
 | create\_iam\_service\_linked\_role | Whether to create IAM service linked role for AWS ElasticSearch service. Can be only one per AWS account. | string | `"true"` | no |
 | dedicated\_master\_threshold | The number of instances above which dedicated master nodes will be used. Default: 10 | string | `"10"` | no |
 | dedicated\_master\_type | ES instance type to be used for dedicated masters (default same as instance_type) | string | `"false"` | no |

cognito.tf

@@ -0,0 +1,32 @@
+data "aws_iam_policy" "cognito_access" {
+  count = "${var.cognito_role_arn == "" ? 1 : 0}"
+  arn   = "arn:aws:iam::aws:policy/AmazonESCognitoAccess"
+}
+
+resource "aws_iam_role" "cognito_access" {
+  count       = "${var.cognito_role_arn == "" ? 1 : 0}"
+  name_prefix = "CognitoAccessForAmazonES"
+  tags        = "${var.tags}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "es.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "cognito_role_attachment" {
+  count      = "${var.cognito_role_arn == "" ? 1 : 0}"
+  role       = "${aws_iam_role.cognito_access.name}"
+  policy_arn = "${data.aws_iam_policy.cognito_access.arn}"
+}

data.tf

@@ -1,4 +1,5 @@
 locals {
-  domain_name = "${var.use_prefix ? join("", list(var.domain_prefix, var.domain_name)) : var.domain_name}"
-  inside_vpc  = "${length(var.vpc_options["subnet_ids"]) > 0 ? 1 : 0}"
+  domain_name    = "${var.use_prefix ? join("", list(var.domain_prefix, var.domain_name)) : var.domain_name}"
+  inside_vpc     = "${length(var.vpc_options["subnet_ids"]) > 0 ? 1 : 0}"
+  enable_cognito = "${var.cognito_user_pool_id != "" && var.cognito_user_pool_id != ""}"
 }

main.tf

@@ -66,6 +66,13 @@ resource "aws_elasticsearch_domain" "es" {
     automated_snapshot_start_hour = "${var.snapshot_start_hour}"
   }
 
+  cognito_options {
+    enabled          = "${local.enable_cognito}"
+    user_pool_id     = "${var.cognito_user_pool_id}"
+    identity_pool_id = "${var.cognito_identity_pool_id}"
+    role_arn         = "${var.cognito_role_arn == "" ? aws_iam_role.cognito_access.arn : var.cognito_role_arn}"
+  }
+
   tags = "${merge(map("Domain", local.domain_name), var.tags)}"
 }
 

main_vpc.tf

@@ -65,6 +65,13 @@ resource "aws_elasticsearch_domain" "es_vpc" {
     volume_type = "${var.ebs_volume_type}"
   }
 
+  cognito_options {
+    enabled          = "${local.enable_cognito}"
+    user_pool_id     = "${var.cognito_user_pool_id}"
+    identity_pool_id = "${var.cognito_identity_pool_id}"
+    role_arn         = "${var.cognito_role_arn == "" ? aws_iam_role.cognito_access.arn : var.cognito_role_arn}"
+  }
+
   snapshot_options {
     automated_snapshot_start_hour = "${var.snapshot_start_hour}"
   }

variables.tf

@@ -102,8 +102,11 @@ variable "dedicated_master_threshold" {
 }
 
 variable "advanced_options" {
-  description = "Map of key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply."
-  default     = {}
+  description = "Map of key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply. Since an empty map also causes a perpetual diff, the default option for rest.action.multi.allow_explicit_index is specified here."
+
+  default = {
+    "rest.action.multi.allow_explicit_index" = "true"
+  }
 }
 
 variable "log_publishing_options" {
@@ -115,3 +118,18 @@ variable "node_to_node_encryption_enabled" {
   description = "Whether to enable node-to-node encryption."
   default     = false
 }
+
+variable "cognito_user_pool_id" {
+  description = "Optionally enable Amazon Cognito authentication with Kibana by specifying the Cognito user pool, Cognito identity pool, and role ARN."
+  default     = ""
+}
+
+variable "cognito_identity_pool_id" {
+  description = "Cognito identity pool for enabling Amazon Cognito authentication with Kibana."
+  default     = ""
+}
+
+variable "cognito_role_arn" {
+  description = "IAM role that has the AmazonESCognitoAccess policy attached for enabling Amazon Cognito authentication with Kibana. Defaults to AWS managed policy."
+  default     = ""
+}