diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6685b96..be45176 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,10 +1,10 @@
 repos:
-- repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.19.0
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.86.0
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
-- repo: git://github.com/pre-commit/pre-commit-hooks
- rev: v2.3.0
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.5.0
 hooks:
 - id: check-merge-conflict
diff --git a/LICENSE b/LICENSE
index 9ac6b7e..39327c9 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2017 FitnessKeeper, Inc.
+Copyright (c) 2018 The terraform-docs Authors.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index 906b578..880e713 100644
--- a/README.md
+++ b/README.md
@@ -113,46 +113,77 @@ module "es" { ``` +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_elasticsearch_domain.es](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) | resource | +| [aws_elasticsearch_domain.es_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) | resource | +| [aws_elasticsearch_domain_policy.es_management_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain_policy) | resource | +| [aws_elasticsearch_domain_policy.es_vpc_management_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain_policy) | resource | +| [aws_iam_service_linked_role.es](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.es_management_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.es_vpc_management_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + ## Inputs | Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| advanced\_options | Map of key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply. 
| map(string) | `{}` | no | -| create\_iam\_service\_linked\_role | Whether to create IAM service linked role for AWS ElasticSearch service. Can be only one per AWS account. | bool | `"true"` | no | -| dedicated\_master\_threshold | The number of instances above which dedicated master nodes will be used. Default: 10 | number | `"10"` | no | -| dedicated\_master\_type | ES instance type to be used for dedicated masters (default same as instance_type) | string | `"false"` | no | -| domain\_name | Domain name for Elasticsearch cluster | string | `"es-domain"` | no | -| domain\_prefix | String to be prefixed to search domain. Default: tf- | string | `"tf-"` | no | -| ebs\_volume\_size | Optionally use EBS volumes for data storage by specifying volume size in GB (default 0) | number | `"0"` | no | -| ebs\_volume\_type | Storage type of EBS volumes, if used (default gp2) | string | `"gp2"` | no | -| encrypt\_at\_rest | Enable encrption at rest (only specific instance family types support it: m4, c4, r4, i2, i3 default: false) | bool | `"false"` | no | -| enforce\_https | Whether or not to require HTTPS. | bool | `"false"` | no | -| es\_version | Version of Elasticsearch to deploy (default 5.1) | string | `"5.1"` | no | -| es\_zone\_awareness | Enable zone awareness for Elasticsearch cluster (default false) | bool | `"false"` | no | -| es\_zone\_awareness\_count | Number of availability zones used for data nodes (default 2) | number | `"2"` | no | -| instance\_count | Number of data nodes in the cluster (default 6) | number | `"6"` | no | -| instance\_type | ES instance type for data nodes in the cluster (default t2.small.elasticsearch) | string | `"t2.small.elasticsearch"` | no | -| kms\_key\_id | KMS key used for elasticsearch | string | `""` | no | -| log\_publishing\_options | List of maps of options for publishing slow logs to CloudWatch Logs. 
| list(map(string)) | `[]` | no | -| management\_iam\_roles | List of IAM role ARNs from which to permit management traffic (default ['*']). Note that a client must match both the IP address and the IAM role patterns in order to be permitted access. | list(string) | `[ "*" ]` | no | -| management\_public\_ip\_addresses | List of IP addresses from which to permit management traffic (default []). Note that a client must match both the IP address and the IAM role patterns in order to be permitted access. | list(string) | `[]` | no | -| node\_to\_node\_encryption\_enabled | Whether to enable node-to-node encryption. | bool | `"false"` | no | -| snapshot\_start\_hour | Hour at which automated snapshots are taken, in UTC (default 0) | number | `"0"` | no | -| tags | tags to apply to all resources | map(string) | `{}` | no | -| tls\_security\_policy | The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Example values: Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07. Terraform will only perform drift detection if a configuration value is provided. | string | `"null"` | no | -| use\_prefix | Flag indicating whether or not to use the domain_prefix. Default: true | bool | `"true"` | no | -| vpc\_options | A map of supported vpc options | map(list(string)) | `{ "security_group_ids": [], "subnet_ids": [] }` | no | +|------|-------------|------|---------|:--------:| +| [advanced\_options](#input\_advanced\_options) | Map of key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply. | `map(string)` | `{}` | no | +| [advanced\_security\_options\_enabled](#input\_advanced\_security\_options\_enabled) | Whether advanced security is enabled. 
| `bool` | `true` | no | +| [advanced\_security\_options\_internal\_user\_database\_enabled](#input\_advanced\_security\_options\_internal\_user\_database\_enabled) | Whether to enable or not internal Kibana user database for ELK OpenDistro security plugin | `bool` | `false` | no | +| [advanced\_security\_options\_master\_user\_name](#input\_advanced\_security\_options\_master\_user\_name) | Master user username (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to true) | `string` | `null` | no | +| [advanced\_security\_options\_master\_user\_password](#input\_advanced\_security\_options\_master\_user\_password) | Master user password (applicable if advanced\_security\_options\_internal\_user\_database\_enabled set to true) | `string` | `null` | no | +| [create\_iam\_service\_linked\_role](#input\_create\_iam\_service\_linked\_role) | Whether to create IAM service linked role for AWS ElasticSearch service. Can be only one per AWS account. | `bool` | `true` | no | +| [dedicated\_master\_threshold](#input\_dedicated\_master\_threshold) | The number of instances above which dedicated master nodes will be used. Default: 10 | `number` | `10` | no | +| [dedicated\_master\_type](#input\_dedicated\_master\_type) | ES instance type to be used for dedicated masters (default same as instance\_type) | `string` | `"false"` | no | +| [domain\_name](#input\_domain\_name) | Domain name for Elasticsearch cluster | `string` | `"es-domain"` | no | +| [domain\_prefix](#input\_domain\_prefix) | String to be prefixed to search domain. 
Default: tf- | `string` | `"tf-"` | no | +| [ebs\_volume\_size](#input\_ebs\_volume\_size) | Optionally use EBS volumes for data storage by specifying volume size in GB (default 0) | `number` | `0` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | Storage type of EBS volumes, if used (default gp2) | `string` | `"gp2"` | no | +| [encrypt\_at\_rest](#input\_encrypt\_at\_rest) | Enable encrption at rest (only specific instance family types support it: m4, c4, r4, i2, i3 default: false) | `bool` | `false` | no | +| [enforce\_https](#input\_enforce\_https) | Whether or not to require HTTPS. | `bool` | `false` | no | +| [es\_version](#input\_es\_version) | Version of Elasticsearch to deploy (default 5.1) | `string` | `"5.1"` | no | +| [es\_zone\_awareness](#input\_es\_zone\_awareness) | Enable zone awareness for Elasticsearch cluster (default false) | `bool` | `false` | no | +| [es\_zone\_awareness\_count](#input\_es\_zone\_awareness\_count) | Number of availability zones used for data nodes (default 2) | `number` | `2` | no | +| [instance\_count](#input\_instance\_count) | Number of data nodes in the cluster (default 6) | `number` | `6` | no | +| [instance\_type](#input\_instance\_type) | ES instance type for data nodes in the cluster (default t2.small.elasticsearch) | `string` | `"t2.small.elasticsearch"` | no | +| [kms\_key\_id](#input\_kms\_key\_id) | KMS key used for elasticsearch | `string` | `""` | no | +| [log\_publishing\_options](#input\_log\_publishing\_options) | List of maps of options for publishing slow logs to CloudWatch Logs. | `list(map(string))` | `[]` | no | +| [management\_iam\_roles](#input\_management\_iam\_roles) | List of IAM role ARNs from which to permit management traffic (default ['*']). Note that a client must match both the IP address and the IAM role patterns in order to be permitted access. | `list(string)` |
[
"*"
]
| no | +| [management\_public\_ip\_addresses](#input\_management\_public\_ip\_addresses) | List of IP addresses from which to permit management traffic (default []). Note that a client must match both the IP address and the IAM role patterns in order to be permitted access. | `list(string)` | `[]` | no | +| [master\_user\_arn](#input\_master\_user\_arn) | The ARN for the master user of the cluster. If not specified, then it defaults to using the IAM user that is making the request. | `string` | `""` | no | +| [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether to enable node-to-node encryption. | `bool` | `false` | no | +| [snapshot\_start\_hour](#input\_snapshot\_start\_hour) | Hour at which automated snapshots are taken, in UTC (default 0) | `number` | `0` | no | +| [tags](#input\_tags) | tags to apply to all resources | `map(string)` | `{}` | no | +| [tls\_security\_policy](#input\_tls\_security\_policy) | The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Example values: Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07. Terraform will only perform drift detection if a configuration value is provided. | `string` | `null` | no | +| [use\_prefix](#input\_use\_prefix) | Flag indicating whether or not to use the domain\_prefix. Default: true | `bool` | `true` | no | +| [vpc\_options](#input\_vpc\_options) | A map of supported vpc options | `map(list(string))` |
{
"security_group_ids": [],
"subnet_ids": []
}
| no | ## Outputs | Name | Description | |------|-------------| -| arn | Amazon Resource Name (ARN) of the domain | -| domain\_id | Unique identifier for the domain | -| domain\_name | The name of the Elasticsearch domain | -| endpoint | Domain-specific endpoint used to submit index, search, and data upload requests | -| kibana\_endpoint | Domain-specific endpoint for kibana without https scheme | - +| [arn](#output\_arn) | Amazon Resource Name (ARN) of the domain | +| [domain\_id](#output\_domain\_id) | Unique identifier for the domain | +| [domain\_name](#output\_domain\_name) | The name of the Elasticsearch domain | +| [endpoint](#output\_endpoint) | Domain-specific endpoint used to submit index, search, and data upload requests | +| [kibana\_endpoint](#output\_kibana\_endpoint) | Domain-specific endpoint for kibana without https scheme | ## Authors
diff --git a/data.tf b/data.tf
index 8c5d308..fd68304 100644
--- a/data.tf
+++ b/data.tf
@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 locals {
 domain_name = var.use_prefix ? join("", [var.domain_prefix, var.domain_name]) : var.domain_name
 inside_vpc = length(var.vpc_options["subnet_ids"]) > 0 ? true : false
diff --git a/main.tf b/main.tf
index 73da9da..a92eb2e 100644
--- a/main.tf
+++ b/main.tf
@@ -61,6 +61,20 @@ resource "aws_elasticsearch_domain" "es" {
 advanced_options = var.advanced_options
 
+ dynamic "advanced_security_options" {
+ for_each = var.advanced_security_options_enabled ? [true] : []
+ content {
+ enabled = var.advanced_security_options_enabled
+ internal_user_database_enabled = var.advanced_security_options_internal_user_database_enabled
+
+ master_user_options {
+ master_user_arn = var.advanced_security_options_internal_user_database_enabled ? null : (var.master_user_arn != "" ? var.master_user_arn : data.aws_caller_identity.current.arn)
+ master_user_name = var.advanced_security_options_internal_user_database_enabled ? var.advanced_security_options_master_user_name : null
+ master_user_password = var.advanced_security_options_internal_user_database_enabled ? var.advanced_security_options_master_user_password : null
+ }
+ }
+ }
+
 dynamic "log_publishing_options" {
 for_each = var.log_publishing_options
 content {
diff --git a/main_vpc.tf b/main_vpc.tf
index 73c1dfe..5603f75 100644
--- a/main_vpc.tf
+++ b/main_vpc.tf
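Review bot: Turning fine-grained access control on by default conflicts with the rest of the module's defaults: `advanced_security_options_enabled` defaults to `true` (variables.tf in this commit) while `enforce_https`, `node_to_node_encryption_enabled` and `encrypt_at_rest` default to `false` and `es_version` to `"5.1"` (README table), and as far as I recall the AWS API refuses a domain with advanced security unless HTTPS is enforced, node-to-node and at-rest encryption are on and the engine is 6.7 or newer. So `terraform apply` with module defaults fails, and every existing consumer gets FGAC switched on at their next apply, which AWS does not let you revert. I would make it opt-in (`default = false`) and guard the `dynamic "advanced_security_options"` block with a resource precondition along the lines of `condition = !var.advanced_security_options_enabled || (var.enforce_https && var.node_to_node_encryption_enabled && var.encrypt_at_rest)` if the module targets Terraform >= 1.2, otherwise at least spell out the prerequisites in the variable description. The enclosing `aws_elasticsearch_domain.es` resource starts and ends outside the hunk.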
@@ -62,6 +62,20 @@ resource "aws_elasticsearch_domain" "es_vpc" {
 advanced_options = var.advanced_options
 
+ dynamic "advanced_security_options" {
+ for_each = var.advanced_security_options_enabled ? [true] : []
+ content {
+ enabled = var.advanced_security_options_enabled
+ internal_user_database_enabled = var.advanced_security_options_internal_user_database_enabled
+
+ master_user_options {
+ master_user_arn = var.advanced_security_options_internal_user_database_enabled ? null : (var.master_user_arn != "" ? var.master_user_arn : data.aws_caller_identity.current.arn)
+ master_user_name = var.advanced_security_options_internal_user_database_enabled ? var.advanced_security_options_master_user_name : null
+ master_user_password = var.advanced_security_options_internal_user_database_enabled ? var.advanced_security_options_master_user_password : null
+ }
+ }
+ }
+
 dynamic "log_publishing_options" {
 for_each = var.log_publishing_options
 content {
diff --git a/variables.tf b/variables.tf
index fb342f1..4833c17 100644
--- a/variables.tf
+++ b/variables.tf
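Review bot: The `master_user_arn` fallback to `data.aws_caller_identity.current.arn` is fragile when Terraform runs under an assumed role, which is the usual CI case: the caller ARN is then an STS `assumed-role/<role>/<session-name>` ARN, so the domain's master user is pinned to one session name instead of the role, and the same three-way conditional is duplicated verbatim in main.tf so the two resources can silently drift apart on the next edit. I would compute it once in data.tf, `locals { master_user_arn = var.advanced_security_options_internal_user_database_enabled ? null : (var.master_user_arn != "" ? var.master_user_arn : data.aws_caller_identity.current.arn) }`, and, if the provider version allows it, derive the default from `data.aws_iam_session_context` (`issuer_arn`) rather than the raw caller ARN, or else require `master_user_arn` explicitly when the internal user database is off. The enclosing `aws_elasticsearch_domain.es_vpc` resource starts and ends outside the hunk.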
@@ -128,6 +128,36 @@ variable "advanced_options" {
 default = {}
 }
 
+variable "advanced_security_options_enabled" {
+ description = "Whether advanced security is enabled."
+ type = bool
+ default = true
+}
+
+variable "advanced_security_options_internal_user_database_enabled" {
+ description = "Whether to enable or not internal Kibana user database for ELK OpenDistro security plugin"
+ type = bool
+ default = false
+}
+
+variable "advanced_security_options_master_user_name" {
+ description = "Master user username (applicable if advanced_security_options_internal_user_database_enabled set to true)"
+ type = string
+ default = null
+}
+
+variable "advanced_security_options_master_user_password" {
+ description = "Master user password (applicable if advanced_security_options_internal_user_database_enabled set to true)"
+ type = string
+ default = null
+}
+
+variable "master_user_arn" {
+ description = "The ARN for the master user of the cluster. If not specified, then it defaults to using the IAM user that is making the request."
+ type = string
+ default = ""
+}
+
 variable "log_publishing_options" {
 description = "List of maps of options for publishing slow logs to CloudWatch Logs."
 type = list(map(string))
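Review bot: `advanced_security_options_master_user_password` is declared as a plain `string`, so the master password is echoed in `terraform plan`/`apply` output and in any CI log that captures it; add `sensitive = true` to that variable (Terraform 0.14+, which the README's "No requirements" does not pin — if older versions must stay supported, say so in the description instead). It still lands in the state file either way, so the description should note that the state backend has to be access-controlled and encrypted. Nothing ensures `advanced_security_options_master_user_name` and the password are set when `advanced_security_options_internal_user_database_enabled` is true, and a `validation` block cannot reference other variables, so that check belongs in a resource precondition or, failing that, in the README. Lastly, `master_user_arn` uses `""` as its "unset" sentinel while the new name/password variables use `null`; using `null` throughout (and `coalesce` where a fallback is needed) would be more consistent.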