fdmsantos/terraform-aws-opensearch-serverless

AWS Opensearch Serverless Terraform module

Terraform module that creates an OpenSearch Serverless collection together with its related resources (encryption, network and data access policies, VPC endpoint, data lifecycle policy and security config).

Module versioning rule

Module version | AWS provider version
>= 1.x.x       | >= 5.31

Features

  • Encryption Policy
  • Network Policy
  • Data Access Policy
  • Opensearch Serverless VPCE
  • Data Lifecycle Policy
  • Security Config

How to Use

Basic Example

This example will create:

  • OpenSearch Serverless collection
  • Encryption policy with the AWS managed KMS key
  • Public network policy for both endpoints (dashboard and collection)
  • Data access policy granting all permissions on the collection and on all indexes

# The caller identity is referenced by the access policy rules below,
# so it has to be declared alongside the module call.
data "aws_caller_identity" "current" {}

module "opensearch_serverless" {
  source              = "fdmsantos/opensearch-serverless/aws"
  version             = "x.x.x"
  name                = "demo-collection"
  access_policy_rules = [
    {
      # Collection-level rule: every collection permission for the caller.
      type        = "collection"
      permissions = ["All"]
      principals  = [data.aws_caller_identity.current.arn]
    },
    {
      # Index-level rule: every index permission on every index for the caller.
      type        = "index"
      permissions = ["All"]
      indexes     = ["*"]
      principals  = [data.aws_caller_identity.current.arn]
    }
  ]
}

Encryption Policy

By default, the encryption policy uses the AWS managed KMS key. To use a customer managed KMS key instead, set the variable encryption_policy_kms_key_arn to the key's ARN.

Network Policy

By default, the network policy is created with public access to both the dashboard and the collection endpoint. To change the network policy, use the variable network_policy_type. The supported values are:

Value                            | Description
AllPublic                        | Public endpoints for Dashboard and Collection
AllPrivate                       | Private endpoints for Dashboard and Collection
PublicCollectionPrivateDashboard | Public endpoint for Collection and private endpoint for Dashboard
PrivateCollectionPublicDashboard | Private endpoint for Collection and public endpoint for Dashboard

VPC Access

If the variable network_policy_type is set to anything other than "AllPublic", the module creates an OpenSearch Serverless VPC endpoint for private access. In this case the variables vpce_subnet_ids and vpce_vpc_id must be configured; vpce_security_group_ids is optional.

Security Group

  • To attach existing security groups, use the variable vpce_security_group_ids.
  • By default, the module creates a new security group. To disable this, set vpce_create_security_group = false.
  • To choose the sources allowed by the created security group, use the variable vpce_security_group_sources. Each entry has two fields:

Field   | Allowed values
type    | IPv4, IPv6, PrefixLists, SGs
sources | List of sources to allow, matching the type. For example, for type IPv4 this is a list of IPv4 CIDR blocks.

  • Example:

vpce_security_group_sources = [
    {
      type    = "IPv4"
      sources = ["0.0.0.0/0"]
    },
    {
      type    = "IPv6"
      sources = ["::/0"]
    }
]

    Note that 0.0.0.0/0 and ::/0 admit inbound traffic from any address; in practice, restrict the sources to the CIDR blocks, prefix lists or security groups that actually need to reach the endpoint.

Data Access Policy

To configure the data access policy, use the variable access_policy_rules. This variable is a list of data access rules. Each rule contains the following fields:

Field       | Supported values
type        | collection; index
permissions | Collection type: All; Create; Read; Update; Delete. Index type: All; Create; Read; Update; Delete; ReadDocument; WriteDocument
principals  | IAM users; IAM roles; SAML users; SAML groups
indexes     | List of indexes the rule applies to (index type only)
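Putting the Encryption, Network, VPC Access, Security Group and Data Access sections together, here is an added example that is not part of the module's README: a collection with no public endpoints, a customer managed KMS key, a module-created security group limited to the VPC's own address space, and access rules scoped per role instead of the "All" permission used in the basic example. The input variables, the role ARNs and the app-logs-* index pattern are assumptions made for this example.

```hcl
# Hypothetical inputs (constructed for this example); point them at your
# own VPC, KMS key and IAM roles.
variable "vpc_id"                 { type = string }
variable "vpc_cidr"               { type = string }       # e.g. "10.0.0.0/16"
variable "private_subnet_ids"     { type = list(string) }
variable "collection_kms_key_arn" { type = string }
variable "ingest_role_arn"        { type = string }       # writes documents
variable "reader_role_arn"        { type = string }       # searches only

module "opensearch_serverless" {
  source  = "fdmsantos/opensearch-serverless/aws"
  version = "x.x.x"

  name = "logs-collection"
  type = "TIMESERIES"

  # Customer managed key instead of the AWS managed default.
  encryption_policy_kms_key_arn = var.collection_kms_key_arn

  # No public endpoints; the module creates the VPC endpoint itself,
  # so the VPC and subnets become mandatory.
  network_policy_type = "AllPrivate"
  vpce_vpc_id         = var.vpc_id
  vpce_subnet_ids     = var.private_subnet_ids

  # The module-created security group admits only the VPC's own
  # address space rather than 0.0.0.0/0.
  vpce_security_group_sources = [
    { type = "IPv4", sources = [var.vpc_cidr] }
  ]

  # Least privilege: the ingest role may create and write its own
  # indexes, the reader role may only read them; nobody gets "All".
  access_policy_rules = [
    {
      type        = "index"
      permissions = ["Create", "WriteDocument"]
      indexes     = ["app-logs-*"]
      principals  = [var.ingest_role_arn]
    },
    {
      type        = "index"
      permissions = ["ReadDocument"]
      indexes     = ["app-logs-*"]
      principals  = [var.reader_role_arn]
    }
  ]
}
```

Because network_policy_type is not "AllPublic", omitting vpce_vpc_id or vpce_subnet_ids here would leave the module without a VPC to place the endpoint in.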

Data Lifecycle Policy

To create a data lifecycle policy, set the variable create_data_lifecycle_policy = true and configure the rules with the variable data_lifecycle_policy_rules. The default retention is Unlimited, so a rule that omits retention keeps its indexes indefinitely.

Example:

data_lifecycle_policy_rules = [
  {
     indexes = ["index1", "index2"]
     retention = "Unlimited"
  },
  {
     indexes = ["index3", "index4"]
     retention = "81d"
  },
  {
     indexes = ["index5"]
  }
]

Security Config

To create the security config, set the variable create_security_config = true and provide the SAML settings:

create_security_config = true
saml_metadata          = "${path.module}/saml-metadata.xml"
saml_user_attribute    = "example"
saml_group_attribute   = "example"
saml_session_timeout   = 90

Examples

  • Complete - Creates an opensearch serverless collection with all features.

Requirements

Name      | Version
terraform | >= 0.13.1
aws       | >= 5.31

Providers

Name | Version
aws  | >= 5.31

Modules

No modules.

Resources

Name                                                   | Type
aws_opensearchserverless_access_policy.this            | resource
aws_opensearchserverless_collection.this               | resource
aws_opensearchserverless_lifecycle_policy.this         | resource
aws_opensearchserverless_security_config.this          | resource
aws_opensearchserverless_security_policy.encryption    | resource
aws_opensearchserverless_security_policy.network       | resource
aws_opensearchserverless_vpc_endpoint.this             | resource
aws_security_group.this                                | resource

Inputs

Name | Description | Type | Default | Required
access_policy_description | Description of the access policy. | string | null | no
access_policy_name | The name of the data access policy. | string | null | no
access_policy_rules | Rules to apply on the access policy. | list(object({ type = string, permissions = list(string), principals = list(string), indexes = optional(list(string), []) })) | [] | no
create_access_policy | Controls if the data access policy should be created. | bool | true | no
create_data_lifecycle_policy | Controls if the data lifecycle policy should be created. | bool | false | no
create_encryption_policy | Controls if the encryption policy should be created. | bool | true | no
create_network_policy | Controls if the network policy should be created. | bool | true | no
create_security_config | Controls if the security config should be created. | bool | false | no
data_lifecycle_policy_description | Description of the data lifecycle policy. | string | null | no
data_lifecycle_policy_name | The name of the data lifecycle policy. | string | null | no
data_lifecycle_policy_rules | Rules to apply on the data lifecycle policy. | list(object({ indexes = list(string), retention = optional(string, "Unlimited") })) | [] | no
description | Description of the collection. | string | null | no
encryption_policy_description | Description of the encryption policy. | string | null | no
encryption_policy_kms_key_arn | KMS customer managed key ARN to use in the encryption policy. | string | null | no
encryption_policy_name | The name of the encryption policy. | string | null | no
name | Name of the collection. | string | n/a | yes
network_policy_description | Description of the network policy. | string | null | no
network_policy_name | The name of the network policy. | string | null | no
network_policy_type | Type of network policy. Supported values are: AllPublic, AllPrivate, PublicCollectionPrivateDashboard, PrivateCollectionPublicDashboard | string | "AllPublic" | no
saml_group_attribute | Attribute used to map user groups or roles from your SAML assertion. | string | null | no
saml_metadata | The XML IdP metadata file generated by your identity provider. Must be a path to a file. | string | null | no
saml_session_timeout | Session timeout, in minutes. Minimum is 5 minutes and maximum is 720 minutes (12 hours). Default is 60 minutes. | number | 60 | no
saml_user_attribute | Custom attribute for the user ID if your assertion does not use NameID as the default attribute. | string | null | no
security_config_description | Description of the security config. | string | null | no
security_config_name | The name of the security config. | string | null | no
tags | A map of tags to assign to the collection. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level. | map(string) | {} | no
type | Type of collection. One of SEARCH, TIMESERIES, or VECTORSEARCH. Defaults to TIMESERIES. | string | "TIMESERIES" | no
use_standby_replicas | Indicates whether standby replicas should be used for the collection. | bool | true | no
vpce_create_security_group | Creates a security group for the VPCE. | bool | true | no
vpce_name | Name of the interface endpoint. | string | null | no
vpce_security_group_description | Security group description for the VPCE. | string | null | no
vpce_security_group_ids | One or more security groups that define the ports, protocols, and sources for inbound traffic that you are authorizing into your endpoint. Up to 5 security groups can be provided. | list(string) | null | no
vpce_security_group_name | Security group name for the VPCE. | string | null | no
vpce_security_group_sources | Sources for inbound traffic to OpenSearch Serverless. | list(object({ type = string, sources = list(string) })) | [] | no
vpce_subnet_ids | One or more subnet IDs from which you'll access OpenSearch Serverless. Up to 6 subnets can be provided. | list(string) | [] | no
vpce_vpc_id | ID of the VPC from which you'll access OpenSearch Serverless. | string | null | no

Outputs

Name | Description
access_policy_name | Name of the data access policy.
access_policy_version | Version of the data access policy.
collection_arn | Amazon Resource Name (ARN) of the collection.
collection_endpoint | Collection-specific endpoint used to submit index, search, and data upload requests to an OpenSearch Serverless collection.
collection_id | Unique identifier for the collection.
dashboard_endpoint | Collection-specific endpoint used to access OpenSearch Dashboards.
data_lifecycle_policy_name | Name of the data lifecycle policy.
data_lifecycle_policy_version | Version of the data lifecycle policy.
encryption_policy_name | Name of the encryption policy.
encryption_policy_version | Version of the encryption policy.
kms_key_arn | The ARN of the AWS KMS key used to encrypt the collection.
network_policy_name | Name of the network policy.
network_policy_version | Version of the network policy.
security_config_name | Name of the security config.
security_config_version | Version of the security config.
security_group_id | ID of the security group.
security_group_name | Name of the security group.
vpce_id | ID of the VPC endpoint.
vpce_name | Name of the interface endpoint.

License

Apache 2 Licensed. See LICENSE for full details.