Merge pull request #35 from lgallard/feature/add_custom_endpoint_support

Feature/add custom endpoint support
lgallard · Apr 13, 2021 · db57ee6 · db57ee6
2 parents 6cedaa9 + eddce03
commit db57ee6
Show file tree

Hide file tree

Showing 8 changed files with 83 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.9.0 (April 12, 2021)
+
+
+ENHANCEMENTS:
+
+* Add `custom_endpoint` support
+* Update examples
+
 ## 0.8.0 (January 24, 2021)
 
 

diff --git a/README.md b/README.md
@@ -48,6 +48,13 @@ module "aws_es" {
     "rest.action.multi.allow_explicit_index" = "true"
   }
 
+  domain_endpoint_options = {
+    enforce_https                   = true
+    custom_endpoint_enabled         = true
+    custom_endpoint                 = "lgallardo.com"
+    custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:123456789101:certificate/abcd1234-ef11-abcd-1234-abcd1234efef"
+  }
+
   node_to_node_encryption_enabled                = "true"
   snapshot_options_automated_snapshot_start_hour = "23"
 
@@ -109,6 +116,20 @@ module "aws_es" {
 |------|---------|
 | aws | >= 2.69.0 |
 
+## Modules
+
+No Modules.
+
+## Resources
+
+| Name |
+|------|
+| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) |
+| [aws_cloudwatch_log_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) |
+| [aws_elasticsearch_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) |
+| [aws_iam_service_linked_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) |
+| [aws_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -139,6 +160,9 @@ module "aws_es" {
 | cognito\_options\_user\_pool\_id | ID of the Cognito User Pool to use | `string` | `""` | no |
 | create\_service\_link\_role | Create service link role for AWS Elasticsearch Service | `bool` | `true` | no |
 | domain\_endpoint\_options | Domain endpoint HTTP(S) related options. | `any` | `{}` | no |
+| domain\_endpoint\_options\_custom\_endpoint | Fully qualified domain for your custom endpoint | `string` | `null` | no |
+| domain\_endpoint\_options\_custom\_endpoint\_certificate\_arn | ACM certificate ARN for your custom endpoint | `string` | `null` | no |
+| domain\_endpoint\_options\_custom\_endpoint\_enabled | Whether to enable custom endpoint for the Elasticsearch domain | `bool` | `false` | no |
 | domain\_endpoint\_options\_enforce\_https | Whether or not to require HTTPS | `bool` | `false` | no |
 | domain\_endpoint\_options\_tls\_security\_policy | The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values: `Policy-Min-TLS-1-0-2019-07` and `Policy-Min-TLS-1-2-2019-07` | `string` | `"Policy-Min-TLS-1-2-2019-07"` | no |
 | domain\_name | Name of the domain | `string` | n/a | yes |

diff --git a/examples/advanced_security_options_master_user_arn/README.md b/examples/advanced_security_options_master_user_arn/README.md
@@ -23,7 +23,12 @@ module "aws_es" {
     }
   }
 
-  domain_endpoint_options_enforce_https = true
+  domain_endpoint_options = {
+    enforce_https                   = true
+    custom_endpoint_enabled         = true
+    custom_endpoint                 = "lgallardo.com"
+    custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:123456789101:certificate/abcd1234-ef11-abcd-1234-abcd1234efef"
+  }
 
   ebs_options = {
     ebs_enabled = "true"
@@ -48,7 +53,7 @@ module "aws_es" {
     region      = data.aws_region.current.name,
     account     = data.aws_caller_identity.current.account_id,
     domain_name = var.es_domain_name,
-    whitelist   = "${jsonencode(var.whitelist)}"
+    whitelist   = jsonencode(var.whitelist)
   })
 
   node_to_node_encryption_enabled                = "true"

diff --git a/examples/advanced_security_options_master_user_arn/main.tf b/examples/advanced_security_options_master_user_arn/main.tf
@@ -20,7 +20,12 @@ module "aws_es" {
     }
   }
 
-  domain_endpoint_options_enforce_https = true
+  domain_endpoint_options = {
+    enforce_https                   = true
+    custom_endpoint_enabled         = true
+    custom_endpoint                 = "lgallardo.com"
+    custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:123456789101:certificate/abcd1234-ef11-abcd-1234-abcd1234efef"
+  }
 
   ebs_options = {
     ebs_enabled = "true"

diff --git a/examples/advanced_security_options_master_user_name_pasword/README.md b/examples/advanced_security_options_master_user_name_pasword/README.md
@@ -26,7 +26,10 @@ module "aws_es" {
   }
 
   domain_endpoint_options = {
-    enforce_https = true
+    enforce_https                   = true
+    custom_endpoint_enabled         = true
+    custom_endpoint                 = "lgallardo.com"
+    custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:123456789101:certificate/abcd1234-ef11-abcd-1234-abcd1234efef"
   }
 
   ebs_options = {
@@ -52,7 +55,7 @@ module "aws_es" {
     region      = data.aws_region.current.name,
     account     = data.aws_caller_identity.current.account_id,
     domain_name = var.es_domain_name,
-    whitelist   = "${jsonencode(var.whitelist)}"
+    whitelist   = jsonencode(var.whitelist)
   })
 
   node_to_node_encryption_enabled                = "true"

diff --git a/examples/advanced_security_options_master_user_name_pasword/main.tf b/examples/advanced_security_options_master_user_name_pasword/main.tf
@@ -23,7 +23,10 @@ module "aws_es" {
   }
 
   domain_endpoint_options = {
-    enforce_https = true
+    enforce_https                   = true
+    custom_endpoint_enabled         = true
+    custom_endpoint                 = "lgallardo.com"
+    custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:123456789101:certificate/abcd1234-ef11-abcd-1234-abcd1234efef"
   }
 
   ebs_options = {
@@ -49,7 +52,7 @@ module "aws_es" {
     region      = data.aws_region.current.name,
     account     = data.aws_caller_identity.current.account_id,
     domain_name = var.es_domain_name,
-    whitelist   = jsonencode(var.whitelist)}
+    whitelist   = jsonencode(var.whitelist)
   })
 
   node_to_node_encryption_enabled                = "true"

diff --git a/main.tf b/main.tf
@@ -33,8 +33,11 @@ resource "aws_elasticsearch_domain" "es_domain" {
   dynamic "domain_endpoint_options" {
     for_each = local.domain_endpoint_options
     content {
-      enforce_https       = lookup(domain_endpoint_options.value, "enforce_https")
-      tls_security_policy = lookup(domain_endpoint_options.value, "tls_security_policy")
+      enforce_https                   = lookup(domain_endpoint_options.value, "enforce_https")
+      tls_security_policy             = lookup(domain_endpoint_options.value, "tls_security_policy")
+      custom_endpoint_enabled         = lookup(domain_endpoint_options.value, "custom_endpoint_enabled")
+      custom_endpoint                 = lookup(domain_endpoint_options.value, "custom_endpoint")
+      custom_endpoint_certificate_arn = lookup(domain_endpoint_options.value, "custom_endpoint_certificate_arn")
     }
   }
 
@@ -168,6 +171,11 @@ locals {
   domain_endpoint_options_default = {
     enforce_https       = lookup(var.domain_endpoint_options, "enforce_https", null) == null ? var.domain_endpoint_options_enforce_https : lookup(var.domain_endpoint_options, "enforce_https")
     tls_security_policy = lookup(var.domain_endpoint_options, "tls_security_policy", null) == null ? var.domain_endpoint_options_tls_security_policy : lookup(var.domain_endpoint_options, "tls_security_policy")
+
+    # custom_endpoint
+    custom_endpoint_enabled         = lookup(var.domain_endpoint_options, "custom_endpoint_enabled", null) == null ? var.domain_endpoint_options_custom_endpoint_enabled : lookup(var.domain_endpoint_options, "custom_endpoint_enabled")
+    custom_endpoint                 = lookup(var.domain_endpoint_options, "custom_endpoint", null) == null ? var.domain_endpoint_options_custom_endpoint : lookup(var.domain_endpoint_options, "custom_endpoint")
+    custom_endpoint_certificate_arn = lookup(var.domain_endpoint_options, "custom_endpoint_certificate_arn", null) == null ? var.domain_endpoint_options_custom_endpoint_certificate_arn : lookup(var.domain_endpoint_options, "custom_endpoint_certificate_arn")
   }
 
   domain_endpoint_options = lookup(local.domain_endpoint_options_default, "enforce_https", false) == false ? [] : [local.domain_endpoint_options_default]

diff --git a/variables.tf b/variables.tf
@@ -81,6 +81,24 @@ variable "domain_endpoint_options_tls_security_policy" {
   default     = "Policy-Min-TLS-1-2-2019-07"
 }
 
+variable "domain_endpoint_options_custom_endpoint_enabled" {
+  description = "Whether to enable custom endpoint for the Elasticsearch domain"
+  type        = bool
+  default     = false
+}
+
+variable "domain_endpoint_options_custom_endpoint" {
+  description = "Fully qualified domain for your custom endpoint"
+  type        = string
+  default     = null
+}
+
+variable "domain_endpoint_options_custom_endpoint_certificate_arn" {
+  description = "ACM certificate ARN for your custom endpoint"
+  type        = string
+  default     = null
+}
+
 # Advanced options
 variable "advanced_options" {
   description = "Key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply"