diff --git a/services/terraform/dev/main.tf b/services/terraform/dev/main.tf
--- a/services/terraform/dev/main.tf
+++ b/services/terraform/dev/main.tf
@@ -31,6 +31,7 @@
 dynamic "endpoints" {
 for_each = local.aws_settings.override_endpoint[*]
 content {
+ opensearch = endpoints.value
 dynamodb = endpoints.value
 s3 = endpoints.value
 secretsmanager = endpoints.value
@@ -44,4 +45,5 @@
 module "shared" {
 source = "../modules/shared"
 is_dev = true
+ vpc = null
 }
diff --git a/services/terraform/modules/shared/opensearch.tf b/services/terraform/modules/shared/opensearch.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/modules/shared/opensearch.tf
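Review bot: `vpc = null` in the dev `module "shared"` call names an input that nothing in this diff declares; the module's variables.tf hunk adds `vpc_id`, `cidr_block` and `subnet_ids`, all without a `default`, so in dev `terraform validate` should fail with an unsupported argument plus three missing required variables. The straightforward fix is to pass the declared names, `vpc_id = null`, `cidr_block = null`, `subnet_ids = []`, or to give those variables `default = null` so dev can omit them. Even then, opensearch.tf creates `aws_opensearch_domain.identity-search` unconditionally with `vpc_options { subnet_ids = var.subnet_ids }`, so dev presumably also needs either a `count = var.is_dev ? 0 : 1` on the domain or a non-VPC branch — worth confirming against how dev (which adds an `opensearch` endpoint override in the first hunk) is expected to run.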
@@ -0,0 +1,69 @@
+variable "domain" {
+ default = "identity-search-domain"
+}
+
+resource "aws_security_group" "identity-search" {
+ count = var.is_dev ? 0 : 1
+ name = "${var.vpc_id}-opensearch-${var.domain}"
+ description = "Managed by Terraform"
+ vpc_id = var.is_dev ? null : var.vpc_id
+
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+
+ cidr_blocks = ["0.0.0.0/0"]
+ security_groups = ["${aws_security_group.search_index_lambda.id}"]
+ }
+}
+
+resource "aws_opensearch_domain" "identity-search" {
+ domain_name = var.domain
+ engine_version = "OpenSearch_1.0"
+
+ cluster_config {
+ instance_type = "t3.medium.search"
+ }
+
+ vpc_options {
+ subnet_ids = var.subnet_ids
+
+ security_group_ids = var.is_dev ? [] : [aws_security_group.identity-search[0].id]
+ }
+
+ # domain_endpoint_options {
+ # custom_endpoint_enabled = true
+ # custom_endpoint = "opensearch.identity-search.com"
+ # }
+
+ advanced_options = {
+ "rest.action.multi.allow_explicit_index" = "true"
+ }
+
+ ebs_options {
+ ebs_enabled = true
+ volume_size = 10
+ }
+}
+
+# data "aws_iam_policy_document" "identity-search" {
+# statement {
+# effect = "Allow"
+#
+# principals {
+# type = "*"
+# identifiers = ["*"]
+# }
+#
+# actions = ["es:*"]
+# resources = ["arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.domain}/*"]
+# # resources = ["${aws_opensearch_domain.identity-search.arn}"]
+#
+# condition {
+# test = "IpAddress"
+# variable = "aws:SourceIp"
+# values = ["66.193.100.22/32"]
+# }
+# }
+# }
diff --git a/services/terraform/modules/shared/outputs.tf b/services/terraform/modules/shared/outputs.tf
--- a/services/terraform/modules/shared/outputs.tf
+++ b/services/terraform/modules/shared/outputs.tf
@@ -14,3 +14,10 @@
 table.name => table
 }
 }
+<<<<<<< Updated upstream
+=======
+
+output "opensearch_domain_identity" {
+ value = aws_opensearch_domain.identity-search
+}
+>>>>>>> Stashed changes
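Review bot: The `ingress` rule on `aws_security_group.identity-search` combines `cidr_blocks = ["0.0.0.0/0"]` with `security_groups = [aws_security_group.search_index_lambda.id]`; the CIDR entry admits 443 from any address that can route into the VPC, so the restriction to the Lambda's security group is meaningless and the `cidr_blocks` line should go. The domain itself is also created with no `encrypt_at_rest`, `node_to_node_encryption` or `domain_endpoint_options` block (the latter is commented out), and the provider leaves at-rest and node-to-node encryption disabled when the blocks are absent — for an identity index those should be enabled explicitly with a minimum TLS 1.2 policy. `aws_security_group.search_index_lambda` is referenced from inside the module but is not declared in any module file in this diff; unless it lives in another module file, this will not resolve. Smaller points: the `"${...}"` wrapper around the SG id is pre-0.12 interpolation syntax, and `engine_version = "OpenSearch_1.0"` pins the oldest OpenSearch release.

```hcl
resource "aws_security_group" "identity-search" {
  # … unchanged: count, name, description, vpc_id …

  ingress {
    from_port = 443
    to_port   = 443
    protocol  = "tcp"
    # Only the indexing Lambda's SG may reach the domain; no CIDR-wide rule.
    security_groups = [aws_security_group.search_index_lambda.id]
  }
}

resource "aws_opensearch_domain" "identity-search" {
  # … unchanged: domain_name, engine_version, cluster_config, vpc_options …

  encrypt_at_rest {
    enabled = true
  }

  node_to_node_encryption {
    enabled = true
  }

  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  # … unchanged: advanced_options, ebs_options …
}
```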
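Review bot: The outputs.tf hunk commits unresolved merge-conflict markers — `<<<<<<< Updated upstream`, `=======` and `>>>>>>> Stashed changes` are added as file content — so the module no longer parses as HCL and every plan using it fails until those three lines are removed. Separately, the new output exposes the entire `aws_opensearch_domain.identity-search` object while the only visible consumer (remote/aws_iam.tf) reads just `.domain_name`; exporting the specific attributes, e.g. `value = aws_opensearch_domain.identity-search.domain_name` plus an `arn`/`endpoint` output as needed, keeps the module interface narrow and avoids leaking future sensitive attributes through the resource object.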
diff --git a/services/terraform/modules/shared/variables.tf b/services/terraform/modules/shared/variables.tf
--- a/services/terraform/modules/shared/variables.tf
+++ b/services/terraform/modules/shared/variables.tf
@@ -8,3 +8,9 @@
 default = ""
 description = "Suffix added to all bucket names"
 }
+
+variable "vpc_id" {}
+
+variable "cidr_block" {}
+
+variable "subnet_ids" {}
diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -194,3 +194,8 @@
 aws_iam_policy.manage_reports_ddb.arn
 ]
 }
+
+resource "aws_opensearch_domain_policy" "identity-search" {
+ domain_name = module.shared.opensearch_domain_identity.domain_name
+ access_policies = data.aws_iam_policy_document.identity-search.json
+}
diff --git a/services/terraform/remote/main.tf b/services/terraform/remote/main.tf
--- a/services/terraform/remote/main.tf
+++ b/services/terraform/remote/main.tf
@@ -51,6 +51,13 @@
 module "shared" {
 source = "../modules/shared"
 bucket_name_suffix = local.s3_bucket_name_suffix
+
+ vpc_id = aws_vpc.default.id
+ cidr_block = aws_vpc.default.cidr_block
+ iam_role_arn = aws_iam_role.search_index_lambda_role.arn
+ subnet_ids = [
+ aws_subnet.public_a.id,
+ ]
 }
 
 check "workspace_check" {
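Review bot: `variable "vpc_id" {}`, `variable "cidr_block" {}` and `variable "subnet_ids" {}` carry no `type`, `description` or `default`, which makes all three required for every caller while the dev call in this same diff passes none of them (it passes `vpc = null` instead). Typing them and defaulting to null/empty lets dev omit them and catches a wrong value type at plan time. `cidr_block` is not read by any module file in this diff, and remote/main.tf passes an `iam_role_arn` that this hunk does not declare — unless both are handled above the hunk, one should be dropped and the other declared.

```hcl
variable "vpc_id" {
  type        = string
  default     = null
  description = "VPC for the OpenSearch domain and its security group; null when the module runs without a VPC (dev)."
}

variable "cidr_block" {
  type        = string
  default     = null
  description = "CIDR of that VPC. Not consumed by any module file yet."
}

variable "subnet_ids" {
  type        = list(string)
  default     = []
  description = "Subnets for the domain's vpc_options."
}
```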
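Review bot: `aws_opensearch_domain_policy.identity-search` references `data.aws_iam_policy_document.identity-search`, which is not defined in any hunk of this diff; the only definition of that name is the commented-out block in opensearch.tf, so unless it exists elsewhere in remote/ the plan fails on an undeclared data source. If the intent is to uncomment that block, note that it grants `es:*` to `principals { type = "*" }` gated only by an `aws:SourceIp` condition, and IP-based conditions are not honoured for domains with `vpc_options` set (AWS rejects IP-based policies on VPC domains) — the effective result would be either a rejected policy update or an unrestricted allow. Scope the policy to the indexing role instead, e.g. `principals { type = "AWS" identifiers = [aws_iam_role.search_index_lambda_role.arn] }` with `actions = ["es:ESHttpGet", "es:ESHttpPut", "es:ESHttpPost"]`. The resource that closes at the top of this hunk begins outside it.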
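Review bot: `subnet_ids = [aws_subnet.public_a.id]` places the OpenSearch domain in a public subnet and in a single AZ; a VPC domain only receives private ENIs, but a public subnet together with the module's `0.0.0.0/0` ingress rule widens who can reach port 443, and an identity index belongs in a private subnet (none is visible in this diff, so one may need to be added). `iam_role_arn = aws_iam_role.search_index_lambda_role.arn` is passed but no matching variable appears in the module's variables.tf hunk, which `terraform validate` rejects as an unsupported argument unless it is declared above that hunk; `cidr_block` is passed but no module file in this diff reads it. Consider `subnet_ids = [aws_subnet.private_a.id]` (or equivalent) and dropping `cidr_block` until the module uses it.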