Amazon Elasticsearch

Deploy and manage Amazon Elasticsearch Service

View on GitHub

Reference

Inputs

• advanced_options — Key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes).

• advanced_security_options — Enable fine grain access control

• alarm_sns_topic_arns — ARNs of the SNS topics associated with the CloudWatch alarms for the Elasticsearch cluster.

• allow_connections_from_cidr_blocks — The list of network CIDR blocks to allow network access to Aurora from. One of allow_connections_from_cidr_blocks or allow_connections_from_security_groups must be specified for the database to be reachable.

• allow_connections_from_security_groups — The list of IDs or Security Groups to allow network access to Aurora from. All security groups must either be in the VPC specified by vpc_id, or a peered VPC with the VPC specified by vpc_id. One of allow_connections_from_cidr_blocks or allow_connections_from_security_groups must be specified for the database to be reachable.

• automated_snapshot_start_hour — Hour during which the service takes an automated daily snapshot of the indices in the domain. This setting has no effect on Elasticsearch 5.3 and later.

• availability_zone_count — Number of Availability Zones for the domain to use with zone_awareness_enabled. Defaults to 2. Valid values: 2 or 3.

• create_service_linked_role — Whether or not the Service Linked Role for Elasticsearch should be created within this module. Normally the service linked role is created automatically by AWS when creating the Elasticsearch domain in the web console, but API does not implement this logic. You can either have AWS automatically manage this by creating a domain manually in the console, or manage it in terraform using the landing zone modules or this variable.

• custom_endpoint — Fully qualified domain for your custom endpoint.

• custom_endpoint_certificate_arn — ACM certificate ARN for your custom endpoint.

• custom_endpoint_enabled — Whether to enable custom endpoint for the Elasticsearch domain.

• custom_tags — A map of custom tags to apply to the ElasticSearch Domain. The key is the tag name and the value is the tag value.

• dedicated_master_count — The number of dedicated master nodes to run. We recommend setting this to 3 for production deployments. Only used if dedicated_master_enabled is true.

• dedicated_master_enabled — Whether to deploy separate nodes specifically for performing cluster management tasks (e.g. tracking number of nodes, monitoring health, replicating changes). This increases the stability of large clusters and is required for clusters with more than 10 nodes.

• dedicated_master_type — The instance type for the dedicated master nodes. These nodes can use a different instance type than the rest of the cluster. Only used if dedicated_master_enabled is true.

• domain_name — The name of the Elasticsearch cluster. It must be unique to your account and region, start with a lowercase letter, contain between 3 and 28 characters, and contain only lowercase letters a-z, the numbers 0-9, and the hyphen (-).

• ebs_enabled — Set to false to disable EBS volumes. This is useful for nodes that have optimized instance storage, like hosts running the i3 instance type.

• elasticsearch_version — The version of Elasticsearch to deploy.

• enable_cloudwatch_alarms — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arns.

• enable_encryption_at_rest — False by default because encryption at rest is not included in the free tier. When true, the Elasticsearch domain storage will be encrypted at rest using the KMS key described with encryption_kms_key_id. We strongly recommend configuring a custom KMS key instead of using the shared service key for a better security posture when configuring encryption at rest.

• enable_node_to_node_encryption — Whether to enable node-to-node encryption.

• encryption_kms_key_id — The ID of the KMS key to use to encrypt the Elasticsearch domain storage. Only used if enable_encryption_at_rest. When null, uses the aws/es service KMS key.

• iam_principal_arns — The ARNS of the IAM users and roles to which to allow full access to the Elasticsearch cluster. Setting this to a restricted list is useful when using a public access cluster.

• instance_count — The number of instances to deploy in the Elasticsearch cluster. This must be an even number if zone_awareness_enabled is true.

• instance_type — The instance type to use for Elasticsearch data nodes (e.g., t2.small.elasticsearch, or m4.large.elasticsearch). For supported instance types see https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html.

• internal_user_database_enabled — Whether the internal user database is enabled. Enable this to use master accounts. Only used if advanced_security_options is set to true.

• iops — The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Must be between 1000 and 4000. Applicable only if volume_type is io1.

• is_public — Whether the cluster is publicly accessible.

• master_user_arn — ARN of the master user. Only used if advanced_security_options and internal_user_database_enabled are set to true.

• master_user_name — Master account user name. Only used if advanced_security_options and internal_user_database_enabled are set to true.

• master_user_password — Master account user password. Only used if advanced_security_options and internal_user_database_enabled are set to true. WARNING: this password will be stored in Terraform state.

• subnet_ids — List of VPC Subnet IDs for the Elasticsearch domain endpoints to be created in. If zone_awareness_enabled is true, the first 2 or 3 provided subnet ids are used, depending on availability_zone_count. Otherwise only the first one is used.

• tls_security_policy — The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values are Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07. Terraform performs drift detection if this is configured.

• update_timeout — How long to wait for updates to the ES cluster before timing out and reporting an error.

• volume_size — The size in GiB of the EBS volume for each node in the cluster (e.g. 10, or 512). For volume size limits see https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-limits.html.

• volume_type — The type of EBS volumes to use in the cluster. Must be one of: standard, gp2, io1, sc1, or st1. For a comparison of EBS volume types, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html.

• vpc_id — The id of the VPC to deploy into. It must be in the same region as the Elasticsearch domain and its tenancy must be set to Default. If zone_awareness_enabled is false, the Elasticsearch cluster will have an endpoint in one subnet of the VPC; otherwise it will have endpoints in two subnets.

• zone_awareness_enabled — Whether to deploy the Elasticsearch nodes across two Availability Zones instead of one. Note that if you enable this, the instance_count MUST be an even number.

Outputs

• cluster_arn — The ARN of the Elasticsearch cluster created by this module.

• cluster_domain_id — The domain ID of the Elasticsearch cluster created by this module.

• cluster_domain_name — The name of the Elasticsearch domain.

• cluster_endpoint — The endpoint of the Elasticsearch cluster created by this module.

• cluster_security_group_id — If the domain was created inside a VPC, the ID of the security group created by this module for securing the Elasticsearch cluster.

• kibana_endpoint — Domain-specific endpoint for Kibana without https scheme.