From 208a62470b14985c97250c355a740fd793e9d1ad Mon Sep 17 00:00:00 2001 From: abhinavkumarsph Date: Tue, 21 May 2024 10:31:41 +0800 Subject: [PATCH 1/5] fix: option to disable index slow logs --- README.md | 4 +--- cloudwatch.tf | 2 +- examples/opensearch/main.tf | 9 +++++++++ locals.tf | 11 ----------- main.tf | 2 +- variables.tf | 10 +++++++++- 6 files changed, 21 insertions(+), 17 deletions(-) delete mode 100644 locals.tf diff --git a/README.md b/README.md index 563b732..062a2e4 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,5 @@ # Opensearch - ## Requirements | Name | Version | @@ -75,7 +74,7 @@ No modules. | [instance\_count](#input\_instance\_count) | The number of dedicated hot nodes in the cluster. | `number` | `3` | no | | [instance\_type](#input\_instance\_type) | The type of EC2 instances to run for each hot node. A list of available instance types can you find at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing | `string` | `"t3.small.search"` | no | | [internal\_user\_database\_enabled](#input\_internal\_user\_database\_enabled) | Whether the internal user database is enabled | `bool` | `false` | no | -| [log\_publishing\_options](#input\_log\_publishing\_options) | Configuration block for publishing slow and application logs to CloudWatch Logs. |
map(object({
enabled = optional(bool, true)
cloudwatch_log_group_arn = optional(string, "")
}))
| `{}` | no | +| [log\_publishing\_options](#input\_log\_publishing\_options) | Configuration block for publishing slow and application logs to CloudWatch Logs. |
map(object({
enabled = optional(bool, true)
cloudwatch_log_group_arn = optional(string, "")
}))
|
{
"audit_logs": {
"enabled": false
},
"index_slow_logs": {
"enabled": true
}
}
| no | | [maintenance\_schedule](#input\_maintenance\_schedule) | configuration for auto tune maintenance schedule | `map(any)` | `{}` | no | | [master\_instance\_count](#input\_master\_instance\_count) | The number of dedicated master nodes in the cluster. | `number` | `3` | no | | [master\_instance\_enabled](#input\_master\_instance\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no | @@ -120,4 +119,3 @@ No modules. | [vpc\_endpoint\_dns\_names](#output\_vpc\_endpoint\_dns\_names) | VPC endpoint DNS names | | [vpc\_endpoint\_endpoint](#output\_vpc\_endpoint\_endpoint) | The connection endpoint ID for connecting to the domain | | [vpc\_endpoint\_id](#output\_vpc\_endpoint\_id) | The unique identifier of the endpoint | - diff --git a/cloudwatch.tf b/cloudwatch.tf index 5dea72c..6433a8e 100644 --- a/cloudwatch.tf +++ b/cloudwatch.tf @@ -5,7 +5,7 @@ locals { resource "aws_cloudwatch_log_group" "aos" { #checkov:skip=CKV_AWS_158:rely on aws default encryption #checkov:skip=CKV_AWS_338:Ensure CloudWatch log groups retains logs for at least 1 year - for_each = { for k, v in local.log_publishing_options : k => v if v.enabled } + for_each = { for k, v in var.log_publishing_options : k => v if v.enabled && v.cloudwatch_log_group_arn == "" } name = "${local.log_prefix}/${each.key}" retention_in_days = var.cloudwatch_log_group_retention_days diff --git a/examples/opensearch/main.tf b/examples/opensearch/main.tf index 2c192b8..9b679d2 100644 --- a/examples/opensearch/main.tf +++ b/examples/opensearch/main.tf @@ -57,6 +57,15 @@ module "opensearch" { encrypt_at_rest_enabled = true encrypt_kms_key_id = aws_kms_key.objects.id + log_publishing_options = { + audit_logs = { + enabled = true + } + index_slow_logs = { + enabled = false + } + } + tags = { Domain = "TestDomain" Name = var.domain_name diff --git a/locals.tf b/locals.tf deleted file mode 100644 index 10aa4e1..0000000 --- a/locals.tf +++ /dev/null 
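Review bot: The new cloudwatch.tf filter skips log-group creation whenever `cloudwatch_log_group_arn` is set, but the main.tf `dynamic "log_publishing_options"` filter changed in the same commit still selects every enabled entry, so the two for_each maps no longer share the same keys. If the content block (it continues outside the main.tf hunk) resolves the ARN with `aws_cloudwatch_log_group.aos[log_publishing_options.key]`, any entry with a caller-supplied ARN fails at plan time; it needs a fallback such as `cloudwatch_log_group_arn = log_publishing_options.value.cloudwatch_log_group_arn != "" ? log_publishing_options.value.cloudwatch_log_group_arn : aws_cloudwatch_log_group.aos[log_publishing_options.key].arn`. Since the two filters now differ on purpose, a comment above the cloudwatch.tf for_each would save the next reader a trip: `# a caller-supplied ARN means the group is managed elsewhere; create one only when none is given`.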
@@ -1,11 +0,0 @@ -locals { - log_publishing_options_default = { - audit_logs = { - enabled = false - } - index_slow_logs = { - enabled = true - } - } - log_publishing_options = merge(local.log_publishing_options_default, var.log_publishing_options) -} diff --git a/main.tf b/main.tf index cba3482..17f4736 100644 --- a/main.tf +++ b/main.tf @@ -91,7 +91,7 @@ resource "aws_opensearch_domain" "this" { } dynamic "log_publishing_options" { - for_each = { for k, v in local.log_publishing_options : k => v if v.enabled } + for_each = { for k, v in var.log_publishing_options : k => v if v.enabled } content { log_type = upper(log_publishing_options.key) enabled = log_publishing_options.value.enabled diff --git a/variables.tf b/variables.tf index 8325f90..eda191d 100644 --- a/variables.tf +++ b/variables.tf @@ -369,7 +369,15 @@ variable "log_publishing_options" { enabled = optional(bool, true) cloudwatch_log_group_arn = optional(string, "") })) - default = {} + + default = { + audit_logs = { + enabled = false + } + index_slow_logs = { + enabled = true + } + } } variable "cloudwatch_log_group_retention_days" { From c3403533c73e3bab1cd1c6c017952398264309de Mon Sep 17 00:00:00 2001 From: abhinavkumarsph Date: Tue, 21 May 2024 10:48:18 +0800 Subject: [PATCH 2/5] chore: tf lint --- examples/opensearch/data.tf | 12 ------------ main.tf | 4 ++-- 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/examples/opensearch/data.tf b/examples/opensearch/data.tf index dda75ef..3793e14 100644 --- a/examples/opensearch/data.tf +++ b/examples/opensearch/data.tf @@ -4,18 +4,6 @@ data "aws_caller_identity" "current" { data "aws_region" "current" { } -data "aws_cloudformation_export" "vpc" { - name = var.cf_export_vpc -} - -data "aws_cloudformation_export" "pub_subnet_a" { - name = var.cf_export_pub_subnet_a -} - -data "aws_cloudformation_export" "pub_subnet_b" { - name = var.cf_export_pub_subnet_b -} - data "aws_cloudformation_export" "web_subnet_a" { name = var.cf_export_web_subnet_a } 
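Review bot: Moving the defaults from the deleted `merge()` in locals.tf into the variable default changes the module's contract: previously a caller that set only `audit_logs` still had `index_slow_logs` enabled through the merge, whereas now any value passed replaces the whole map, so index slow logs are silently disabled unless the caller re-lists them. The README row regenerated in this commit shows the new default but not this behaviour; the variable description should say `Any value supplied replaces the default map entirely, so list every log type that should stay enabled.` If the old merge behaviour was intended, keep a local that merges `var.log_publishing_options` over the defaults and point both for_each expressions (cloudwatch.tf and main.tf) back at it instead.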
diff --git a/main.tf b/main.tf index 17f4736..73b58b4 100644 --- a/main.tf +++ b/main.tf @@ -124,8 +124,8 @@ resource "aws_opensearch_domain" "this" { dynamic "window_start_time" { for_each = var.enable_off_peak_window_options ? [1] : [] content { - hours = lookup(var.off_peak_window_options, "hours") - minutes = lookup(var.off_peak_window_options, "minutes") + hours = var.off_peak_window_options["hours"] + minutes = var.off_peak_window_options["minutes"] } } } From fc9414adc26ef22d2ece48d62b9bf264725edea8 Mon Sep 17 00:00:00 2001 From: abhinavkumarsph Date: Tue, 21 May 2024 10:52:41 +0800 Subject: [PATCH 3/5] chore: tf lint --- examples/opensearch/iam.tf | 23 --------------- examples/opensearch/variables.tf | 49 -------------------------------- 2 files changed, 72 deletions(-) diff --git a/examples/opensearch/iam.tf b/examples/opensearch/iam.tf index d7a22bf..05f3ba8 100644 --- a/examples/opensearch/iam.tf +++ b/examples/opensearch/iam.tf @@ -1,26 +1,3 @@ -data "aws_iam_policy_document" "os_access_policy" { - statement { - sid = "Allow-Whitelisted-IPs" - - effect = "Allow" - - principals { - type = "*" - identifiers = ["*"] - } - - actions = ["es:*"] - - resources = ["arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.domain_name}/*"] - - condition { - test = "IpAddress" - variable = "aws:SourcedIp" - values = var.whitelist_ips - } - } -} - data "aws_iam_policy_document" "log_publish_policy" { statement { sid = "OS-Log-Publish-Policy" diff --git a/examples/opensearch/variables.tf b/examples/opensearch/variables.tf index 9b01801..681599c 100644 --- a/examples/opensearch/variables.tf +++ b/examples/opensearch/variables.tf 
@@ -4,12 +4,6 @@ variable "domain_name" { default = "opensearch-test-cluster" } -variable "whitelist_ips" { - description = "Whitelisted IPs which needed access to OpenSearch Cluster" - type = list(string) - default = ["202.27.16.0/20"] -} - variable "engine_version" { description = "OpenSearch engine version" type = string @@ -28,36 +22,6 @@ variable "instance_type" { default = "t3.small.search" } -variable "cf_export_vpc" { - description = "cf_export_vpc" - type = string - default = "vpcID-ap-southeast-1" -} - -variable "cf_export_db_subnet_a" { - description = "cf_export_db_subnet_a" - type = string - default = "subnetIDDBA1-ap-southeast-1" -} - -variable "cf_export_db_subnet_b" { - description = "cf_export_db_subnet_b" - type = string - default = "subnetIDDBB1-ap-southeast-1" -} - -variable "cf_export_app_subnet_a" { - description = "cf_export_app_subnet_a" - type = string - default = "subnetIDAppA-ap-southeast-1" -} - -variable "cf_export_app_subnet_b" { - description = "cf_export_app_subnet_b" - type = string - default = "subnetIDAppB-ap-southeast-1" -} - variable "cf_export_web_subnet_a" { description = "cf_export_web_subnet_a" type = string @@ -70,19 +34,6 @@ variable "cf_export_web_subnet_b" { default = "subnetIDWebB-ap-southeast-1" } -variable "cf_export_pub_subnet_a" { - description = "cf_export_pub_subnet_a" - type = string - default = "subnetIDPublicA-ap-southeast-1" -} - -variable "cf_export_pub_subnet_b" { - description = "cf_export_pub_subnet_b" - type = string - default = "subnetIDPublicB-ap-southeast-1" -} - - variable "cf_export_app_sg_id" { description = "app security group id" type = string From 54e7c66c35ef16cf24c2f90d0caa07fe2d88e133 Mon Sep 17 00:00:00 2001 From: abhinavkumarsph Date: Tue, 21 May 2024 10:55:15 +0800 Subject: [PATCH 4/5] chore: tf lint --- examples/opensearch/data.tf | 6 ------ examples/opensearch/main.tf | 1 + 2 files changed, 1 insertion(+), 6 deletions(-) 
diff --git a/examples/opensearch/data.tf b/examples/opensearch/data.tf index 3793e14..1641bb9 100644 --- a/examples/opensearch/data.tf +++ b/examples/opensearch/data.tf @@ -1,9 +1,3 @@ -data "aws_caller_identity" "current" { -} - -data "aws_region" "current" { -} - data "aws_cloudformation_export" "web_subnet_a" { name = var.cf_export_web_subnet_a } diff --git a/examples/opensearch/main.tf b/examples/opensearch/main.tf index 9b679d2..d476ea3 100644 --- a/examples/opensearch/main.tf +++ b/examples/opensearch/main.tf @@ -21,6 +21,7 @@ resource "aws_cloudwatch_log_resource_policy" "opensearch" { } module "opensearch" { + #checkov:skip=CKV_AWS_248:Ensure that Elasticsearch is not using the default Security Group source = "../../" domain_name = var.domain_name From 18344d5ee61193086fa48d634a489e0cb2261f34 Mon Sep 17 00:00:00 2001 From: abhinavkumarsph Date: Tue, 21 May 2024 10:59:18 +0800 Subject: [PATCH 5/5] chore: tf lint --- examples/opensearch/main.tf | 1 - main.tf | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/opensearch/main.tf b/examples/opensearch/main.tf index d476ea3..9b679d2 100644 --- a/examples/opensearch/main.tf +++ b/examples/opensearch/main.tf @@ -21,7 +21,6 @@ resource "aws_cloudwatch_log_resource_policy" "opensearch" { } module "opensearch" { - #checkov:skip=CKV_AWS_248:Ensure that Elasticsearch is not using the default Security Group source = "../../" domain_name = var.domain_name diff --git a/main.tf b/main.tf index 73b58b4..e724f52 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,6 @@ resource "aws_opensearch_domain" "this" { #checkov:skip=CKV2_AWS_52 + #checkov:skip=CKV_AWS_248:Ensure that Elasticsearch is not using the default Security Group #checkov:skip=CKV_AWS_317:Ensure Elasticsearch Domain Audit Logging is enabled # service linked role must exist and default cloudwatch log_group created. depends_on = [
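Review bot: The `#checkov:skip=CKV_AWS_248` moved onto the module's `aws_opensearch_domain` resource suppresses the default-security-group finding for every consumer of the module, not only the example that triggered it in the previous commit, and its justification text merely repeats the check's title. If the finding is a false positive because security group IDs come from the caller, state that as the reason, as the file's other skips do (e.g. CKV_AWS_158 gives "rely on aws default encryption"): `#checkov:skip=CKV_AWS_248:security group ids are supplied by the caller, never the VPC default group`. If the module can in fact fall back to the VPC default group, the skip hides a real exposure and a variable validation requiring a non-empty security group list would be the better fix. The resource block continues outside the hunk, so how its security groups are populated is not visible here.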