cyberlabrs
terraform-aws-opensearch
HCL

Terraform module to provision an OpenSearch cluster with SAML and Cognito authentication.

Last updated Jan 21, 2026
33
Stars
12
Forks
2
Issues
0
Stars/day
Attention Score
9
Language breakdown
HCL 100.0%
Files click to expand
README

AWS OpenSearch Terraform Module

Requirements

No requirements.

Providers

| Name | Version | |------|---------| | aws | >= 4.52.0 | | random | >= 3.4.3 | | time | >= 0.9.1 |

Usage

OpenSearch with basic setup with domain level access policy

module "opensearch" {
  source  = "cyberlabrs/opensearch/aws"
  name    = "basic-os"
  region  = "eu-central-1"

access_policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Principal" : { "AWS" : ["arn:aws:iam::acc-number:role/xxx"] }, "Action" : "es:*", "Resource" : "arn:aws:es:region:acc-number:domain/domain-name/*" } ] })

}

OpenSearch with basic setup with fine grained access control with default policy with internal_user enabled

module "opensearch" {
  source                                         = "cyberlabrs/opensearch/aws"
  name                                           = "basic-os"
  region                                         = "eu-central-1"
  advancedsecurityoptions_enabled              = true
  defaultpolicyforfinegrainedaccesscontrol = true
  internaluserdatabase_enabled                 = true
  nodetonode_encryption                        = true
  encryptatrest = {
    enabled = true
  }
}

OpenSearch with basic setup with fine grained access control with default policy with internal_user enabled inside VPC

module "opensearch" {
  source                                         = "cyberlabrs/opensearch/aws"
  name                                           = "vpc-os"
  region                                         = "eu-central-1"
  advancedsecurityoptions_enabled              = true
  defaultpolicyforfinegrainedaccesscontrol = true
  internaluserdatabase_enabled                 = true
  inside_vpc                                     = true
  vpc                                            = "vpc-xxxxxxxx"
  subnet_ids                                     = ["subnet-1xxx", "subnet-2xxx"]
  allowed_cidrs                                  = ["xxxxxx"]
  nodetonode_encryption                        = true
  encryptatrest = {
    enabled = true
  }
}

OpenSearch with basic setup with fine grained access control with Cognito authentication (need to go to AWS Cognito User Pool to create a new user to login to Dashboard)

module "opensearch" {
  source                                         = "cyberlabrs/opensearch/aws"
  name                                           = "basic-os"
  region                                         = "eu-central-1"
  advancedsecurityoptions_enabled              = true
  defaultpolicyforfinegrainedaccesscontrol = true
  cognito_enabled                                = true
  nodetonode_encryption                        = true
  encryptatrest = {
    enabled = true
  }

# custom endpoint if needed custom_endpoint = "xxxxxx" customendpointenabled = true customendpointcertificate_arn = "xxxx"

# route53 zone if needed zoneid = "zoneid" }

Modules

No modules.

Resources

| Name | Type | |------|------| | awscognitoidentitypool.identity_pool | resource | | awscognitoidentitypoolrolesattachment.roles_attachment | resource | | awscognitouserpool.user_pool | resource | | awscognitouserpooldomain.userpooldomain | resource | | awsiampolicy.cognitoespolicy | resource | | awsiamrole.authenticated | resource | | awsiamrole.cognitoesrole | resource | | awsiam_role.unauthenticated | resource | | awsiamrolepolicy.unauthenticated | resource | | awsiamrolepolicyattachment.cognitoesattach | resource | | awsiamservicelinkedrole.es | resource | | awsopensearchdomain.opensearch | resource | | awsroute53record.domain_record | resource | | awssecuritygroup.es | resource | | randompassword.password | resource | | awsssmparameter.opensearchmasteruser | resource | | timesleep.role_dependency | resource | | awscalleridentity.current | data source | | awsiampolicydocument.esassumepolicy | data source | | awssubnet.selected | data source | | awsvpc.selected | data source |

Inputs

| Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\policy | Access policy to OpenSearch. If defaultpolicyforfinegrainedaccess_control is enabled, this policy would be overwritten. | string | null | no | | advanced\_options | Key-value string pairs to specify advanced configuration options. | map(string) | {} | no | | advanced\security\options\_enabled | If advanced security options is enabled. | bool | false | no | | allowed\_cidrs | Allowed cidrs in security group. | list(string) | [] | no | | aws\service\name\for\linked\_role | AWS service name for linked role. | string | "opensearchservice.amazonaws.com" | no | | cluster\_config | Auto tune options from documentation. | any | {} | no | | cognito\_enabled | Cognito authentification enabled for OpenSearch. | bool | false | no | | cognito\role\arn | Cognito role ARN. We need to enable advancedsecurityoptions_enabled. | string | "" | no | | create\a\record | Create A record for custom domain. | bool | true | no | | create\linked\role | Should linked role be created | bool | true | no | | custom\_endpoint | Custom endpoint https. | string | "" | no | | custom\endpoint\certificate\_arn | Custom endpoint certificate. | string | null | no | | custom\endpoint\enabled | If custom endpoint is enabled. | bool | false | no | | default\policy\for\fine\grained\access\control | Default policy for fine grained access control would be created. | bool | false | no | | domain\endpoint\options\enforce\https | Enforce https. | bool | true | no | | ebs\_enabled | EBS enabled | bool | true | no | | encrypt\at\rest | Encrypt at rest. | any | {} | no | | engine\version | Engine version of elasticsearch. | string | "OpenSearch1.3" | no | | identity\pool\id | Cognito identity pool id. | string | "" | no | | implicit\create\cognito | Cognito will be created inside module. If this is not enables and we want cognito authentication, we need to create cognito resources outside of module. | bool | true | no | | inside\_vpc | OpenSearch inside VPC. | bool | false | no | | instance\_type | Instance type. | string | "t3.small.search" | no | | internal\user\database\_enabled | Internal user database enabled. This should be enabled if we want authentication with master username and master password. | bool | false | no | | iops | Baseline input/output (I/O) performance of EBS volumes attached to data nodes. | number | null | no | | log\publishing\options | Encrypt at rest. | any | {} | no | | master\_password | Master password for accessing OpenSearch. If not specified password will be randomly generated. Password will be stored in AWS System Manager -> Parameter Store | string | "" | no | | master\user\arn | Master user ARN for accessing OpenSearch. If this is set, advancedsecurityoptionsenabled must be set to true and internaluserdatabaseenabled should be set to false. | string | "" | no | | master\user\name | Master username for accessing OpenSearch. | string | "admin" | no | | name | Name of OpenSearch domain and suffix of all other resources. | string | n/a | yes | | node\to\node\_encryption | Is node to node encryption enabled. | bool | false | no | | region | AWS region. | string | n/a | yes | | sg\_ids | Use any pre-existing SGs. | string | "" | no | | default\security\group\_name | Default security group name. | string | "" | no | | subnet\_ids | CIDS blocks of subnets. | list(string) | [] | no | | tags | Tags. | map(any) | {} | no | | throughput | Specifies the throughput. | number | null | no | | tls\security\policy | TLS security policy. | string | "Policy-Min-TLS-1-2-2019-07" | no | | user\pool\id | Cognito user pool id. | string | "" | no | | volume\_size | Volume size of ebs storage. | number | 10 | no | | volume\_type | Volume type of ebs storage. | string | "gp2" | no | | custom\es\cognito\role\name | Custom name for Opensearch Cognito role name | string | null | no | | vpc | VPC ID | string | "" | no | | createdefaultsg | Creates default security group if value is true | bool | true | no | | zone\_id | Route 53 Zone id. | string | "" | no | | auto\software\update\_enabled | Whether automatic service software updates are enabled for the domain. Defaults to false. | bool | false | no |

Outputs

| Name | Description | |------|-------------| | arn | ARN of the domain | | availability\zones | If the domain was created inside a VPC, the names of the availability zones the configured subnet\ids were created inside | | cognito\_map | cognito info | | domain\_id | Unique identifier for the domain | | domain\_name | Name of the Elasticsearch domain | | endpoint | Domain-specific endpoint used to submit index, search, and data upload requests | | identity\pool\id | Cognito identity pool ID | | kibana\_endpoint | Domain-specific endpoint for kibana without https scheme | | os\username | Master username for OpenSearch | | os\_password | Master user password for OpenSearch | | tags\_all | Map of tags assigned to the resource, including those inherited from the provider | | user\pool\id | Cognito user pool ID | | vpc\_id | If the domain was created inside a VPC, the ID of the VPC |

Authors

Module is maintained by Andrija Vojnović with help from CyberLab Team.

License

Apache 2 Licensed. See LICENSE for full details.

🔗 More in this category

© 2026 GitRepoTrend · cyberlabrs/terraform-aws-opensearch · Updated daily from GitHub