Add a new TF module that create a custom VPC (minimal-vpc)

Author: timoa

minimal-vpc/README.md

@@ -0,0 +1,31 @@
+# Terraform Elasticsearch Single Node on AWS
+
+Example of the creation of an AWS Elasticsearch single node with Terraform
+
+## Includes
+
+- Create an AWS Elasticsearch Service instance (managed by AWS)
+- Deploy the Elasticsearch instance under a custom VPC
+- Encryption with a KMS custom key (let you manage the usage of the KMS key)
+- Accessible only from your office/home public IP
+
+## Improvements
+
+This project is just a minimal example of how to deploy an AWS Elasticsearch service instance with a single node with the minimum of security.
+
+This Terraform module can also be improved by adding this changes:
+
+- Support for multiple environments (distinct name and tags between environment)
+- Support for Route 53 (by adding an alias to an existing Route 53 zone)
+
+```bash
+module "es-single-node" {
+  source = "git::https://github.com/timoa/terraform-elastic-single-node/minimal-vpc"
+
+  name                      = "es-single-node-example"
+
+  # Need to be greater than t2 since it doesn't support encryption
+  instance_type             = "m4.large.elasticsearch"
+
+}
+```

minimal-vpc/main.tf

@@ -0,0 +1,51 @@
+terraform {
+  required_version = ">= 0.12.8"
+}
+
+module "network" {
+  source = "./modules/network"
+
+  # Global
+  aws_region = var.aws_region
+
+  # VPC
+  vpc_cidr      = var.vpc_cidr
+  public_subnet = var.public_subnet
+
+  # Security
+  my_public_ip = var.my_public_ip
+
+  # Tags 
+  tags = var.tags
+
+}
+
+module "security" {
+  source = "./modules/security"
+
+  # Tags
+  tags = var.tags
+}
+
+module "elasticsearch" {
+  source = "./modules/elasticsearch"
+
+  # Network
+  vpc_id         = module.network.vpc_id
+  security_group = module.network.elasticsearch_sg_id
+  public_subnet  = module.network.public_subnets[0]
+
+  # Security
+  my_public_ip          = var.my_public_ip
+  encryption_kms_key_id = module.security.elasticsearch_kms_key_id
+
+  # Elasticsearch
+  domain_name           = var.domain_name
+  elasticsearch_version = var.elasticsearch_version
+  instance_type         = var.instance_type
+  volume_size           = var.volume_size
+
+  # Tags
+  tags = var.tags
+
+}

minimal-vpc/modules/elasticsearch/main.tf

@@ -0,0 +1,59 @@
+resource "aws_elasticsearch_domain" "elasticsearch" {
+  domain_name           = var.domain_name
+  elasticsearch_version = var.elasticsearch_version
+
+  encrypt_at_rest {
+    enabled    = "true"
+    kms_key_id = var.encryption_kms_key_id
+  }
+
+  cluster_config {
+    instance_type            = var.instance_type
+    instance_count           = "1"
+    dedicated_master_enabled = "false"
+    dedicated_master_count   = "0"
+    zone_awareness_enabled   = "false"
+  }
+
+  access_policies = <<CONFIG
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": "*"
+        },
+        "Action": "es:*",
+        "Resource": "${var.my_public_ip}/32"
+      }
+    ]
+  }
+  CONFIG
+
+  vpc_options {
+    security_group_ids = [var.security_group]
+    subnet_ids         = var.public_subnet
+  }
+
+  advanced_options = {
+    "rest.action.multi.allow_explicit_index" = "true"
+    "indices.query.bool.max_clause_count"    = "1024"
+  }
+
+  ebs_options {
+    ebs_enabled = true
+    volume_type = "gp2"
+    volume_size = var.volume_size
+  }
+
+  snapshot_options {
+    automated_snapshot_start_hour = "0"
+  }
+
+  # Tags
+  tags = "${merge(var.tags, map(
+    "Name", "elasticsearch-es",
+    "Domain", var.domain_name
+  ))}"
+}

minimal-vpc/modules/elasticsearch/outputs.tf

@@ -0,0 +1,15 @@
+output "elasticsearch_endpoint" {
+  value = aws_elasticsearch_domain.elasticsearch.endpoint
+}
+
+output "elasticsearch_arn" {
+  value = aws_elasticsearch_domain.elasticsearch.arn
+}
+
+output "elasticsearch_domain_id" {
+  value = aws_elasticsearch_domain.elasticsearch.domain_id
+}
+
+output "elasticsearch_kibana_endpoint" {
+  value = aws_elasticsearch_domain.elasticsearch.kibana_endpoint
+}

minimal-vpc/modules/elasticsearch/variables.tf

@@ -0,0 +1,18 @@
+# Network
+variable "vpc_id" {}
+variable "security_group" {}
+variable "public_subnet" {}
+
+#Security
+variable "my_public_ip" {}
+variable "encryption_kms_key_id" {}
+
+# Elasticsearch
+variable "domain_name" {}
+variable "elasticsearch_version" {}
+variable "instance_type" {}
+variable "volume_size" {}
+
+variable tags {
+  type = "map"
+}

minimal-vpc/modules/network/main.tf

@@ -0,0 +1,66 @@
+/**
+ * Usage:
+ *
+ * module "network" {
+ *   source = "./modules/network"
+ *   
+ *   # Global
+ *   aws_region        = var.aws_region
+ *   
+ *   # VPC
+ *   vpc_cidr          = var.vpc_cidr
+ *   public_subnet     = var.public_subnet
+ *
+ * }
+ */
+
+module "vpc" {
+  source = "terraform-aws-modules/vpc/aws"
+
+  name = "elasticsearch-vpc"
+  cidr = var.vpc_cidr
+
+  azs            = ["${var.aws_region}a"]
+  public_subnets = [var.public_subnet]
+
+  enable_dns_hostnames = true
+  enable_nat_gateway   = false
+  single_nat_gateway   = false
+  enable_vpn_gateway   = false
+
+  # Tags
+  tags = merge(var.tags, map(
+    "Name", "elasticsearch-vpc"
+  ))
+
+}
+
+module "elasticsearch_sg" {
+  source = "terraform-aws-modules/security-group/aws"
+
+  name        = "elasticsearch-sg"
+  description = "Security group that allows access to Elasticsearch only from your IP and all egress traffic"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress_with_cidr_blocks = [
+    {
+      rule        = "https-443-tcp"
+      description = "Elasticsearch/Kibana"
+      cidr_blocks = "${var.my_public_ip}/32"
+    },
+  ]
+
+  egress_with_cidr_blocks = [
+    {
+      rule        = "all-all"
+      description = "Internet"
+      cidr_blocks = "0.0.0.0/0"
+    },
+  ]
+
+  # Tags
+  tags = merge(var.tags, map(
+    "Name", "elasticsearch-sg"
+  ))
+
+}

minimal-vpc/modules/network/outputs.tf

@@ -0,0 +1,14 @@
+output "vpc_id" {
+  description = "ID of the VPC"
+  value       = module.vpc.vpc_id
+}
+
+output "public_subnets" {
+  description = "ID of the VPC public subnet"
+  value       = [module.vpc.public_subnets]
+}
+
+output "elasticsearch_sg_id" {
+  description = "Elasticsearch security group ID"
+  value       = module.elasticsearch_sg.this_security_group_id
+}

minimal-vpc/modules/network/variables.tf

@@ -0,0 +1,10 @@
+variable "aws_region" {}
+
+variable "vpc_cidr" {}
+variable "public_subnet" {}
+
+variable "my_public_ip" {}
+
+variable tags {
+  type = "map"
+}

minimal-vpc/modules/security/main.tf

@@ -0,0 +1,14 @@
+resource "aws_kms_key" "elasticsearch_kms_key" {
+  description = "KMS key to encrypt the Elasticsearch volume"
+
+  # Tags
+  tags = merge(var.tags, map(
+    "Name", "elasticsearch-kms"
+  ))
+
+}
+
+resource "aws_kms_alias" "key" {
+  name          = "alias/elasticsearch-kms"
+  target_key_id = aws_kms_key.elasticsearch_kms_key.key_id
+}

minimal-vpc/modules/security/outputs.tf

@@ -0,0 +1,4 @@
+output "elasticsearch_kms_key_id" {
+  description = "Elasticsearch KMS Key ID"
+  value       = aws_kms_key.elasticsearch_kms_key.key_id
+}