From fc59e2bacd5ef23080bb423c84c77afe401e4c66 Mon Sep 17 00:00:00 2001 From: Alexander Verhaar Date: Thu, 28 Mar 2024 14:23:21 +0100 Subject: [PATCH 1/8] Added labels --- .github/labels.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/labels.yaml diff --git a/.github/labels.yaml b/.github/labels.yaml new file mode 100644 index 0000000..914c52f --- /dev/null +++ b/.github/labels.yaml @@ -0,0 +1,25 @@ +--- +- name: bug + color: "c2e0c6" + description: Bug +- name: do-not-merge + color: "e99695" + description: Do not merge commit +- name: documentation + color: "feaef7" + description: Documentation +- name: enhancement + color: "8d6fc8" + description: Enhancement +- name: release/major + color: "d93f0b" + description: Major version +- name: release/minor + color: "fbca04" + description: Minor version +- name: release/patch + color: "0e8a16" + description: Patch version +- name: security + color: "db175c" + description: Security From 498d2a57b4bfd76d596627d6bcb23787c5d37e7f Mon Sep 17 00:00:00 2001 From: Alexander Verhaar Date: Thu, 28 Mar 2024 16:42:24 +0100 Subject: [PATCH 2/8] Added more checks --- .pre-commit-config.yaml | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 898eeb6..95761dd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,7 +1,34 @@ repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.5.0 + hooks: + - id: check-json + - id: check-merge-conflict + - id: trailing-whitespace + - id: end-of-file-fixer + - id: check-yaml + - id: check-added-large-files + - id: pretty-format-json + args: + - --autofix + - id: detect-aws-credentials + args: + - --allow-missing-credentials + - id: detect-private-key - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.0 + rev: v1.88.4 hooks: - id: terraform_fmt - id: terraform_docs + args: + - --hook-config=--use-standard-markers=true - id: terraform_validate + - id: terraform_trivy + - repo: https://github.com/bridgecrewio/checkov + rev: 3.0.37 + hooks: + - id: checkov + verbose: false + args: [--download-external-modules, "true", --quiet, --compact] + additional_dependencies: + - "cyclonedx-python-lib==5.2.0" From 89fff74ac9cf7d39c04eba4645dda6d8ff734c91 Mon Sep 17 00:00:00 2001 From: Alexander Verhaar Date: Thu, 28 Mar 2024 16:45:01 +0100 Subject: [PATCH 3/8] Fix checkov findings --- .github/workflows/v1-func-create-tag-and-release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/v1-func-create-tag-and-release.yml b/.github/workflows/v1-func-create-tag-and-release.yml index 242e0d4..7aa1129 100644 --- a/.github/workflows/v1-func-create-tag-and-release.yml +++ b/.github/workflows/v1-func-create-tag-and-release.yml @@ -4,6 +4,9 @@ on: pull_request: types: [closed] +permissions: + contents: write + jobs: create-new-release: runs-on: ubuntu-latest From ab8a6b3f1c4d1542b5767e6709ce02c7d68fb5c5 Mon Sep 17 00:00:00 2001 From: Alexander Verhaar Date: Thu, 28 Mar 2024 16:48:20 +0100 Subject: [PATCH 4/8] Updated README.md --- README.md | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0f1e5fe..bc04bf8 100644 --- a/README.md +++ b/README.md 
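Review bot: The checkov hook is given `--download-external-modules, "true"`, which makes every local pre-commit run fetch remote module sources over the network before scanning, yet the README in this series states "No modules.", so the flag adds a network dependency on external code without improving coverage. `args: [--download-external-modules, "false", --quiet, --compact]` keeps the scan local until an external module is actually introduced. The hook repositories are pinned to tags (`rev: v4.5.0`, `rev: v1.88.4`, `rev: 3.0.37`); tags are mutable, so if stronger provenance is wanted the full commit SHA can be used as `rev` instead, which pre-commit accepts.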
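Review bot: `permissions:` with `contents: write` is added at the workflow level of v1-func-create-tag-and-release.yml, so every job in the workflow receives write access to repository contents, while only `create-new-release` is visible and appears to need it for creating the tag and release. Moving the block under that job (`create-new-release:` / `  permissions:` / `    contents: write`) scopes the token to the one job that writes, and any job added later starts from the read-only default. The `jobs:` block continues outside the hunk, so other jobs may already exist.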
@@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.9.0 | +| [aws](#provider\_aws) | 5.42.0 | ## Modules @@ -28,12 +28,15 @@ No modules. | [aws_cloudwatch_log_group.cw_search](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_cloudwatch_log_resource_policy.cw_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) | resource | | [aws_elasticsearch_domain.opensearch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) | resource | +| [aws_elasticsearch_domain_saml_options.opensearch_saml_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain_saml_options) | resource | | [aws_iam_policy_document.cw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [autotune\_enabled](#input\_autotune\_enabled) | Enable autotune options | `bool` | `false` | no | +| [autotune\_options](#input\_autotune\_options) | n/a |
object({
desired_state = string
rollback_on_disable = string
maintenance_schedule = object({
cron_expression = string
duration = number
start_at = string
})
})
|
{
"desired_state": "ENABLED",
"maintenance_schedule": {
"cron_expression": "cron(0 0 ? * 1 *)",
"duration": 1,
"start_at": "2000-01-01T00:00:00.00Z"
},
"rollback_on_disable": "NO_ROLLBACK"
}
| no | | [availability\_zones](#input\_availability\_zones) | The number of availability zones for the OpenSearch cluster. Valid values: 1, 2 or 3. | `number` | `3` | no | | [cloudwatch\_log\_enabled](#input\_cloudwatch\_log\_enabled) | Enabled Cloudwatch. | `bool` | `true` | no | | [cloudwatch\_log\_kms\_key\_id](#input\_cloudwatch\_log\_kms\_key\_id) | The ARN of the KMS key to use when encrypting log data. | `string` | `null` | no | 
@@ -45,20 +48,35 @@ No modules. | [cognito\_identity\_pool\_id](#input\_cognito\_identity\_pool\_id) | ID of the Cognito identity pool to use. | `string` | `null` | no | | [cognito\_role\_arn](#input\_cognito\_role\_arn) | ARN of the IAM role that has the AmazonESCognitoAccess policy. | `string` | `null` | no | | [cognito\_user\_pool\_id](#input\_cognito\_user\_pool\_id) | ID of the Cognito user pool to use. | `string` | `null` | no | +| [cold\_enabled](#input\_cold\_enabled) | Enable cold storage. | `bool` | `false` | no | | [custom\_endpoint](#input\_custom\_endpoint) | FQDN of the custom endpoint | `string` | `null` | no | | [custom\_endpoint\_certificate\_arn](#input\_custom\_endpoint\_certificate\_arn) | ACM certificate ARN for your custom endpoint. | `string` | `null` | no | | [custom\_endpoint\_enabled](#input\_custom\_endpoint\_enabled) | Enable custom endpoint. | `bool` | `false` | no | | [ebs\_enabled](#input\_ebs\_enabled) | Enable EBS volumes for data nodes | `bool` | `false` | no | +| [ebs\_iops](#input\_ebs\_iops) | Baseline I/O performance of EBS volumes attached to data nodes. | `number` | `null` | no | | [ebs\_volume\_size](#input\_ebs\_volume\_size) | EBS Volume size in GiB | `number` | `null` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | EBS volume type. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html | `string` | `null` | no | +| [enabled](#input\_enabled) | Enable OpenSearch. | `bool` | `true` | no | | [encrypt\_at\_rest](#input\_encrypt\_at\_rest) | Enable encryption at rest | `bool` | `true` | no | | [encrypt\_kms\_key\_id](#input\_encrypt\_kms\_key\_id) | KMS key id to encrypt OpenSearch domain with. | `string` | `null` | no | | [enforce\_https](#input\_enforce\_https) | Enforce HTTPS domain endpoint. | `string` | `null` | no | | [hot\_instance\_count](#input\_hot\_instance\_count) | The number of dedicated hot nodes in the cluster. 
| `number` | `3` | no | | [hot\_instance\_type](#input\_hot\_instance\_type) | The instance type for dedicated hot nodes in the cluster. | `string` | `"t3.small.elasticsearch"` | no | +| [internal\_user\_database\_enabled](#input\_internal\_user\_database\_enabled) | Enable internal user database. | `bool` | `true` | no | | [master\_instance\_count](#input\_master\_instance\_count) | The number of dedicated master nodes in the cluster. | `number` | `3` | no | | [master\_instance\_type](#input\_master\_instance\_type) | Instance type for the OpenSearch master nodes. | `string` | `"t3.small.elasticsearch"` | no | | [master\_user\_arn](#input\_master\_user\_arn) | ARN of the main user. | `string` | `null` | no | +| [master\_user\_name](#input\_master\_user\_name) | Name of the main user. | `string` | `null` | no | +| [master\_user\_password](#input\_master\_user\_password) | Password of the main user. | `string` | `null` | no | | [node\_to\_node\_encryption](#input\_node\_to\_node\_encryption) | Enable node-to-node encryption. | `bool` | `true` | no | +| [saml\_options\_enabled](#input\_saml\_options\_enabled) | Enable saml\_options | `bool` | `false` | no | +| [saml\_options\_idp\_entity\_id](#input\_saml\_options\_idp\_entity\_id) | URL of the entity id | `string` | `null` | no | +| [saml\_options\_idp\_metadata\_content](#input\_saml\_options\_idp\_metadata\_content) | Contents of the saml-metadata.xml file | `string` | `null` | no | +| [saml\_options\_master\_backend\_role](#input\_saml\_options\_master\_backend\_role) | (Optional) This backend role from the SAML IdP receives full permissions to the cluster, equivalent to a new master user. | `string` | `null` | no | +| [saml\_options\_master\_user\_name](#input\_saml\_options\_master\_user\_name) | (Optional) This username from the SAML IdP receives full permissions to the cluster, equivalent to a new master user. 
| `string` | `null` | no | +| [saml\_options\_roles\_key](#input\_saml\_options\_roles\_key) | (Optional) Element of the SAML assertion to use for backend roles. Default is roles. e.g. http://schemas.microsoft.com/ws/2008/06/identity/claims/groups | `string` | `null` | no | +| [saml\_options\_session\_timeout\_minutes](#input\_saml\_options\_session\_timeout\_minutes) | (Optional) Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440. | `number` | `null` | no | +| [saml\_options\_subject\_key](#input\_saml\_options\_subject\_key) | (Optional) Custom SAML attribute to use for user names. Default is an empty string. This will cause Elasticsearch to use the NameID element of the Subject, which is the default location for name identifiers in the SAML specification. | `string` | `null` | no | | [security\_group\_ids](#input\_security\_group\_ids) | List of VPC security group id's. | `list(string)` | `[]` | no | | [subnet\_ids](#input\_subnet\_ids) | The subnet id where to deploy the OpenSearch cluster. | `list(string)` | `[]` | no | | [tags](#input\_tags) | A mapping of tags to assign to the OpenSearch cluster. | `map(string)` | `{}` | no | @@ -78,4 +96,4 @@ No modules. | [kibana\_endpoint](#output\_kibana\_endpoint) | The endpoint URL of Kibana. | | [opensearch\_domain\_arn](#output\_opensearch\_domain\_arn) | Return ARN of the OpenSearch cluster domain. | | [opensearch\_domain\_id](#output\_opensearch\_domain\_id) | The domain id of the OpenSearch cluster. | - \ No newline at end of file + From 3b90bd637a5675606948c640f2e6782613907e96 Mon Sep 17 00:00:00 2001 
From: Alexander Verhaar Date: Thu, 28 Mar 2024 16:49:42 +0100 Subject: [PATCH 5/8] Fix checkov findings --- .github/workflows/terraform.yml | 49 --------------------------------- example/README.md | 36 ++---------------------- example/main.tf | 3 +- main.tf | 2 +- variables.tf | 2 +- 5 files changed, 6 insertions(+), 86 deletions(-) delete mode 100644 .github/workflows/terraform.yml diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml deleted file mode 100644 index 0ff17e0..0000000 --- a/.github/workflows/terraform.yml +++ /dev/null @@ -1,49 +0,0 @@ ---- -name: "Terraform" - -on: - pull_request: - -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - -jobs: - terraform-fmt: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@master - - name: Terraform Format - uses: hashicorp/terraform-github-actions@master - with: - tf_actions_version: latest - tf_actions_subcommand: fmt - tf_actions_comment: true - - terraform-docs: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.ref }} - continue-on-error: true # added this to prevent a PR from a remote fork failing the workflow - - name: Update module usage docs and push any changes back to PR branch - uses: Dirrk/terraform-docs@v1.0.8 - with: - tf_docs_args: "--sort-inputs-by-required" - tf_docs_git_commit_message: "terraform-docs: Update module usage" - tf_docs_git_push: "true" - tf_docs_output_file: README.md - tf_docs_output_method: inject - tf_docs_find_dir: . - continue-on-error: true # added this to prevent a PR from a remote fork failing the workflow - - tfsec: - name: tfsec - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@master - - name: Terraform security scan - uses: triat/terraform-security-scan@v3.1.0 diff --git a/example/README.md b/example/README.md index 0d932ee..f4edd2f 100644 --- a/example/README.md +++ b/example/README.md 
@@ -1,35 +1,3 @@ -# Usage - -## Requirements +# Example -| Name | Version | -|------|---------| -| terraform | >= 1.0 | -| aws | >= 4.0 | -| elasticsearch | >=2.0.0 | - -## Providers - -| Name | Version | -|------|---------| -| aws | >= 4.0 | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| cluster\_domain | The hosted zone name of the OpenSearch cluster. | `string` | `""` | no | -| cluster\_name | The name of the OpenSearch cluster. | `string` | `"opensearch"` | no | -| security\_group\_ids | The security group id's to add to the OpenSearch security group. | `list(string)` | `[]` | no | -| subnet\_ids | The subnet id's to use for the OpenSearch cluster. | `list(string)` | `[]` | no | -| tags | Tags | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| cluster\_endpoint | The endpoint URL of the OpenSearch cluster. | -| cluster\_name | The name of the OpenSearch cluster. | -| cluster\_version | The version of the OpenSearch cluster. | - - +Look at the README.md in the root folder of this project diff --git a/example/main.tf b/example/main.tf index 230bbce..55b5443 100644 --- a/example/main.tf +++ b/example/main.tf @@ -14,7 +14,8 @@ module "opensearch" { cluster_name = var.cluster_name cluster_version = "OpenSearch_2.7" - subnet_ids = var.subnet_ids + subnet_ids = var.subnet_ids + #checkov:skip=CKV_AWS_248:This example doesn't contain a security group security_group_ids = var.security_group_ids warm_enabled = false diff --git a/main.tf b/main.tf index ffad22b..9d8c042 100644 --- a/main.tf +++ b/main.tf @@ -4,7 +4,7 @@ resource "aws_elasticsearch_domain" "opensearch" { count = var.enabled ? 1 : 0 cluster_config { - dedicated_master_enabled = var.master_instance_count > 0 + dedicated_master_enabled = true dedicated_master_count = var.master_instance_count dedicated_master_type = var.master_instance_type 
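Review bot: Replacing `var.master_instance_count > 0` with `dedicated_master_enabled = true` in main.tf silently changes the module contract: a caller who set `master_instance_count = 0` to run without dedicated masters now gets dedicated masters enabled with a count of 0, which the provider is likely to reject at apply time rather than at plan time. If always-on dedicated masters is the intended hardening, make the input enforce it: add a `validation` block to `variable "master_instance_count"` in variables.tf that rejects values below 3 with an error message stating that dedicated masters are always enabled, and extend the README description (currently "The number of dedicated master nodes in the cluster.") to say the same. The `cluster_config` block and the enclosing resource continue outside the hunk.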
diff --git a/variables.tf b/variables.tf index 0ad8ab7..c876016 100644 --- a/variables.tf +++ b/variables.tf @@ -155,7 +155,7 @@ variable "custom_endpoint_certificate_arn" { variable "internal_user_database_enabled" { description = "Enable internal user database." type = bool - default = false + default = true } variable "master_user_arn" { From 4f6075c7b9603884d78ae907dccc9a6a7e93caa2 Mon Sep 17 00:00:00 2001 From: Alexander Verhaar Date: Fri, 29 Mar 2024 09:54:24 +0100 Subject: [PATCH 6/8] Remove trivy --- .github/workflows/ci-checks-tf.yml | 2 +- .pre-commit-config.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci-checks-tf.yml b/.github/workflows/ci-checks-tf.yml index 6135c29..9c32f55 100644 --- a/.github/workflows/ci-checks-tf.yml +++ b/.github/workflows/ci-checks-tf.yml @@ -13,7 +13,7 @@ permissions: jobs: pre-commit: runs-on: ubuntu-latest - container: ghcr.io/antonbabenko/pre-commit-terraform:v1.79.1 + container: ghcr.io/antonbabenko/pre-commit-terraform:v1.88.4 steps: - uses: actions/checkout@v3 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 95761dd..cca466a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -23,7 +23,6 @@ repos: args: - --hook-config=--use-standard-markers=true - id: terraform_validate - - id: terraform_trivy - repo: https://github.com/bridgecrewio/checkov rev: 3.0.37 hooks: From 9d6296ba1f2c7aba55f9f082a0ec04cb356da71c Mon Sep 17 00:00:00 2001 From: Alexander Verhaar Date: Tue, 14 May 2024 11:16:09 +0200 Subject: [PATCH 7/8] Trigger Github Action From e151655c2a60349f2f4af95601309bfb887340c0 Mon Sep 17 00:00:00 2001 From: Alexander Verhaar Date: Tue, 14 May 2024 11:56:45 +0200 Subject: [PATCH 8/8] Updated versions --- .pre-commit-config.yaml | 2 +- README.md | 23 ++++++++++------------- versions.tf | 2 +- 3 files changed, 12 insertions(+), 15 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cca466a..e237779 100644 
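Review bot: Flipping the default of `internal_user_database_enabled` to `true` means a fresh deployment now expects a static `master_user_name`/`master_user_password` pair rather than the IAM-principal `master_user_arn`, and that password is then held in Terraform state and shown in plan output. The README in patch 4 lists `master_user_password` as a plain `string` with default `null`, so the corresponding `variable "master_user_password"` (outside this hunk) should at least carry `sensitive = true`, and the description here should name the inputs that become required, e.g. `description = "Enable internal user database; requires master_user_name and master_user_password."`. If the default change exists only to satisfy a scanner finding, keeping `false` and documenting the IAM-based master user as the preferred path is the safer default; the variable block continues outside the hunk.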
--- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,7 +16,7 @@ repos: - --allow-missing-credentials - id: detect-private-key - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.88.4 + rev: v1.89.1 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/README.md b/README.md index bc04bf8..5585c58 100644 --- a/README.md +++ b/README.md @@ -1,18 +1,16 @@ -# terraform-aws-mcaf-opensearch - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | 5.49.0 | | [elasticsearch](#requirement\_elasticsearch) | >= 2.0.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.42.0 | +| [aws](#provider\_aws) | 5.49.0 | ## Modules 
@@ -22,14 +20,14 @@ No modules. | Name | Type | |------|------| -| [aws_cloudwatch_log_group.cw_application](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_group.cw_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_group.cw_index](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_group.cw_search](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_resource_policy.cw_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) | resource | -| [aws_elasticsearch_domain.opensearch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) | resource | -| [aws_elasticsearch_domain_saml_options.opensearch_saml_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain_saml_options) | resource | -| [aws_iam_policy_document.cw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_cloudwatch_log_group.cw_application](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.cw_audit](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.cw_index](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.cw_search](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/cloudwatch_log_group) | resource | +| 
[aws_cloudwatch_log_resource_policy.cw_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/cloudwatch_log_resource_policy) | resource | +| [aws_elasticsearch_domain.opensearch](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/elasticsearch_domain) | resource | +| [aws_elasticsearch_domain_saml_options.opensearch_saml_options](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/resources/elasticsearch_domain_saml_options) | resource | +| [aws_iam_policy_document.cw_policy](https://registry.terraform.io/providers/hashicorp/aws/5.49.0/docs/data-sources/iam_policy_document) | data source | ## Inputs @@ -96,4 +94,3 @@ No modules. | [kibana\_endpoint](#output\_kibana\_endpoint) | The endpoint URL of Kibana. | | [opensearch\_domain\_arn](#output\_opensearch\_domain\_arn) | Return ARN of the OpenSearch cluster domain. | | [opensearch\_domain\_id](#output\_opensearch\_domain\_id) | The domain id of the OpenSearch cluster. | - diff --git a/versions.tf b/versions.tf index 49fa410..63fd78e 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = "5.49.0" } elasticsearch = { source = "phillbaker/elasticsearch"
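Review bot: `version = "5.49.0"` in versions.tf turns the module's provider requirement into an exact pin, so every root module that consumes it must resolve to exactly 5.49.0 and `terraform init` fails as soon as any other module or the root asks for a different 5.x release. A shared module should state a range, e.g. `version = ">= 5.49.0, < 6.0.0"`, and leave exact pinning to the root module's `.terraform.lock.hcl`. The README hunk in this patch mirrors the pin in the Requirements table and would follow the same change; the `required_providers` block continues outside the hunk.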