Initial Commit

access_policy.json

+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "es:*",
+        "Condition": {
+            "IpAddress": {
+              "aws:SourceIp": [ "${other_ips}" ]
+            }
+          }
+    },
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "es:*",
+        "Condition": {
+            "IpAddress": {
+              "aws:SourceIp": ${nat_ips}
+            }
+          }
+      }
+    ]
+}
\ No newline at end of file

main.tf

+variable environment {}
+variable name {}
+
+variable nat_gateway_ips {}
+variable access_ips {}
+variable private_dns_zone {}
+variable private_dns_address {}
+variable public_dns_zone {}
+variable public_dns_address {}
+
+variable elasticsearch_version {default = "1.5"}
+variable automated_snapshot_start_hour {default = "02"}
+
+# EBS options
+variable ebs_enabled {default = "true"}
+variable ebs_volume_type {default = "gp2"}
+variable ebs_volume_size {default = "20"}
+
+# Cluster config 
+# If zone awareness is enabled then an even number of data nodes is required. 
+# Dedicated master count should be greater than 1
+variable instance_type {default = "t2.micro.elasticsearch"}
+variable instance_count {default = "2"}
+variable zone_awareness_enabled {default = "true"}
+variable dedicated_master_enabled {default = "true"}
+variable dedicated_master_type {default = "t2.micro.elasticsearch"}
+variable dedicated_master_count {default = "2"}
+
+
+data "template_file" "access_policy" {
+  template = "${file("${path.module}/access_policy.json")}"
+  vars {
+    nat_ips    = "${jsonencode(split(",", var.nat_gateway_ips))}"
+    other_ips = "${var.access_ips}"
+  }
+}
+
+
+# Add var for domain name
+resource "aws_elasticsearch_domain" "elasticsearch" {
+  domain_name = "es-${var.name}-${var.environment}"
+  elasticsearch_version = "${var.elasticsearch_version}"
+
+  ebs_options {
+    ebs_enabled = "${var.ebs_enabled}"
+    volume_type = "${var.ebs_volume_type}"
+    volume_size = "${var.ebs_volume_size}"
+    #iops - (Optional) The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the Provisioned IOPS EBS volume type.
+  }
+  snapshot_options {
+    automated_snapshot_start_hour = "${var.automated_snapshot_start_hour}"
+  }
+  access_policies = "${data.template_file.access_policy.rendered}"
+
+  cluster_config {
+    instance_type             = "${var.instance_type}"
+    instance_count            = "${var.instance_count}"
+    zone_awareness_enabled    = "${var.zone_awareness_enabled}"
+    dedicated_master_enabled  = "${var.dedicated_master_enabled}"
+    dedicated_master_type     = "${var.dedicated_master_type}"
+    dedicated_master_count    = "${var.dedicated_master_count}"
+  }
+
+  tags {
+    Name        = "${var.name}-${var.environment}-elasticsearch"
+    environment = "${var.name}-${var.environment}"
+    version     = "${var.elasticsearch_version}"
+  }
+
+  lifecycle {
+    # TODO: Remove this to update access policies for ElasticSearch LUL.
+    # It is in place because of diff errors for this field causing ElasticSearch rebuilds on every provisioning
+    ignore_changes = ["access_policies"]
+  }
+}
+
+
+
+resource "aws_route53_record" "public" {
+  zone_id = "${var.public_dns_zone}"
+  name = "${var.public_dns_address}"
+  type = "CNAME"
+  ttl = 60
+  records = ["${aws_elasticsearch_domain.elasticsearch.endpoint}"]
+}
+
+resource "aws_route53_record" "private" {
+  zone_id = "${var.private_dns_zone}"
+  name = "${var.private_dns_address}"
+  type = "CNAME"
+  ttl = 60
+  records = ["${aws_elasticsearch_domain.elasticsearch.endpoint}"]
+}