Document VPC based ES clusters

It's necessary to have already created the elasticsearch.amazonaws.com service linked role before attempting to create a VPC based ES cluster. This can either be done separately from the ES cluster creation (useful if you have multiple ES clusters in an AWS account because the service linked role can only be created once) or the aws_elastcisearch_domain resource needs to wait for it to be created by using depends_on. See the discussion on hashicorp#5218 for more information.
tomelliff · Jan 17, 2019 · 59ceb40 · 59ceb40
1 parent c308ad1
commit 59ceb40
Showing 1 changed file with 99 additions and 0 deletions.
diff --git a/website/docs/r/elasticsearch_domain.html.markdown b/website/docs/r/elasticsearch_domain.html.markdown
@@ -108,6 +108,101 @@ resource "aws_elasticsearch_domain" "example" {
   }
 }
 ```
+### VPC based ES
+
+```hcl
+variable "vpc" {}
+
+variable "domain" {
+  default = "tf-test"
+}
+
+data "aws_vpc" "selected" {
+  tags {
+    Name = "${var.vpc}"
+  }
+}
+
+data "aws_subnet_ids" "selected" {
+  vpc_id = "${data.aws_vpc.selected.id}"
+
+  tags {
+    Tier = "private"
+  }
+}
+
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_security_group" "es" {
+  name        = "${var.vpc}-elasticsearch-${var.domain}"
+  description = "Managed by Terraform"
+  vpc_id      = "${data.aws_vpc.selected.id}"
+
+  ingress {
+    from_port = 443
+    to_port   = 443
+    protocol  = "tcp"
+
+    cidr_blocks = [
+      "${data.aws_vpc.selected.cidr_blocks}",
+    ]
+  }
+}
+
+resource "aws_iam_service_linked_role" "es" {
+  aws_service_name = "elasticsearch.amazonaws.com"
+}
+
+resource "aws_elasticsearch_domain" "es" {
+  domain_name           = "${var.domain}"
+  elasticsearch_version = "6.3"
+
+  cluster_config {
+    instance_type = "m4.large.elasticsearch"
+  }
+
+  vpc_options {
+    subnet_ids = [
+      "${data.aws_subnet_ids.selected.ids[0]}",
+      "${data.aws_subnet_ids.selected.ids[1]}",
+    ]
+
+    security_group_ids = ["${aws_security_group.elasticsearch.id}"]
+  }
+
+  advanced_options {
+    "rest.action.multi.allow_explicit_index" = "true"
+  }
+
+  access_policies = <<CONFIG
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Action": "es:*",
+			"Principal": "*",
+			"Effect": "Allow",
+			"Resource": "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.domain}/*"
+		}
+	]
+}
+CONFIG
+
+  snapshot_options {
+    automated_snapshot_start_hour = 23
+  }
+
+  tags {
+    Domain = "TestDomain"
+  }
+
+  depends_on = [
+    "aws_iam_service_linked_role.es",
+  ]
+}
+```
 
 ## Argument Reference
 
@@ -160,6 +255,10 @@ The following arguments are supported:
 
 AWS documentation: [VPC Support for Amazon Elasticsearch Service Domains](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html)
 
+**Note** you must have created the service linked role for the Elasticsearch service to use the `vpc_options`.
+If you need to create the service linked role at the same time as the Elasticsearch domain then you must use `depends_on` to make sure that the role is created before the Elasticsearch domain.
+See the [VPC based ES domain example](#vpc-based-es) above.
+
 * `security_group_ids` - (Optional) List of VPC Security Group IDs to be applied to the Elasticsearch domain endpoints. If omitted, the default Security Group for the VPC will be used.
 * `subnet_ids` - (Required) List of VPC Subnet IDs for the Elasticsearch domain endpoints to be created in.