lot1-kickoff/modules/opensearch/opensearch-cluster.tf

resource "kubernetes_manifest" "opensearch_securityconfig_secret" {
  depends_on = [kubernetes_namespace.opensearch_cluster]

  computed_fields = ["stringData"]
  manifest = yamldecode(<<YAML
  apiVersion: v1
  kind: Secret
  metadata:
    name: securityconfig-secret
    namespace: "${var.namespace_prefix}opensearch-cluster"
  type: Opaque
  stringData:
    action_groups.yml: |-
       _meta:
         type: "actiongroups"
         config_version: 2
    internal_users.yml: |-
      _meta:
        type: "internalusers"
        config_version: 2
      admin:
        hash: "${var.admin_hash}"
        reserved: true
        backend_roles:
        - "admin"
        description: "Demo admin user"
      dashboarduser:
        hash: "${var.admin_hash}"
        reserved: true
        description: "Demo OpenSearch Dashboards user"
    nodes_dn.yml: |-
      _meta:
        type: "nodesdn"
        config_version: 2
    whitelist.yml: |-
      _meta:
        type: "whitelist"
        config_version: 2
    tenants.yml: |-
      _meta:
        type: "tenants"
        config_version: 2
    roles_mapping.yml: |-
      _meta:
        type: "rolesmapping"
        config_version: 2
      all_access:
        reserved: false
        backend_roles:
        - "admin"
        description: "Maps admin to all_access"
      own_index:
        reserved: false
        users:
        - "*"
        description: "Allow full access to an index named like the username"
      readall:
        reserved: false
        backend_roles:
        - "readall"
      manage_snapshots:
        reserved: false
        backend_roles:
        - "snapshotrestore"
      dashboard_server:
        reserved: true
        users:
        - "dashboarduser"
    roles.yml: |-
      _meta:
        type: "roles"
        config_version: 2
      dashboard_read_only:
        reserved: true
      security_rest_api_access:
        reserved: true
      # Allows users to view monitors, destinations and alerts
      alerting_read_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opendistro/alerting/alerts/get'
          - 'cluster:admin/opendistro/alerting/destination/get'
          - 'cluster:admin/opendistro/alerting/monitor/get'
          - 'cluster:admin/opendistro/alerting/monitor/search'
      # Allows users to view and acknowledge alerts
      alerting_ack_alerts:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opendistro/alerting/alerts/*'
      # Allows users to use all alerting functionality
      alerting_full_access:
        reserved: true
        cluster_permissions:
          - 'cluster_monitor'
          - 'cluster:admin/opendistro/alerting/*'
        index_permissions:
          - index_patterns:
              - '*'
            allowed_actions:
              - 'indices_monitor'
              - 'indices:admin/aliases/get'
              - 'indices:admin/mappings/get'
      # Allow users to read Anomaly Detection detectors and results
      anomaly_read_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opendistro/ad/detector/info'
          - 'cluster:admin/opendistro/ad/detector/search'
          - 'cluster:admin/opendistro/ad/detectors/get'
          - 'cluster:admin/opendistro/ad/result/search'
          - 'cluster:admin/opendistro/ad/tasks/search'
          - 'cluster:admin/opendistro/ad/detector/validate'
          - 'cluster:admin/opendistro/ad/result/topAnomalies'
      # Allows users to use all Anomaly Detection functionality
      anomaly_full_access:
        reserved: true
        cluster_permissions:
          - 'cluster_monitor'
          - 'cluster:admin/opendistro/ad/*'
        index_permissions:
          - index_patterns:
              - '*'
            allowed_actions:
              - 'indices_monitor'
              - 'indices:admin/aliases/get'
              - 'indices:admin/mappings/get'
      # Allows users to read Notebooks
      notebooks_read_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opendistro/notebooks/list'
          - 'cluster:admin/opendistro/notebooks/get'
      # Allows users to all Notebooks functionality
      notebooks_full_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opendistro/notebooks/create'
          - 'cluster:admin/opendistro/notebooks/update'
          - 'cluster:admin/opendistro/notebooks/delete'
          - 'cluster:admin/opendistro/notebooks/get'
          - 'cluster:admin/opendistro/notebooks/list'
      # Allows users to read observability objects
      observability_read_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opensearch/observability/get'
      # Allows users to all Observability functionality
      observability_full_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opensearch/observability/create'
          - 'cluster:admin/opensearch/observability/update'
          - 'cluster:admin/opensearch/observability/delete'
          - 'cluster:admin/opensearch/observability/get'
      # Allows users to read and download Reports
      reports_instances_read_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opendistro/reports/instance/list'
          - 'cluster:admin/opendistro/reports/instance/get'
          - 'cluster:admin/opendistro/reports/menu/download'
      # Allows users to read and download Reports and Report-definitions
      reports_read_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opendistro/reports/definition/get'
          - 'cluster:admin/opendistro/reports/definition/list'
          - 'cluster:admin/opendistro/reports/instance/list'
          - 'cluster:admin/opendistro/reports/instance/get'
          - 'cluster:admin/opendistro/reports/menu/download'
      # Allows users to all Reports functionality
      reports_full_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opendistro/reports/definition/create'
          - 'cluster:admin/opendistro/reports/definition/update'
          - 'cluster:admin/opendistro/reports/definition/on_demand'
          - 'cluster:admin/opendistro/reports/definition/delete'
          - 'cluster:admin/opendistro/reports/definition/get'
          - 'cluster:admin/opendistro/reports/definition/list'
          - 'cluster:admin/opendistro/reports/instance/list'
          - 'cluster:admin/opendistro/reports/instance/get'
          - 'cluster:admin/opendistro/reports/menu/download'
      # Allows users to use all asynchronous-search functionality
      asynchronous_search_full_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opendistro/asynchronous_search/*'
        index_permissions:
          - index_patterns:
              - '*'
            allowed_actions:
              - 'indices:data/read/search*'
      # Allows users to read stored asynchronous-search results
      asynchronous_search_read_access:
        reserved: true
        cluster_permissions:
          - 'cluster:admin/opendistro/asynchronous_search/get'
      # Allows user to use all index_management actions - ism policies, rollups, transforms
      index_management_full_access:
        reserved: true
        cluster_permissions:
          - "cluster:admin/opendistro/ism/*"
          - "cluster:admin/opendistro/rollup/*"
          - "cluster:admin/opendistro/transform/*"
        index_permissions:
          - index_patterns:
              - '*'
            allowed_actions:
              - 'indices:admin/opensearch/ism/*'
      # Allows users to use all cross cluster replication functionality at leader cluster
      cross_cluster_replication_leader_full_access:
        reserved: true
        index_permissions:
          - index_patterns:
              - '*'
            allowed_actions:
              - "indices:admin/plugins/replication/index/setup/validate"
              - "indices:data/read/plugins/replication/changes"
              - "indices:data/read/plugins/replication/file_chunk"
      # Allows users to use all cross cluster replication functionality at follower cluster
      cross_cluster_replication_follower_full_access:
        reserved: true
        cluster_permissions:
          - "cluster:admin/plugins/replication/autofollow/update"
        index_permissions:
          - index_patterns:
              - '*'
            allowed_actions:
              - "indices:admin/plugins/replication/index/setup/validate"
              - "indices:data/write/plugins/replication/changes"
              - "indices:admin/plugins/replication/index/start"
              - "indices:admin/plugins/replication/index/pause"
              - "indices:admin/plugins/replication/index/resume"
              - "indices:admin/plugins/replication/index/stop"
              - "indices:admin/plugins/replication/index/update"
              - "indices:admin/plugins/replication/index/status_check"
    config.yml: |-
      _meta:
        type: "config"
        config_version: "2"
      config:
        dynamic:
          http:
            anonymous_auth_enabled: false
          authc:
            basic_internal_auth_domain:
              http_enabled: true
              transport_enabled: true
              order: "4"
              http_authenticator:
                type: basic
                challenge: true
              authentication_backend:
                type: intern
YAML
  )
}


resource "kubernetes_secret" "opensearch_admin_credential_secrets" {
  depends_on = [kubernetes_namespace.opensearch_cluster]

  metadata {
    name = "admin-credentials-secret"
    namespace  = "${var.namespace_prefix}opensearch-cluster"
  }

  data = {
    username = "admin"
    password = var.admin_password
   }

  type = "Opaque"
}

resource "helm_release" "opensearch-cluster" {
  depends_on = [helm_release.opensearch-operator, kubernetes_namespace.opensearch_cluster, kubernetes_manifest.opensearch_cluster_certificate, kubernetes_manifest.opensearch_dashboard_certificate]

  chart      = "opensearch-cluster"
  name       = "opensearch-cluster"
  namespace  = "${var.namespace_prefix}opensearch-cluster"
  create_namespace = false
  repository = "https://opensearch-project.github.io/opensearch-k8s-operator/"
  version    = "2.5.1"

  values = [
    file("./envs/${var.env}/opensearch-cluster.yaml")
  ]
}

resource "kubernetes_manifest" "opensearch_dashboard_ingress" {
  depends_on = [helm_release.opensearch-cluster]
  manifest = yamldecode(<<YAML
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: opensearch-dashboard-ingress
      namespace: "${var.namespace_prefix}opensearch-cluster"
      annotations:
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: cert-manager-webhook-duckdns-staging
    spec:
      ingressClassName: nginx
      tls:
      - hosts:
        - "opensearch-cluster-dashboards.${var.domain}"
        secretName: "opensearch-cluster-dashboards-tls-secret-staging"
      rules:
        - host: "opensearch-cluster-dashboards.${var.domain}"
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: opensearch-cluster-dashboards
                    port:
                      number: 5601
  YAML
  )
}

resource "kubernetes_manifest" "opensearch_ingress" {
  depends_on = [helm_release.opensearch-cluster]
  manifest = yamldecode(<<YAML
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: opensearch-ingress
      namespace: "${var.namespace_prefix}opensearch-cluster"
      annotations:
        nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: cert-manager-webhook-duckdns-staging
    spec:
      ingressClassName: nginx
      tls:
      - hosts:
        - "opensearch-cluster.${var.domain}"
        secretName: "opensearch-cluster-tls-secret-staging"
      rules:
        - host: "opensearch-cluster.${var.domain}"
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: opensearch-cluster
                    port:
                      number: 9200
  YAML
  )
}