ignore smallish changes to the infra
Allows node instance sizes, node counts and Elasticsearch versions to be changed outside Terraform without producing plan diffs on the next run.

Fixes signalsciences/sigsci#16312
ted-fastly committed Jun 11, 2019
1 parent b382d2c commit ebeabf8
Showing 3 changed files with 37 additions and 24 deletions.
32 changes: 20 additions & 12 deletions main.tf
Expand Up @@ -11,7 +11,7 @@ data "aws_iam_policy_document" "es_management_access" {
"es:ESHttpGet",
"es:ESHttpHead",
"es:ESHttpPost",
"es:ESHttpPut"
"es:ESHttpPut",
]

resources = [
Expand All @@ -32,12 +32,13 @@ data "aws_iam_policy_document" "es_management_access" {
values = ["${distinct(compact(var.management_public_ip_addresses))}"]
}
}

statement {
actions = [
"es:ESHttpDelete",
]

resources = [ "${formatlist("${aws_elasticsearch_domain.es.arn}/%s-*/*/*", var.deny_del_indices_prefixes)}" ]
resources = ["${formatlist("${aws_elasticsearch_domain.es.arn}/%s-*/*/*", var.deny_del_indices_prefixes)}"]

principals {
type = "AWS"
Expand All @@ -57,6 +58,7 @@ data "aws_iam_policy_document" "es_management_access" {
resource "aws_cloudwatch_log_group" "index_slow_log" {
name = "${var.index_slow_log_cloudwatch_log_group}"
}

resource "aws_cloudwatch_log_group" "search_slow_log" {
name = "${var.search_slow_log_cloudwatch_log_group}"
}
Expand All @@ -66,15 +68,16 @@ resource "aws_cloudwatch_log_group" "es_app_log" {
}

data "aws_iam_policy_document" "elasticsearch-log-publishing-policy" {
count = "${(var.index_slow_log_enabled || var.search_slow_log_enabled || var.es_app_log_enable) ? 1 : 0}"
count = "${(var.index_slow_log_enabled || var.search_slow_log_enabled || var.es_app_log_enable) ? 1 : 0}"

statement {
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:PutLogEventsBatch",
]

resources = [ "arn:aws:logs:*" ]
resources = ["arn:aws:logs:*"]

principals {
identifiers = ["es.amazonaws.com"]
Expand All @@ -95,19 +98,25 @@ resource "aws_elasticsearch_domain" "es" {
elasticsearch_version = "${var.es_version}"
depends_on = ["aws_cloudwatch_log_resource_policy.elasticsearch-log-publishing-policy"]

lifecycle {
ignore_changes = ["elasticsearch_version", "instance_type", "instance_count"]
}

log_publishing_options = [{
log_type = "INDEX_SLOW_LOGS"
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.index_slow_log.arn}"
enabled = "${var.index_slow_log_enabled}"
}, {
log_type = "INDEX_SLOW_LOGS"
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.index_slow_log.arn}"
enabled = "${var.index_slow_log_enabled}"
},
{
log_type = "SEARCH_SLOW_LOGS"
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.search_slow_log.arn}"
enabled = "${var.search_slow_log_enabled}"
}, {
},
{
log_type = "ES_APPLICATION_LOGS"
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.es_app_log.arn}"
enabled = "${var.es_app_log_enable}"
}
},
]

cluster_config {
Expand Down Expand Up @@ -136,8 +145,7 @@ resource "aws_elasticsearch_domain" "es" {
}

resource "aws_elasticsearch_domain_policy" "es_management_access" {
count = "${length(var.vpc_options["subnet_ids"]) > 0 ? 0 : 1}"
count = "${length(var.vpc_options["subnet_ids"]) > 0 ? 0 : 1}"
domain_name = "${local.domain_name}"
access_policies = "${data.aws_iam_policy_document.es_management_access.json}"
}
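Review bot: The new `lifecycle { ignore_changes = ["elasticsearch_version", ...] }` on `aws_elasticsearch_domain.es` means a plan will no longer detect or report the engine version the domain is actually running, so a domain left on an old Elasticsearch release (or changed out-of-band) becomes invisible to code review and to this module's `var.es_version`, which now only matters at create time. This is a deliberate trade-off, but nothing in the hunk says so; a comment on the block would keep the next maintainer from "fixing" the variable and expecting an upgrade: `# Version and sizing are changed out-of-band (see sigsci#16312); var.es_version/instance_* only apply at create time. Engine version is not tracked here - audit it separately.` The `es` resource body continues outside the hunk, and the `var.es_version` description in variables.tf should likewise say it is create-only.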

24 changes: 15 additions & 9 deletions main_vpc.tf
Expand Up @@ -18,7 +18,7 @@ data "aws_iam_policy_document" "es_vpc_management_access" {
"es:ESHttpGet",
"es:ESHttpHead",
"es:ESHttpPost",
"es:ESHttpPut"
"es:ESHttpPut",
]

resources = [
Expand All @@ -35,7 +35,7 @@ data "aws_iam_policy_document" "es_vpc_management_access" {

statement {
actions = [
"es:ESHttpDelete"
"es:ESHttpDelete",
]

resources = ["*"]
Expand All @@ -52,7 +52,7 @@ data "aws_iam_policy_document" "es_vpc_management_access" {
"es:ESHttpDelete",
]

resources = [ "${formatlist("${aws_elasticsearch_domain.es_vpc.arn}/%s-*/*/*", var.deny_del_indices_prefixes)}" ]
resources = ["${formatlist("${aws_elasticsearch_domain.es_vpc.arn}/%s-*/*/*", var.deny_del_indices_prefixes)}"]

principals {
type = "AWS"
Expand All @@ -68,6 +68,10 @@ resource "aws_elasticsearch_domain" "es_vpc" {
elasticsearch_version = "${var.es_version}"
depends_on = ["aws_cloudwatch_log_resource_policy.elasticsearch-log-publishing-policy"]

lifecycle {
ignore_changes = ["elasticsearch_version", "instance_type", "instance_count"]
}

encrypt_at_rest = {
enabled = "${var.encrypt_at_rest}"
kms_key_id = "${var.kms_key_id}"
Expand All @@ -78,18 +82,20 @@ resource "aws_elasticsearch_domain" "es_vpc" {
}

log_publishing_options = [{
log_type = "INDEX_SLOW_LOGS"
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.index_slow_log.arn}"
enabled = "${var.index_slow_log_enabled}"
}, {
log_type = "INDEX_SLOW_LOGS"
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.index_slow_log.arn}"
enabled = "${var.index_slow_log_enabled}"
},
{
log_type = "SEARCH_SLOW_LOGS"
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.search_slow_log.arn}"
enabled = "${var.search_slow_log_enabled}"
}, {
},
{
log_type = "ES_APPLICATION_LOGS"
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.es_app_log.arn}"
enabled = "${var.es_app_log_enable}"
}
},
]

cluster_config {
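Review bot: The `lifecycle` block added to `aws_elasticsearch_domain.es_vpc` is an undocumented verbatim copy of the one in main.tf, and the `encrypt_at_rest` / KMS settings that follow it are version-dependent features whose availability Terraform can no longer reason about once `elasticsearch_version` is ignored. If the two domain resources are meant to stay in lockstep, a comment on each pointing at the other and at the reason (`# Keep in sync with aws_elasticsearch_domain.es in main.tf; version/size drift is accepted by design, see sigsci#16312`) makes that intent explicit, since Terraform 0.11 `ignore_changes` cannot be driven from a shared local. The `es_vpc` resource begins at the hunk header and its `cluster_config` body continues outside the hunk, so I cannot tell whether any other attributes there depend on the ignored `instance_count`.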
5 changes: 2 additions & 3 deletions variables.tf
Expand Up @@ -120,7 +120,7 @@ variable "index_slow_log_cloudwatch_log_group" {

variable "index_slow_log_enabled" {
description = "Enable the index slow logging (default false)"
default = true
default = true
}

variable "search_slow_log_cloudwatch_log_group" {
Expand All @@ -144,9 +144,8 @@ variable "es_app_log_enable" {
}

variable "node_to_node_encryption" {
default = true
default = true
}


# vim: set et fenc=utf-8 ff=unix ft=terraform sts=2 sw=2 ts=2 :
