fix: option to disable index slow logs

README.md

@@ -1,6 +1,5 @@
 # Opensearch
 
-<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
@@ -75,7 +74,7 @@ No modules.
 | <a name="input_instance_count"></a> [instance\_count](#input\_instance\_count) | The number of dedicated hot nodes in the cluster. | `number` | `3` | no |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | The type of EC2 instances to run for each hot node. A list of available instance types can you find at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing | `string` | `"t3.small.search"` | no |
 | <a name="input_internal_user_database_enabled"></a> [internal\_user\_database\_enabled](#input\_internal\_user\_database\_enabled) | Whether the internal user database is enabled | `bool` | `false` | no |
-| <a name="input_log_publishing_options"></a> [log\_publishing\_options](#input\_log\_publishing\_options) | Configuration block for publishing slow and application logs to CloudWatch Logs. | <pre>map(object({<br>    enabled                  = optional(bool, true)<br>    cloudwatch_log_group_arn = optional(string, "")<br>  }))</pre> | `{}` | no |
+| <a name="input_log_publishing_options"></a> [log\_publishing\_options](#input\_log\_publishing\_options) | Configuration block for publishing slow and application logs to CloudWatch Logs. | <pre>map(object({<br>    enabled                  = optional(bool, true)<br>    cloudwatch_log_group_arn = optional(string, "")<br>  }))</pre> | <pre>{<br>  "audit_logs": {<br>    "enabled": false<br>  },<br>  "index_slow_logs": {<br>    "enabled": true<br>  }<br>}</pre> | no |
 | <a name="input_maintenance_schedule"></a> [maintenance\_schedule](#input\_maintenance\_schedule) | configuration for auto tune maintenance schedule | `map(any)` | `{}` | no |
 | <a name="input_master_instance_count"></a> [master\_instance\_count](#input\_master\_instance\_count) | The number of dedicated master nodes in the cluster. | `number` | `3` | no |
 | <a name="input_master_instance_enabled"></a> [master\_instance\_enabled](#input\_master\_instance\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no |
@@ -120,4 +119,3 @@ No modules.
 | <a name="output_vpc_endpoint_dns_names"></a> [vpc\_endpoint\_dns\_names](#output\_vpc\_endpoint\_dns\_names) | VPC endpoint DNS names |
 | <a name="output_vpc_endpoint_endpoint"></a> [vpc\_endpoint\_endpoint](#output\_vpc\_endpoint\_endpoint) | The connection endpoint ID for connecting to the domain |
 | <a name="output_vpc_endpoint_id"></a> [vpc\_endpoint\_id](#output\_vpc\_endpoint\_id) | The unique identifier of the endpoint |
-<!-- END_TF_DOCS -->

cloudwatch.tf

@@ -5,7 +5,7 @@ locals {
 resource "aws_cloudwatch_log_group" "aos" {
   #checkov:skip=CKV_AWS_158:rely on aws default encryption
   #checkov:skip=CKV_AWS_338:Ensure CloudWatch log groups retains logs for at least 1 year
-  for_each = { for k, v in local.log_publishing_options : k => v if v.enabled }
+  for_each = { for k, v in var.log_publishing_options : k => v if v.enabled && v.cloudwatch_log_group_arn == "" }
 
   name              = "${local.log_prefix}/${each.key}"
   retention_in_days = var.cloudwatch_log_group_retention_days

examples/opensearch/data.tf

@@ -1,21 +1,3 @@
-data "aws_caller_identity" "current" {
-}
-
-data "aws_region" "current" {
-}
-
-data "aws_cloudformation_export" "vpc" {
-  name = var.cf_export_vpc
-}
-
-data "aws_cloudformation_export" "pub_subnet_a" {
-  name = var.cf_export_pub_subnet_a
-}
-
-data "aws_cloudformation_export" "pub_subnet_b" {
-  name = var.cf_export_pub_subnet_b
-}
-
 data "aws_cloudformation_export" "web_subnet_a" {
   name = var.cf_export_web_subnet_a
 }

examples/opensearch/iam.tf

@@ -1,26 +1,3 @@
-data "aws_iam_policy_document" "os_access_policy" {
-  statement {
-    sid = "Allow-Whitelisted-IPs"
-
-    effect = "Allow"
-
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
-
-    actions = ["es:*"]
-
-    resources = ["arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.domain_name}/*"]
-
-    condition {
-      test     = "IpAddress"
-      variable = "aws:SourcedIp"
-      values   = var.whitelist_ips
-    }
-  }
-}
-
 data "aws_iam_policy_document" "log_publish_policy" {
   statement {
     sid = "OS-Log-Publish-Policy"

examples/opensearch/main.tf

@@ -57,6 +57,15 @@ module "opensearch" {
   encrypt_at_rest_enabled         = true
   encrypt_kms_key_id              = aws_kms_key.objects.id
 
+  log_publishing_options = {
+    audit_logs = {
+      enabled = true
+    }
+    index_slow_logs = {
+      enabled = false
+    }
+  }
+
   tags = {
     Domain = "TestDomain"
     Name   = var.domain_name

examples/opensearch/variables.tf

@@ -4,12 +4,6 @@ variable "domain_name" {
   default     = "opensearch-test-cluster"
 }
 
-variable "whitelist_ips" {
-  description = "Whitelisted IPs which needed access to OpenSearch Cluster"
-  type        = list(string)
-  default     = ["202.27.16.0/20"]
-}
-
 variable "engine_version" {
   description = "OpenSearch engine version"
   type        = string
@@ -28,36 +22,6 @@ variable "instance_type" {
   default     = "t3.small.search"
 }
 
-variable "cf_export_vpc" {
-  description = "cf_export_vpc"
-  type        = string
-  default     = "vpcID-ap-southeast-1"
-}
-
-variable "cf_export_db_subnet_a" {
-  description = "cf_export_db_subnet_a"
-  type        = string
-  default     = "subnetIDDBA1-ap-southeast-1"
-}
-
-variable "cf_export_db_subnet_b" {
-  description = "cf_export_db_subnet_b"
-  type        = string
-  default     = "subnetIDDBB1-ap-southeast-1"
-}
-
-variable "cf_export_app_subnet_a" {
-  description = "cf_export_app_subnet_a"
-  type        = string
-  default     = "subnetIDAppA-ap-southeast-1"
-}
-
-variable "cf_export_app_subnet_b" {
-  description = "cf_export_app_subnet_b"
-  type        = string
-  default     = "subnetIDAppB-ap-southeast-1"
-}
-
 variable "cf_export_web_subnet_a" {
   description = "cf_export_web_subnet_a"
   type        = string
@@ -70,19 +34,6 @@ variable "cf_export_web_subnet_b" {
   default     = "subnetIDWebB-ap-southeast-1"
 }
 
-variable "cf_export_pub_subnet_a" {
-  description = "cf_export_pub_subnet_a"
-  type        = string
-  default     = "subnetIDPublicA-ap-southeast-1"
-}
-
-variable "cf_export_pub_subnet_b" {
-  description = "cf_export_pub_subnet_b"
-  type        = string
-  default     = "subnetIDPublicB-ap-southeast-1"
-}
-
-
 variable "cf_export_app_sg_id" {
   description = "app security group id"
   type        = string

main.tf

@@ -1,5 +1,6 @@
 resource "aws_opensearch_domain" "this" {
   #checkov:skip=CKV2_AWS_52
+  #checkov:skip=CKV_AWS_248:Ensure that Elasticsearch is not using the default Security Group
   #checkov:skip=CKV_AWS_317:Ensure Elasticsearch Domain Audit Logging is enabled
   # service linked role must exist and default cloudwatch log_group created.
   depends_on = [
@@ -91,7 +92,7 @@ resource "aws_opensearch_domain" "this" {
   }
 
   dynamic "log_publishing_options" {
-    for_each = { for k, v in local.log_publishing_options : k => v if v.enabled }
+    for_each = { for k, v in var.log_publishing_options : k => v if v.enabled }
     content {
       log_type                 = upper(log_publishing_options.key)
       enabled                  = log_publishing_options.value.enabled
@@ -124,8 +125,8 @@ resource "aws_opensearch_domain" "this" {
         dynamic "window_start_time" {
           for_each = var.enable_off_peak_window_options ? [1] : []
           content {
-            hours   = lookup(var.off_peak_window_options, "hours")
-            minutes = lookup(var.off_peak_window_options, "minutes")
+            hours   = var.off_peak_window_options["hours"]
+            minutes = var.off_peak_window_options["minutes"]
           }
         }
       }

variables.tf

@@ -369,7 +369,15 @@ variable "log_publishing_options" {
     enabled                  = optional(bool, true)
     cloudwatch_log_group_arn = optional(string, "")
   }))
-  default = {}
+
+  default = {
+    audit_logs = {
+      enabled = false
+    }
+    index_slow_logs = {
+      enabled = true
+    }
+  }
 }
 
 variable "cloudwatch_log_group_retention_days" {