feat: add advanced security and domain config options (#69)

* feat: add advanced security and domain config options

- Added variables for advanced security options, including anonymous
  auth, internal user database, and master user name, allowing more
  flexible Elasticsearch/Kibana security configuration.
- Introduced variables for Elasticsearch domain name and subdomain
  names, with validation for domain name format.
- Added support for enabling cold storage and node-to-node encryption
  via new variables.
- Updated module usage to reference new and updated variables.

* test: update domainHostname assertion in TestBasic

Update the assertion for domainHostname in the TestBasic suite to check
for the "es." prefix and ".components.cptest.test-automation.app" suffix,
ensuring the output matches the expected hostname format.

---------

Co-authored-by: Andriy Knysh <aknysh@users.noreply.github.com>

Author: RoseSecurity

src/main.tf

@@ -9,6 +9,8 @@ locals {
   elasticsearch_domain_endpoint = format(local.elasticsearch_endpoint_format, "elasticsearch_domain_endpoint")
   elasticsearch_kibana_endpoint = format(local.elasticsearch_endpoint_format, "elasticsearch_kibana_endpoint")
   elasticsearch_admin_password  = format(local.elasticsearch_endpoint_format, "password")
+  kibana_subdomain_name         = coalesce(var.kibana_subdomain_name, module.this.environment)
+  elasticsearch_subdomain_name  = coalesce(var.elasticsearch_subdomain_name, module.this.environment)
 
   create_password        = local.enabled && length(var.elasticsearch_password) == 0
   elasticsearch_password = local.create_password ? one(random_password.elasticsearch_password[*].result) : var.elasticsearch_password
@@ -33,18 +35,22 @@ module "elasticsearch" {
   dedicated_master_count         = var.dedicated_master_enabled ? var.dedicated_master_count : null
   dedicated_master_type          = var.dedicated_master_enabled ? var.dedicated_master_type : null
   create_iam_service_linked_role = var.create_iam_service_linked_role
-  kibana_subdomain_name          = module.this.environment
+  elasticsearch_domain_name      = var.elasticsearch_domain_name
+  elasticsearch_subdomain_name   = local.elasticsearch_subdomain_name
+  kibana_subdomain_name          = local.kibana_subdomain_name
   ebs_volume_size                = var.ebs_volume_size
+  cold_storage_enabled           = var.cold_storage_enabled
   dns_zone_id                    = local.dns_zone_id
   kibana_hostname_enabled        = var.kibana_hostname_enabled
   domain_hostname_enabled        = var.domain_hostname_enabled
   iam_role_arns                  = var.elasticsearch_iam_role_arns
   iam_actions                    = var.elasticsearch_iam_actions
 
-  node_to_node_encryption_enabled                          = true
-  advanced_security_options_enabled                        = true
-  advanced_security_options_internal_user_database_enabled = true
-  advanced_security_options_master_user_name               = "admin"
+  node_to_node_encryption_enabled                          = var.node_to_node_encryption_enabled
+  advanced_security_options_enabled                        = var.advanced_security_options_enabled
+  advanced_security_options_anonymous_auth_enabled         = var.advanced_security_options_anonymous_auth_enabled
+  advanced_security_options_internal_user_database_enabled = var.advanced_security_options_internal_user_database_enabled
+  advanced_security_options_master_user_name               = var.advanced_security_options_master_user_name
   advanced_security_options_master_user_password           = local.elasticsearch_password
 
   allowed_cidr_blocks = [module.vpc.outputs.vpc_cidr]

src/variables.tf

@@ -25,11 +25,57 @@ variable "elasticsearch_version" {
   description = "Version of Elasticsearch or Opensearch to deploy (_e.g._ `7.1`, `6.8`, `6.7`, `6.5`, `6.4`, `6.3`, `6.2`, `6.0`, `5.6`, `5.5`, `5.3`, `5.1`, `2.3`, `1.5`"
 }
 
+variable "elasticsearch_domain_name" {
+  type        = string
+  default     = ""
+  description = "The name of the Elasticsearch domain. Must be at least 3 and no more than 28 characters long. Valid characters are a-z (lowercase letters), 0-9, and - (hyphen)."
+
+  validation {
+    condition     = var.elasticsearch_domain_name == "" || (length(var.elasticsearch_domain_name) >= 3 && length(var.elasticsearch_domain_name) <= 28)
+    error_message = "The elasticsearch_domain_name must meet following conditions: 1) be empty string or 2) must start with a lowercase alphabet and be at least 3 and no more than 28 characters long. Valid characters are a-z (lowercase letters), 0-9, and - (hyphen)."
+  }
+
+  validation {
+    condition     = var.elasticsearch_domain_name == "" || can(regex("^[a-z][a-z0-9-]*$", var.elasticsearch_domain_name))
+    error_message = "The elasticsearch_domain_name must meet following conditions: 1) be empty string or 2) must start with a lowercase alphabet and be at least 3 and no more than 28 characters long. Valid characters are a-z (lowercase letters), 0-9, and - (hyphen)."
+  }
+}
+
 variable "encrypt_at_rest_enabled" {
   type        = bool
   description = "Whether to enable encryption at rest"
 }
 
+variable "node_to_node_encryption_enabled" {
+  type        = bool
+  description = "Whether to enable node-to-node encryption"
+  default     = true
+}
+
+variable "advanced_security_options_enabled" {
+  type        = bool
+  description = "AWS Elasticsearch Kibana enhanced security plugin enabling (forces new resource)"
+  default     = true
+}
+
+variable "advanced_security_options_anonymous_auth_enabled" {
+  type        = bool
+  default     = false
+  description = "Whether Anonymous auth is enabled. Enables fine-grained access control on an existing domain"
+}
+
+variable "advanced_security_options_internal_user_database_enabled" {
+  type        = bool
+  description = "Whether to enable or not internal Kibana user database for ELK OpenDistro security plugin"
+  default     = true
+}
+
+variable "advanced_security_options_master_user_name" {
+  type        = string
+  description = "Master user username (applicable if advanced_security_options_internal_user_database_enabled set to true)"
+  default     = "admin"
+}
+
 variable "dedicated_master_enabled" {
   type        = bool
   description = "Indicates whether dedicated master nodes are enabled for the cluster"
@@ -55,6 +101,7 @@ variable "elasticsearch_subdomain_name" {
 variable "kibana_subdomain_name" {
   type        = string
   description = "The name of the subdomain for Kibana in the DNS zone (_e.g._ `kibana`, `ui`, `ui-es`, `search-ui`, `kibana.elasticsearch`)"
+  default     = null
 }
 
 variable "create_iam_service_linked_role" {
@@ -71,6 +118,12 @@ variable "ebs_volume_size" {
   description = "EBS volumes for data storage in GB"
 }
 
+variable "cold_storage_enabled" {
+  type        = bool
+  description = "Enables cold storage support."
+  default     = false
+}
+
 variable "domain_hostname_enabled" {
   type        = bool
   description = "Explicit flag to enable creating a DNS hostname for ES. If `true`, then `var.dns_zone_id` is required."

test/component_test.go

@@ -9,6 +9,7 @@ import (
 	// "github.com/aws/aws-sdk-go-v2/service/docdb"
 	"github.com/cloudposse/test-helpers/pkg/atmos"
 	helper "github.com/cloudposse/test-helpers/pkg/atmos/component-helper"
+
 	// awshelper "github.com/cloudposse/test-helpers/pkg/aws"
 	"github.com/gruntwork-io/terratest/modules/aws"
 	"github.com/gruntwork-io/terratest/modules/random"
@@ -49,7 +50,7 @@ func (s *ComponentSuite) TestBasic() {
 	assert.True(s.T(), strings.HasPrefix(kibanaEndpoint, "vpc-eg-default-ue2-test-e-"))
 
 	domainHostname := atmos.Output(s.T(), options, "domain_hostname")
-	assert.True(s.T(), strings.HasPrefix(domainHostname, "eg-default-ue2-test-e-"))
+	assert.True(s.T(), strings.HasPrefix(domainHostname, "es.") && strings.HasSuffix(domainHostname, ".components.cptest.test-automation.app"))
 
 	kibanaHostname := atmos.Output(s.T(), options, "kibana_hostname")
 	assert.True(s.T(), strings.HasSuffix(kibanaHostname, "components.cptest.test-automation.app"))
@@ -74,7 +75,6 @@ func (s *ComponentSuite) TestBasic() {
 // 	s.VerifyEnabledFlag(component, stack, nil)
 // }
 
-
 func TestRunSuite(t *testing.T) {
 	suite := new(ComponentSuite)