@RoseSecurity RoseSecurity commented Nov 13, 2025

what

  • This introduces new configuration options and refactors how key variables are set and passed to the Elasticsearch module. The main focus is on improving flexibility for domain and subdomain naming, advanced security options, and storage configuration, while making these options configurable via input variables.

  • Added new input variables elasticsearch_domain_name, elasticsearch_subdomain_name, and kibana_subdomain_name to allow custom naming, with validation on elasticsearch_domain_name for length and allowed characters. These are now passed to the Elasticsearch module using local values for better flexibility. (src/variables.tf, src/main.tf)
  • Exposed advanced security configuration as input variables: advanced_security_options_enabled, advanced_security_options_anonymous_auth_enabled, advanced_security_options_internal_user_database_enabled, and advanced_security_options_master_user_name. These replace hardcoded values, allowing users to control security features through variables. (src/variables.tf, src/main.tf)
  • Made node_to_node_encryption_enabled configurable instead of always enabled, and added a new cold_storage_enabled option to allow enabling cold storage support. (src/variables.tf, src/main.tf)

why

  • General improvements to the component for a better user experience

references

Summary by CodeRabbit

  • New Features

    • More flexible Elasticsearch configuration: controllable node-to-node encryption, advanced security toggles (including anonymous auth and internal user DB), and configurable master username.
    • Configurable domain and subdomain naming with validation.
    • Optional cold storage support as a configurable deployment option.
  • Tests

    • Hostname validation updated to expect new domain/subdomain pattern.

- Added variables for advanced security options, including anonymous
  auth, internal user database, and master user name, allowing more
  flexible Elasticsearch/Kibana security configuration.
- Introduced variables for Elasticsearch domain name and subdomain
  names, with validation for domain name format.
- Added support for enabling cold storage and node-to-node encryption
  via new variables.
- Updated module usage to reference new and updated variables.

coderabbitai bot commented Nov 13, 2025

Walkthrough

Introduces new variables and local subdomain names, updates the elasticsearch module wiring to use those locals and variables (including cold storage and multiple advanced security and encryption flags), and adjusts a test expectation for the domain hostname.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Variable declarations: src/variables.tf | Added variables: elasticsearch_domain_name (with two validation blocks), node_to_node_encryption_enabled, advanced_security_options_enabled, advanced_security_options_anonymous_auth_enabled, advanced_security_options_internal_user_database_enabled, advanced_security_options_master_user_name, cold_storage_enabled. Updated kibana_subdomain_name to default = null. |
| Module wiring & locals: src/main.tf | Added locals kibana_subdomain_name and elasticsearch_subdomain_name (using coalesce). Updated module "elasticsearch" inputs to wire elasticsearch_domain_name, elasticsearch_subdomain_name, kibana_subdomain_name and cold_storage_enabled, and replaced hardcoded security/encryption defaults with the new variables. |
| Tests: test/component_test.go | Adjusted domain hostname assertion to expect hostnames starting with es. and ending with .components.cptest.test-automation.app; minor import/formatting changes. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Caller (module consumer)
  participant Loc as locals (src/main.tf)
  participant ES as module.elasticsearch

  Dev->>Loc: provide inputs (vars & defaults)
  Note right of Loc: compute\nkibana_subdomain_name\nelasticsearch_subdomain_name\n(using coalesce)
  Loc->>ES: pass wired inputs\n- elasticsearch_domain_name\n- elasticsearch_subdomain_name\n- kibana_subdomain_name\n- cold_storage_enabled\n- node_to_node_encryption_enabled\n- advanced_security_* flags
  ES->>ES: configure domain with provided flags
  ES-->>Dev: provisioned Elasticsearch domain metadata

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify elasticsearch_domain_name validation logic and error messages.
  • Confirm coalesce usage for subdomain locals and that fallbacks are correct.
  • Review mapping of new security/encryption variables into the module and any default implications.

Possibly related PRs

Suggested labels

needs-test

Suggested reviewers

  • gberenice
  • oycyc

Poem

🐰 A hop, a tweak, the vars unfurl,
Subdomains set — give config a whirl,
Encryption on, security tuned right,
Cold storage waits for the coming night,
I nibble lines of Terraform delight. ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: adding advanced security options and domain/subdomain configuration capabilities to the Elasticsearch component. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

@RoseSecurity
Contributor Author

/terratest

@mergify mergify bot requested review from a team November 13, 2025 19:10
@mergify mergify bot added the triage Needs triage label Nov 13, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/variables.tf (1)

96-99: elasticsearch_subdomain_name should have default = null for consistency with kibana_subdomain_name.

Currently, elasticsearch_subdomain_name (line 96) is a required variable with no default. However, main.tf (line 13) uses coalesce(var.elasticsearch_subdomain_name, module.this.environment) to provide a fallback to the environment name. This fallback logic never executes because the variable is required.

For consistency with kibana_subdomain_name (which now has default = null at line 104), add default = null to make elasticsearch_subdomain_name optional:

 variable "elasticsearch_subdomain_name" {
   type        = string
   description = "The name of the subdomain for Elasticsearch in the DNS zone (_e.g._ `elasticsearch`, `ui`, `ui-es`, `search-ui`)"
+  default     = null
 }
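
Review bot: the `description` on `elasticsearch_subdomain_name` does not say what happens when the variable is left unset, which becomes the normal case once `default = null` is added. The comment above states that main.tf resolves it with coalesce(var.elasticsearch_subdomain_name, module.this.environment), so the description should document that a null value falls back to the environment name, otherwise consumers have no way to predict the resulting hostname from the variable documentation alone.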
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 36953a6 and 5b7aeec.

📒 Files selected for processing (2)
  • src/main.tf (2 hunks)
  • src/variables.tf (3 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
src/{main,variables,outputs,providers,versions,context}.tf

📄 CodeRabbit inference engine (AGENTS.md)

Keep the Terraform component source of truth in src/: main.tf, variables.tf, outputs.tf, providers.tf, versions.tf, context.tf

Files:

  • src/main.tf
  • src/variables.tf
**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

**/*.tf: Use 2-space indentation for Terraform files
Prefer lower_snake_case for Terraform variables and locals; keep resource/data names descriptive and aligned with Cloud Posse null-label patterns
Ensure Terraform files are formatted (terraform fmt -recursive) and contain no formatting violations
Comply with TFLint rules configured in .tflint.hcl; do not commit lint violations

Files:

  • src/main.tf
  • src/variables.tf
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Summary
🔇 Additional comments (4)
src/main.tf (2)

12-13: New subdomain locals use consistent coalesce pattern.

The coalesce approach allows optional override via var.kibana_subdomain_name and var.elasticsearch_subdomain_name while falling back to module.this.environment. This aligns with the pattern for optional subdomain naming.


38-42: Module inputs properly wired to new variables and security options now configurable.

The addition of elasticsearch_domain_name, subdomain overrides, cold_storage_enabled, and variable-driven security options (node_to_node_encryption_enabled, advanced_security_options_*) replaces hardcoded defaults with appropriate flexibility while maintaining sensible defaults via variables.

Also applies to: 49-53

src/variables.tf (2)

49-77: Security and encryption options properly parameterized with sensible defaults.

The new variables (node_to_node_encryption_enabled, advanced_security_options_*) replace hardcoded values with appropriate flexibility:

  • node_to_node_encryption_enabled: default = true maintains security posture from previous hard-coded behavior
  • advanced_security_options_enabled: default = true enables security features by default
  • advanced_security_options_anonymous_auth_enabled: default = false is appropriately restrictive
  • advanced_security_options_internal_user_database_enabled: default = true maintains existing behavior
  • advanced_security_options_master_user_name: default = "admin" provides reasonable default

All defaults maintain backward compatibility while enabling flexibility.


121-125: cold_storage_enabled variable added with appropriate default.

The new cold_storage_enabled variable with default = false allows opt-in to cold storage support without affecting existing deployments.

Update the assertion for domainHostname in the TestBasic suite to check
for the "es." prefix and ".components.cptest.test-automation.app" suffix,
ensuring the output matches the expected hostname format.
@RoseSecurity
Contributor Author

/terratest

@mergify mergify bot added the needs-test Needs testing label Nov 13, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
test/component_test.go (1)

53-53: Consider verifying the subdomain portion of the hostname.

The assertion now checks that domainHostname starts with "es." and ends with ".components.cptest.test-automation.app", which correctly validates the subdomain-based DNS pattern introduced in this PR. However, the middle portion (the actual subdomain) is not verified.

This means the test would pass for edge cases like:

  • es..components.cptest.test-automation.app (empty subdomain)
  • es.wrong-subdomain.components.cptest.test-automation.app (incorrect subdomain)

Consider capturing the subdomain value from the test setup and verifying it appears in the hostname, or at least assert that there is a non-empty subdomain between "es." and ".components.cptest.test-automation.app".

Example approach:

 domainHostname := atmos.Output(s.T(), options, "domain_hostname")
-assert.True(s.T(), strings.HasPrefix(domainHostname, "es.") && strings.HasSuffix(domainHostname, ".components.cptest.test-automation.app"))
+assert.True(s.T(), strings.HasPrefix(domainHostname, "es."))
+assert.True(s.T(), strings.HasSuffix(domainHostname, ".components.cptest.test-automation.app"))
+// Verify subdomain exists between prefix and suffix
+parts := strings.SplitN(strings.TrimPrefix(domainHostname, "es."), ".components.cptest.test-automation.app", 2)
+assert.NotEmpty(s.T(), parts[0], "subdomain portion should not be empty")
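
Review bot: the `assert.NotEmpty` on `parts[0]` in the last added line only rules out the empty-subdomain case; the second case listed above, es.wrong-subdomain.components.cptest.test-automation.app, still passes. Compare `parts[0]` with the subdomain the test fixture configures using `assert.Equal` instead. Separately, `strings.SplitN` splits at the first occurrence of the suffix string rather than at the end of the hostname, so `strings.TrimSuffix` is the more direct way to isolate the middle portion once the suffix check has passed.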
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5b7aeec and 2c17dc5.

📒 Files selected for processing (1)
  • test/component_test.go (2 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
test/**/*_test.go

📄 CodeRabbit inference engine (AGENTS.md)

Place Go Terratest files under test/ and name them *_test.go

Files:

  • test/component_test.go
test/**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

Use Go Terratest with github.com/cloudposse/test-helpers and Atmos fixtures for integration tests

Files:

  • test/component_test.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Summary
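
The hostname check discussed in the review above, written as a stand-alone Go helper that validates the subdomain as well as the prefix and suffix. This is an added example, not code from the PR or the component's test suite; `checkDomainHostname` is a hypothetical helper and the environment name `ue2` is an assumed value.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// One RFC 1123 DNS label: 1-63 lowercase alphanumerics or hyphens,
// with no hyphen at either end.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// checkDomainHostname (hypothetical helper) verifies that host is exactly
// "<prefix>.<wantSub>.<zone>" and reports which part is wrong otherwise.
func checkDomainHostname(host, prefix, wantSub, zone string) error {
	if !strings.HasPrefix(host, prefix+".") {
		return fmt.Errorf("%q: missing %q prefix", host, prefix+".")
	}
	rest := strings.TrimPrefix(host, prefix+".")
	if !strings.HasSuffix(rest, "."+zone) {
		return fmt.Errorf("%q: missing %q suffix", host, "."+zone)
	}
	// TrimSuffix anchors at the end of the string, unlike a split on the suffix.
	sub := strings.TrimSuffix(rest, "."+zone)
	if !dnsLabel.MatchString(sub) {
		return fmt.Errorf("%q: subdomain %q is not a single DNS label", host, sub)
	}
	if sub != wantSub {
		return fmt.Errorf("%q: subdomain is %q, want %q", host, sub, wantSub)
	}
	return nil
}

func main() {
	const zone = "components.cptest.test-automation.app" // suffix from the test
	// Constructed hostnames; "ue2" is an assumed environment name.
	for _, h := range []string{
		"es.ue2." + zone,             // expected shape
		"es.." + zone,                // empty subdomain
		"es.wrong-subdomain." + zone, // well-formed but unexpected subdomain
		"es." + zone,                 // subdomain missing entirely
		"es.a.b." + zone,             // more than one label in the middle
	} {
		fmt.Printf("%-62s %v\n", h, checkDomainHostname(h, "es", "ue2", zone))
	}
}
```

In a Terratest suite the returned error can be passed to testify's `assert.NoError`, with the expected subdomain taken from the fixture rather than hard-coded.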
