Started to work on elasticsearch module

Author: Dmitry Berezovsky

modules/elasticsearch/ec2.tf

@@ -0,0 +1,107 @@
+resource "aws_instance" "elasticsearch_instance" {
+  count = "${var.instances_count}"
+  depends_on = ["aws_ebs_volume.elasticsearch_volume"]
+  ami = "${var.ami_id}"
+  instance_type = "${var.instance_type}"
+  subnet_id = "${element(var.vpc_subnets, count.index)}"
+  key_name = "${var.instance_key_name}"
+  iam_instance_profile = "${aws_iam_instance_profile.elasticsearch.name}"
+  vpc_security_group_ids = ["${concat(var.security_groups, list(aws_security_group.elasticsearch.id))}"]
+  associate_public_ip_address = false
+  source_dest_check = false
+  disable_api_termination = "${var.enable_termination_protection}"
+  instance_initiated_shutdown_behavior = "stop"
+
+  tags {
+    Env = "${var.env_name}"
+    Name = "${var.env_name}: ${var.verbose_name} Elasticsearch ${count.index}"
+  }
+  user_data = <<USER_DATA_END
+#cloud-config
+write_files:
+- path: /usr/bin/install-unix-tools
+  encoding: b64
+  content: ${base64encode(file("${path.module}/../resources/install-unix-tools.sh"))}
+  owner: root:root
+  permissions: '0755'
+- path: /etc/dive-in-docker.conf
+  content: elasticsearch
+- path: /etc/ecs/ecs.config
+  content: |
+    ECS_CLUSTER=${var.ecs_cluster_name}
+    ECS_AVAILABLE_LOGGING_DRIVERS=["json-file","syslog","journald","gelf","awslogs"]
+- path: /etc/sysctl.d/01-elasticsearch.conf
+  content: |
+    vm.max_map_count = 262144
+runcmd:
+  - [ cloud-init-per, once, "install-unix-tools", "install-unix-tools", "-t", "1.0", "full"]
+  - [ cloud-init-per, once, "set-hostname", "aws-set-hostname", "${lower(var.verbose_name)}graylog-elasticsearch-{count.index}", "-s"]
+  - [ cloud-init-per, once, "read-custom-syslog", "sysctl", "-p", "/etc/sysctl.d/01-elasticsearch.conf"]
+  - [ cloud-init-per, once, "docker-stop", "service", "docker", "stop"]
+  - [ cloud-init-per, once, "mount-ebs", "mount-ebs", "${var.data_volume_device}", "${var.data_volume_path}", "0777" ]
+  - [ cloud-init-per, once, "docker-start", "service", "docker", "start"]
+  - [ cloud-init-per, once, "start-ecs", "start", "ecs"]
+USER_DATA_END
+}
+
+resource "aws_ebs_volume" "elasticsearch_volume" {
+  count = "${length(var.instances_count)}"
+  availability_zone = "${element(var.availability_zones, count.index)}"
+  size = "${var.storage_size}"
+
+  tags {
+    Env = "${var.env_name}"
+    Name = "${var.env_name}: ${var.verbose_name} Elasticseach Volume ${count.index}"
+  }
+}
+
+resource "aws_volume_attachment" "elasticsearch_volume_attachement" {
+  count = "${length(var.instances_count)}"
+  device_name = "${var.data_volume_device}"
+  force_detach = true
+  volume_id = "${element(aws_ebs_volume.elasticsearch_volume.*.id, count.index)}"
+  instance_id = "${element(aws_instance.elasticsearch_instance.*.id, count.index)}"
+}
+
+
+resource "aws_security_group" "elasticsearch" {
+  name = "${lower(var.env_name)}-${lower(var.verbose_name)}-elasticsearch"
+  vpc_id = "${var.vpc_id}"
+
+  # Elasticsearch native transport protocol
+  ingress {
+    from_port = 9300
+    to_port = 9300
+    protocol = "tcp"
+    cidr_blocks = ["${var.native_trusted_networks}"]
+  }
+
+  # Elasticsearch HTTP service
+  ingress {
+    from_port = 9200
+    to_port = 9200
+    protocol = "tcp"
+    cidr_blocks = ["${var.http_trusted_networks}"]
+  }
+
+  # Elasticsearch native transport protocol
+  egress {
+    from_port = 9300
+    to_port = 9300
+    protocol = "tcp"
+    cidr_blocks = ["${var.native_trusted_networks}"]
+  }
+
+  # Elasticsearch HTTP service
+  egress {
+    from_port = 9200
+    to_port = 9200
+    protocol = "tcp"
+    cidr_blocks = ["${var.http_trusted_networks}"]
+  }
+
+  tags {
+    Env = "${var.env_name}"
+    Name = "${var.env_name}: ${var.verbose_name} Elasticsearch"
+  }
+}

modules/elasticsearch/ecs.tf

@@ -0,0 +1,15 @@
+data "template_file" "elasticsearch_master_config" {
+  template = "${file("${path.module}/resources/elasticsearch.json")}"
+  vars {
+    container_name = "elasticsearch-master"
+    elasticsearch_version = "${var.elasticsearch_version}"
+    memory = "${var.container_memory_limit}"
+    node_name = "${var.verbose_name}-elasticsearch-master"
+    elasticsearch-cluster-name = "${var.elasticsearch_cluster_name}"
+    volume_name = "elasticseach-data"
+    native_transport_port = 9300
+    http_service_port = 9200
+    extra-options = ""
+  }
+}
+

modules/elasticsearch/iam.tf

@@ -0,0 +1,62 @@
+resource "aws_iam_instance_profile" "elasticsearch" {
+  name = "${lower(var.env_name)}-${var.verbose_name}-elasticsearch"
+  role = "${aws_iam_role.elasticsearch_role.name}"
+}
+
+resource "aws_iam_role" "elasticsearch_role" {
+  name = "${lower(var.env_name)}-${var.verbose_name}-elasticsearch"
+  assume_role_policy = "${data.aws_iam_policy_document.ec2_assume_policy}"
+}
+
+resource "aws_iam_role_policy" "docker_policy" {
+  name = "${lower(var.env_name)}-docker-policy"
+  role = "${aws_iam_role.elasticsearch_role.id}"
+  policy = "${data.aws_iam_policy_document.docker_policy.json}"
+}
+
+data "aws_iam_policy_document" "ec2_assume_policy" {
+  statement {
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+  statement {
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "Service"
+      identifiers = ["ecs.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "docker_policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecs:CreateCluster",
+      "ecs:DeregisterContainerInstance",
+      "ecs:DiscoverPollEndpoint",
+      "ecs:Poll",
+      "ecs:RegisterContainerInstance",
+      "ecs:StartTelemetrySession",
+      "ecs:Submit*",
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+
+      "ec2:AuthorizeSecurityGroupIngress",
+      "ec2:Describe*",
+      "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+      "elasticloadbalancing:Describe*",
+      "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
+    ]
+    resources = ["*"]
+  }
+}

modules/elasticsearch/output.tf

@@ -0,0 +1,19 @@
+output "private_ips" {
+  value = ["${aws_instance.elasticsearch_instance.*.private_ip}"]
+}
+
+output "instance_ids" {
+  value = ["${aws_instance.elasticsearch_instance.*.id}"]
+}
+
+output "elasticsearch_sg_id" {
+  value = "${aws_security_group.elasticsearch.id}"
+}
+
+output "instance_profile_id" {
+  value = "${aws_iam_instance_profile.elasticsearch.id}"
+}
+
+output "iam_role_id" {
+  value = "${aws_iam_role.elasticsearch_role.id}"
+}

modules/elasticsearch/resources/elasticsearch.json

@@ -0,0 +1,41 @@
+[
+  {
+    "name": "${container-name}",
+    "image": "elasticsearch:${elasticsearch-version}",
+    "memory": ${memory},
+    "essential": true,
+    "portMappings": [
+      {
+      "hostPort": ${native_transport_port},
+      "containerPort": 9300,
+      "protocol": "tcp"
+      },
+      {
+      "hostPort": ${http_service_port},
+      "containerPort": 9200,
+      "protocol": "tcp"
+      }
+    ],
+    "environment": [
+
+    ],
+    "mountPoints": [
+      {
+        "sourceVolume": "${volume_name}",
+        "containerPath": "/usr/share/elasticsearch/data",
+        "readOnly": false
+      }
+    ],
+    "volumesFrom": null,
+    "extraHosts": null,
+    "ulimits": [
+      {
+        "name": "nofile",
+        "hardLimit": 65536,
+        "softLimit": 65536
+      }
+    ],
+    "dockerLabels": null,
+    "command": ["bash", "-c",  "chmod -R o+rw /usr/share/elasticsearch/data && gosu elasticsearch elasticsearch -Enetwork.publish_host=`curl -s http://169.254.169.254/latest/meta-data/local-ipv4` -Etransport.tcp.port=${native_transport_port} -Enode.name=${node_name} -Ecluster.name=${elasticsearch_cluster_name} ${extra_options}"]
+  }
+]

modules/elasticsearch/variables.tf

@@ -0,0 +1,96 @@
+variable "env_name" {
+  type = "string"
+}
+
+variable "vpc_id" {
+  type = "string"
+}
+
+variable "vpc_subnets" {
+  type = "list"
+}
+
+variable "availability_zones" {
+  type = "list"
+}
+
+variable "verbose_name" {
+  type = "string"
+  default = ""
+  description = "Will be used in resources names. E.g. Graylog"
+}
+
+variable "enable_termination_protection" {
+  type = "string"
+  default = true
+}
+
+variable "security_groups" {
+  type = "list"
+  default = []
+  description = "Extra security groups to be assigned"
+}
+
+variable "instance_key_name" {
+  type = "string"
+  description = "EC2 instance key name"
+}
+
+variable "ami_id" {
+  type = "string"
+}
+
+variable "instance_type" {
+  type = "string"
+  default = "t2.small"
+}
+
+variable "elasticsearch_cluster_name" {
+  type = "string"
+}
+
+variable "ecs_cluster_name" {
+  type = "string"
+}
+
+variable "instances_count" {
+  type = "string"
+  default = 1
+}
+
+variable "data_volume_device" {
+  type = "string"
+  default = "/dev/sdh"
+}
+
+variable "data_volume_device" {
+  type = "string"
+  default = "/dev/sdh"
+}
+
+variable "data_volume_path" {
+  type = "string"
+  default = "/srv/elasticseach-data"
+}
+
+variable container_memory_limit {
+  default = "2048"
+  description = "RAM limit for container"
+}
+
+variable "storage_size" {
+  type = "string"
+}
+
+variable "http_trusted_networks" {
+  type = "list"
+}
+
+variable "native_trusted_networks" {
+  type = "list"
+}
+
+variable "elasticsearch_version" {
+  type = "string"
+  default = "5.2.2"
+}