feat: Add support for OpenSearch serverless as separate sub-module

Author: bryantbiggs

.pre-commit-config.yaml

@@ -3,6 +3,7 @@ repos:
     rev: v1.83.6
     hooks:
       - id: terraform_fmt
+      - id: terraform_wrapper_module_for_each
       - id: terraform_validate
       - id: terraform_docs
         args:

README.md

@@ -2,6 +2,8 @@
 
 Terraform module which creates AWS OpenSearch resources.
 
+[![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)
+
 ## Usage
 
 See [`examples`](https://github.com/terraform-aws-modules/terraform-aws-opensearch/tree/master/examples) directory for working examples to reference:
@@ -29,13 +31,13 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.29 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.24 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.29 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.24 |
 
 ## Modules
 

examples/complete/README.md

@@ -22,13 +22,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.29 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.24 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.29 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.24 |
 
 ## Modules
 

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.29"
+      version = ">= 5.24"
     }
   }
 }

modules/README.md

@@ -0,0 +1 @@
+# AWS OpenSearch Terraform sub-module(s)

modules/serverless/README.md

@@ -0,0 +1,82 @@
+# AWS OpenSearch Serverless Terraform module
+
+Terraform module which creates AWS OpenSearch Serverless resources.
+
+## Usage
+
+See [`examples`](https://github.com/terraform-aws-modules/terraform-aws-opensearch/tree/master/examples) directory for working examples to reference:
+
+```hcl
+module "opensearch_serverless" {
+  source = "terraform-aws-modules/opensearch/aws//modules/serverless"
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.24 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.24 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_opensearchserverless_collection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_collection) | resource |
+| [aws_opensearchserverless_security_policy.encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_policy) | resource |
+| [aws_opensearchserverless_security_policy.network](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
+| <a name="input_create_encryption_policy"></a> [create\_encryption\_policy](#input\_create\_encryption\_policy) | Determines whether an encryption policy will be created | `bool` | `true` | no |
+| <a name="input_create_network_policy"></a> [create\_network\_policy](#input\_create\_network\_policy) | Determines whether an network policy will be created | `bool` | `true` | no |
+| <a name="input_description"></a> [description](#input\_description) | Description of the collection | `string` | `null` | no |
+| <a name="input_encryption_security_policy"></a> [encryption\_security\_policy](#input\_encryption\_security\_policy) | Encryption security policy to apply to the collection - this is merged with the default policy provided | `any` | `{}` | no |
+| <a name="input_encryption_security_policy_description"></a> [encryption\_security\_policy\_description](#input\_encryption\_security\_policy\_description) | Description of the encryption security policy | `string` | `null` | no |
+| <a name="input_encryption_security_policy_name"></a> [encryption\_security\_policy\_name](#input\_encryption\_security\_policy\_name) | Name of the encryption security policy | `string` | `null` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name of the collection | `string` | `""` | no |
+| <a name="input_network_security_policy"></a> [network\_security\_policy](#input\_network\_security\_policy) | Network security policy to apply to the collection - this is merged with the default policy provided | `any` | `{}` | no |
+| <a name="input_network_security_policy_description"></a> [network\_security\_policy\_description](#input\_network\_security\_policy\_description) | Description of the network security policy | `string` | `null` | no |
+| <a name="input_network_security_policy_name"></a> [network\_security\_policy\_name](#input\_network\_security\_policy\_name) | Name of the network security policy | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | Create and delete timeout configurations for the collection | `map(string)` | `{}` | no |
+| <a name="input_type"></a> [type](#input\_type) | Type of collection. One of `SEARCH`, `TIMESERIES`, or `VECTORSEARCH`. Defaults to `TIMESERIES` | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | Amazon Resource Name (ARN) of the collection |
+| <a name="output_dashboard_endpoint"></a> [dashboard\_endpoint](#output\_dashboard\_endpoint) | Collection-specific endpoint used to access OpenSearch Dashboards |
+| <a name="output_encryption_security_policy"></a> [encryption\_security\_policy](#output\_encryption\_security\_policy) | The JSON policy document of the security policy |
+| <a name="output_encryption_security_policy_version"></a> [encryption\_security\_policy\_version](#output\_encryption\_security\_policy\_version) | The version of the security policy |
+| <a name="output_endpoint"></a> [endpoint](#output\_endpoint) | Collection-specific endpoint used to submit index, search, and data upload requests to an OpenSearch Serverless collection |
+| <a name="output_id"></a> [id](#output\_id) | Unique identifier for the collection |
+| <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the Amazon Web Services KMS key used to encrypt the collection |
+| <a name="output_network_security_policy"></a> [network\_security\_policy](#output\_network\_security\_policy) | The JSON policy document of the security policy |
+| <a name="output_network_security_policy_version"></a> [network\_security\_policy\_version](#output\_network\_security\_policy\_version) | The version of the security policy |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## License
+
+Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-opensearch/blob/master/LICENSE).

modules/serverless/main.tf

@@ -0,0 +1,70 @@
+################################################################################
+# Collection
+################################################################################
+
+resource "aws_opensearchserverless_collection" "this" {
+  count = var.create ? 1 : 0
+
+  description = var.description
+  name        = var.name
+  type        = var.type
+
+  tags = var.tags
+
+  timeouts {
+    create = try(var.timeouts.delete, null)
+    delete = try(var.timeouts.delete, null)
+  }
+
+  depends_on = [
+    aws_opensearchserverless_security_policy.encryption
+  ]
+}
+
+################################################################################
+# Security Policy - Encryption
+################################################################################
+
+resource "aws_opensearchserverless_security_policy" "encryption" {
+  count = var.create && var.create_encryption_policy ? 1 : 0
+
+  description = coalesce(var.encryption_security_policy_description, "Encryption policy for ${var.name} collection")
+  name        = coalesce(var.encryption_security_policy_name, "${var.name}-encryption")
+  policy = jsonencode(merge(
+    {
+      Rules = [
+        {
+          Resource     = ["collection/${var.name}"]
+          ResourceType = "collection"
+        }
+      ]
+      AWSOwnedKey = true
+    },
+    var.encryption_security_policy
+  ))
+  type = "encryption"
+}
+
+################################################################################
+# Security Policy - Network
+################################################################################
+
+resource "aws_opensearchserverless_security_policy" "network" {
+  count = var.create && var.create_network_policy ? 1 : 0
+
+  description = coalesce(var.network_security_policy_description, "Newtwork policy for ${var.name} collection")
+  name        = coalesce(var.network_security_policy_name, "${var.name}-network")
+  policy = jsonencode(merge(
+    {
+      Rules = [
+        {
+          Resource     = ["collection/${var.name}"]
+          ResourceType = "collection"
+        }
+      ]
+      AllowFromPublic = true
+    },
+    var.network_security_policy
+  ))
+  type = "network"
+}

modules/serverless/outputs.tf

@@ -0,0 +1,56 @@
+################################################################################
+# Collection
+################################################################################
+
+output "arn" {
+  description = "Amazon Resource Name (ARN) of the collection"
+  value       = try(aws_opensearchserverless_collection.this[0].arn, null)
+}
+
+output "endpoint" {
+  description = "Collection-specific endpoint used to submit index, search, and data upload requests to an OpenSearch Serverless collection"
+  value       = try(aws_opensearchserverless_collection.this[0].collection_endpoint, null)
+}
+
+output "dashboard_endpoint" {
+  description = "Collection-specific endpoint used to access OpenSearch Dashboards"
+  value       = try(aws_opensearchserverless_collection.this[0].dashboard_endpoint, null)
+}
+
+output "kms_key_arn" {
+  description = "The ARN of the Amazon Web Services KMS key used to encrypt the collection"
+  value       = try(aws_opensearchserverless_collection.this[0].kms_key_arn, null)
+}
+
+output "id" {
+  description = "Unique identifier for the collection"
+  value       = try(aws_opensearchserverless_collection.this[0].id, null)
+}
+
+################################################################################
+# Security Policy - Encryption
+################################################################################
+
+output "encryption_security_policy_version" {
+  description = "The version of the security policy"
+  value       = try(aws_opensearchserverless_security_policy.encryption[0].policy_version, null)
+}
+
+output "encryption_security_policy" {
+  description = "The JSON policy document of the security policy"
+  value       = try(aws_opensearchserverless_security_policy.encryption[0].policy, null)
+}
+
+################################################################################
+# Security Policy - Network
+################################################################################
+
+output "network_security_policy_version" {
+  description = "The version of the security policy"
+  value       = try(aws_opensearchserverless_security_policy.network[0].policy_version, null)
+}
+
+output "network_security_policy" {
+  description = "The JSON policy document of the security policy"
+  value       = try(aws_opensearchserverless_security_policy.network[0].policy, null)
+}

modules/serverless/variables.tf

@@ -0,0 +1,95 @@
+variable "create" {
+  description = "Determines whether resources will be created (affects all resources)"
+  type        = bool
+  default     = true
+}
+
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+################################################################################
+# Collection
+################################################################################
+
+variable "description" {
+  description = "Description of the collection"
+  type        = string
+  default     = null
+}
+
+variable "name" {
+  description = "Name of the collection"
+  type        = string
+  default     = ""
+}
+
+variable "type" {
+  description = "Type of collection. One of `SEARCH`, `TIMESERIES`, or `VECTORSEARCH`. Defaults to `TIMESERIES`"
+  type        = string
+  default     = null
+}
+
+variable "timeouts" {
+  description = "Create and delete timeout configurations for the collection"
+  type        = map(string)
+  default     = {}
+}
+
+################################################################################
+# Security Policy - Encryption
+################################################################################
+
+variable "create_encryption_policy" {
+  description = "Determines whether an encryption policy will be created"
+  type        = bool
+  default     = true
+}
+
+variable "encryption_security_policy_description" {
+  description = "Description of the encryption security policy"
+  type        = string
+  default     = null
+}
+
+variable "encryption_security_policy_name" {
+  description = "Name of the encryption security policy"
+  type        = string
+  default     = null
+}
+
+variable "encryption_security_policy" {
+  description = "Encryption security policy to apply to the collection - this is merged with the default policy provided"
+  type        = any
+  default     = {}
+}
+
+################################################################################
+# Security Policy - Network
+################################################################################
+
+variable "create_network_policy" {
+  description = "Determines whether an network policy will be created"
+  type        = bool
+  default     = true
+}
+
+variable "network_security_policy_description" {
+  description = "Description of the network security policy"
+  type        = string
+  default     = null
+}
+
+variable "network_security_policy_name" {
+  description = "Name of the network security policy"
+  type        = string
+  default     = null
+}
+
+variable "network_security_policy" {
+  description = "Network security policy to apply to the collection - this is merged with the default policy provided"
+  type        = any
+  default     = {}
+}

modules/serverless/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.24"
+    }
+  }
+}