ICD Elasticsearch Module

Overview

• terraform-ibm-icd-elasticsearch
• Submodules
  • fscloud
• Examples
  • Basic example with index creation and updates to cluster-wide settings
  • Complete example with autoscaling, BYOK encryption and service credentials creation
  • Financial Services Cloud profile example with autoscaling enabled
• Contributing

This module implements an instance of the IBM Cloud Databases for Elasticsearch service.

Usage

provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXXXXXX"
  region           = "us-south"
}

module "icd_elasticsearch" {
  source            = "terraform-ibm-modules/icd-elasticsearch/ibm"
  version           = "X.X.X"  # Replace "X.X.X" with a release version to lock into a specific release
  resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region            = "us-south"
}

Required IAM access policies

You need the following permissions to run this module.

• Account Management
  • Databases for Elasticsearch service
    • Editor role access

Requirements

Name	Version
terraform	>= 1.3.0
ibm	>= 1.70.0, <2.0.0
null	>= 3.2.1, < 4.0.0
time	>= 0.9.1

Modules

Name	Source	Version
backup_key_crn_parser	terraform-ibm-modules/common-utilities/ibm//modules/crn-parser	1.1.0
cbr_rule	terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module	1.29.0
kms_key_crn_parser	terraform-ibm-modules/common-utilities/ibm//modules/crn-parser	1.1.0

Resources

Name	Type
ibm_database.elasticsearch	resource
ibm_iam_authorization_policy.backup_kms_policy	resource
ibm_iam_authorization_policy.policy	resource
ibm_resource_key.service_credentials	resource
ibm_resource_tag.elasticsearch_tag	resource
null_resource.put_vectordb_model	resource
null_resource.start_vectordb_model	resource
time_sleep.wait_for_authorization_policy	resource
time_sleep.wait_for_backup_kms_authorization_policy	resource
ibm_database_connection.database_connection	data source

Inputs

Name	Description	Type	Default	Required
access_tags	A list of access tags to apply to the Databases for Elasticsearch instance created by the module. Learn more.	list(string)	[]	no
admin_pass	The password for the database administrator. If the admin password is null, the admin user ID cannot be accessed. You can specify more users in a user block.	string	null	no
auto_scaling	The rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. Learn more.	object({ disk = object({ capacity_enabled = optional(bool, false) free_space_less_than_percent = optional(number, 10) io_above_percent = optional(number, 90) io_enabled = optional(bool, false) io_over_period = optional(string, "15m") rate_increase_percent = optional(number, 10) rate_limit_mb_per_member = optional(number, 3670016) rate_period_seconds = optional(number, 900) rate_units = optional(string, "mb") }) memory = object({ io_above_percent = optional(number, 90) io_enabled = optional(bool, false) io_over_period = optional(string, "15m") rate_increase_percent = optional(number, 10) rate_limit_mb_per_member = optional(number, 114688) rate_period_seconds = optional(number, 900) rate_units = optional(string, "mb") }) })	null	no
backup_crn	The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after both provisioning is complete and the new deployment that uses that data starts. Specify a backup CRN is in the format crn:v1:<...>:backup:. If not specified, the database is provisioned empty.	string	null	no
backup_encryption_key_crn	The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if use_ibm_owned_encryption_key is false and use_same_kms_key_for_backups is false. If no value is passed, and use_same_kms_key_for_backups is true, the value of kms_key_crn is used. Alternatively set use_default_backup_encryption_key to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See Bring your own key for backups and Using the HPCS Key for Backup encryption.	string	null	no
cbr_rules	The list of context-based restriction rules to create.	list(object({ description = string account_id = string rule_contexts = list(object({ attributes = optional(list(object({ name = string value = string }))) })) enforcement_mode = string }))	[]	no
elasticsearch_version	The version of Databases for Elasticsearch to deploy. Possible values: 8.7, 8.10, 8.12, 8.15 which requires an Enterprise Platinum pricing plan. If no value is specified, the current preferred version for IBM Cloud Databases is used.	string	null	no
elser_model_type	Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: .elser_model_1, .elser_model_2 and .elser_model_2_linux-x86_64. Learn more	string	".elser_model_2_linux-x86_64"	no
enable_elser_model	Set it to true to install and start the Elastic's Natural Language Processing model. Learn more	bool	false	no
kms_key_crn	The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if use_ibm_owned_encryption_key is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the use_same_kms_key_for_backups and backup_encryption_key_crn inputs. Bare in mind that backups encryption is only available in certain regions. See Bring your own key for backups and Using the HPCS Key for Backup encryption.	string	null	no
member_cpu_count	The dedicated CPU per member that is allocated. For shared CPU, set to 0. Learn more.	number	0	no
member_disk_mb	The disk that is allocated per member. Learn more.	number	5120	no
member_host_flavor	The host flavor per member. Learn more.	string	null	no
member_memory_mb	The memory per member that is allocated. Learn more	number	4096	no
members	The number of members that are allocated. Learn more.	number	3	no
name	The name of the Databases for Elasticsearch instance.	string	n/a	yes
plan	The pricing plan for the Databases for Elasticsearch instance. Must be enterprise or platinum if the elasticsearch_version variable is set to 8.10 or later.	string	"enterprise"	no
region	The region where you want to deploy your instance.	string	"us-south"	no
resource_group_id	The resource group ID where the Databases for Elasticsearch instance is created.	string	n/a	yes
service_credential_names	The map of name and role for service credentials that you want to create for the database.	map(string)	{}	no
service_endpoints	The type of endpoint of the database instance. Possible values: public, private, public-and-private.	string	"public"	no
skip_iam_authorization_policy	Set to true to skip the creation of IAM authorization policies that permits all Databases for Elasticsearch instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the kms_key_crn and backup_encryption_key_crn inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if use_ibm_owned_encryption_key is true.	bool	false	no
tags	The list of tags to be added to the Databases for Elasticsearch instance.	list(string)	[]	no
use_default_backup_encryption_key	When use_ibm_owned_encryption_key is set to false, backups will be encrypted with either the key specified in kms_key_crn, or in backup_encryption_key_crn if a value is passed. If you do not want to use your own key for backups encryption, you can set this to true to use the IBM Cloud Databases default encryption for backups. Alternatively set use_ibm_owned_encryption_key to true to use the default encryption for both backups and deployment data.	bool	false	no
use_ibm_owned_encryption_key	IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for the kms_key_crn input.	bool	true	no
use_same_kms_key_for_backups	Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the backup_encryption_key_crn input. Alternatiely set use_default_backup_encryption_key to true to use the IBM Cloud Databases default encryption. Applies only if use_ibm_owned_encryption_key is false. Bare in mind that backups encryption is only available in certain regions. See Bring your own key for backups and Using the HPCS Key for Backup encryption.	bool	true	no
users	The list of users that have access to the database. Multiple blocks are allowed. The user password must be 10-32 characters. In most cases, you can use IAM service credentials (by specifying service_credential_names) to control access to the database instance. This block creates native database users. Learn more.	list(object({ name = string password = string # pragma: allowlist secret type = optional(string) role = optional(string) }))	[]	no

Outputs

Name	Description
adminuser	Database admin user name
cbr_rule_ids	CBR rule ids created to restrict Elasticsearch
certificate_base64	Database connection certificate
crn	Elasticsearch instance crn
guid	Elasticsearch instance guid
hostname	Database connection hostname
id	Elasticsearch id
port	Database connection port
service_credentials_json	Service credentials json map
service_credentials_object	Service credentials object
version	Elasticsearch version

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.