what

Adds a new parameter to be able to pass a json string with a custom access policy to set for the elasticsearch.

why

In my opinion, the access policies are too "opinionated" on this module, especially when it is on "vpc mode". I think it should be more flexible and allow to customize it however we want and not having it based on the iam_role_arn variable.

references

N/A

P.S.: This is already the 3rd time I'm trying to have this new parameter accepted. Please take a look at it this time 🙇 thank you.
Previous tries:

• https://github.com/cloudposse/terraform-aws-elasticsearch/pull/180
• https://github.com/cloudposse/terraform-aws-elasticsearch/pull/155

what

• To allow usage of AWS IRSA the assume role policy of the created IAM role needs to be adapted, therefore an additional (and optional) statement for the sts:AssumeRoleWithWebIdentity action was added
• To decouple sts:AssumeRole for the Service and the AWS principal types all statements have been split into separate blocks

why

• To allow usage of AWS IAM roles inside of EKS AWS
• more secure than handling AWS access keys and secrets

references

• IRSA
• 1
• 2

Release Notes

Release Notes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Note that this bumps the minimum hashicorp/aws provider version to
5.15.0, where this parameter was introduced [1].

The README diff was generated with make init and make readme, and
introduces some minor unrelated changes.

Closes: https://github.com/cloudposse/terraform-aws-elasticsearch/issues/195

what

This PR simply exposes a new variable (multi_az_with_standby_enabled) for OpenSearch clusters.

why

This is the recommended setting by AWS, so it makes sense to be able to do this via terraform.

references

Closes: #​195

Release Notes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

what

Typo fix

why

references

what

• Adds capability to attach existing security groups to Opensearch domain by setting var.create_security_group to false
• Almost all the necessary settings already exist to support this functionality, as it aligns with how the module currently handles security group configuration for the OpenSearch domain
• This feature already exists for Elasticsearch domain

why

• This modification enables users to either create a new security group or specify existing ones via the var.security_groups variable. This is especially useful for integrating with externally managed security groups.
• We expect to use existing security groups to attach to the OpenSearch domain in cases where we don’t want to use the security group created by the module.
• The var.security_groups variable already exists and accepts a list of security group IDs that can be directly applied to the OpenSearch domain.

references

https://github.com/cloudposse/terraform-aws-elasticsearch/pull/134

Updates golang.org/x/net from 0.21.0 to 0.38.0

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

what

• Added support for the anonymous_auth_enabled parameter in the advanced security options of AWS OpenSearch domain resource
• This parameter is optional and defaults to false, maintaining backward compatibility
• Only modified the OpenSearch domain resource, leaving the Elasticsearch domain resource unchanged

why

• Enables anonymous authentication during the fine-grained access control migration period
• Allows for a smoother transition when enabling fine-grained access control on an existing domain
• Provides users with more flexibility when implementing security controls on their OpenSearch domains
• Addresses a missing parameter that exists in the AWS provider but wasn't exposed in this module

references

• AWS Documentation on Fine-Grained Access Control
• AWS Provider Documentation for anonymous_auth_enabled
• Related to migration strategies for implementing fine-grained access control on existing domains

Updates golang.org/x/crypto from 0.0.0-20200622213623-75b288015ac9 to 0.35.0

Updates golang.org/x/net from 0.0.0-20200707034311-ab3426394381 to 0.21.0

Updates golang.org/x/sys from 0.0.0-20200622214017-ed371f2e16b4 to 0.30.0

Updates gopkg.in/yaml.v3 from 3.0.0-20200313102051-9f266ea9e77c to 3.0.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

what

• Fix kibana_endpoint in aws_opensearch_domain for hashicorp/aws provider v6.x

why

Fix for:

│ Error: Unsupported attribute
│ 
│ on .terraform/modules/opensearch.opensearch/main.tf line 11, in locals:
│ 11: aws_service_domain_kibana_endpoint = coalesce(join("", aws_elasticsearch_domain.default[*].kibana_endpoint), join("", aws_opensearch_domain.default[*].kibana_endpoint))
│ 
│ This object does not have an attribute named "kibana_endpoint".

after upgrading hashicorp/aws provider to version 6.x.

Reference:

• aws_opensearch_domain

what

• Update go 1.24

why

• Error loading shared library libresolv.so.2 in Go 1.20

References

• https://sweetops.slack.com/archives/G014YEKDH4K/p1746672149263629
• https://github.com/golang/go/issues/59305#issuecomment-1488478737
• https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/pull/294/#issuecomment-2859195553

what

• Remove Makefile
• Add atmos.yaml

why

• Replace build-harness with atmos for readme genration

References

• DEV-3229 Migrate from build-harness to atmos

what

• Update .github/settings.yml
• Update .github/chatops.yml files

why

• Re-apply .github/settings.yml from org level to get terratest environment
• Migrate to new test account

References

• DEV-388 Automate clean up of test account in new organization
• DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
• DEV-386 Update terratest to use new testing account with GitHub OIDC

what

• Update .github/settings.yml
• Drop .github/auto-release.yml files

why

• Re-apply .github/settings.yml from org level
• Use organization level auto-release settings

references

• DEV-1242 Add protected tags with Repository Rulesets on GitHub

what

• Update .github/settings.yml
• Drop .github/auto-release.yml files

why

• Re-apply .github/settings.yml from org level
• Use organization level auto-release settings

references

• DEV-1242 Add protected tags with Repository Rulesets on GitHub

what

• Update .github/settings.yml
• Drop .github/auto-release.yml files

why

• Re-apply .github/settings.yml from org level
• Use organization level auto-release settings

references

• DEV-1242 Add protected tags with Repository Rulesets on GitHub

what

• Update workflow (.github/workflows/release.yaml) to have permission to comment on PR

why

• So we can support commenting on PRs with a link to the release

what

• Update workflows (.github/workflows) to use shared workflows from .github repo

why

• Reduce nested levels of reusable workflows

what

• Update workflows (.github/workflows) to add issue: write permission needed by ReviewDog tflint action

why

• The ReviewDog action will comment with line-level suggestions based on linting failures

what

• Update workflows (.github/workflows/settings.yaml)

why

• Support new readme generation workflow.
• Generate banners

what

• Install latest GitHub Action Workflows

why

• Use shared workflows from cldouposse/.github repository
• Simplify management of workflows from centralized hub of configuration

what

• Install a repository config (.github/settings.yaml)

why

• Programmatically manage GitHub repo settings

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

what

• Reran make readme to rebuild README.md from README.yaml
• Migrate to square badges
• Add scaffolding for repo settings and Mergify

why

• Upstream template changed in the .github repo
• Work better with repository rulesets
• Modernize look & feel

what

• Adds support for opensearch domains

why

• Amazon OpenSearch Service is the successor to Amazon Elasticsearch Service and supports OpenSearch and legacy Elasticsearch OSS (up to 7.10, the final open source version of the software).

references

• Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow).
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain

what

• Correct variable name for var.auto_tune.cron_schedule

why

• cron_expression_for_recurrence referred to the wrong variable name, with _ not .

references

what

Support AWS Provider V5
Linter fixes

why

Maintenance

references

https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.0.0

Rebuild github dir from the template