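# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# Elasticsearch domain that stores Security Hub findings, with Kibana sign-in
# brokered through the Cognito user pool / identity pool / IAM role referenced
# below (defined elsewhere in this configuration).
#
# Hardening applied on this resource:
#   * encryption at rest and node-to-node (intra-cluster) encryption
#   * HTTPS enforced on the domain endpoint with a TLS 1.2 minimum policy, so
#     Kibana/REST traffic from the allow-listed IPs in the access policy below is
#     never accepted in plaintext. domain_endpoint_options needs an AWS provider
#     version that supports it; check the pinned provider before applying.
#
# Not all instance types support encryption at rest & node-to-node encryption;
# ElasticSearch_Domain_Instance_Type must be one that does or the apply fails.
# NOTE(review): no vpc_options is set, so the endpoint is public and network-level
# restriction relies entirely on the IP-based domain access policy that follows.
resource "aws_elasticsearch_domain" "Security_Hub_Elasticsearch_Service" {
  domain_name           = "${var.ElasticSearch_Domain_Name}"
  elasticsearch_version = "${var.ElasticSearch_Domain_ES_Version}"

  cluster_config {
    instance_type  = "${var.ElasticSearch_Domain_Instance_Type}"
    instance_count = "${var.ElasticSearch_Domain_Instance_Count}"
  }

  # 15 GiB gp2 per data node; size up if finding volume grows.
  ebs_options {
    ebs_enabled = true
    volume_type = "gp2"
    volume_size = "15"
  }

  # Uses the AWS-managed key; supply kms_key_id here if a CMK is required.
  encrypt_at_rest {
    enabled = true
  }

  node_to_node_encryption {
    enabled = true
  }

  # Reject plain HTTP and pre-TLS-1.2 clients at the domain endpoint.
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  # Daily automated snapshot at hour 23 (AWS evaluates this in UTC).
  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  # Kibana authentication via Cognito; role_arn is assumed by the ES service
  # to configure the user/identity pools.
  cognito_options {
    enabled          = true
    user_pool_id     = "${aws_cognito_user_pool.ES_Cognito_User_Pool.id}"
    identity_pool_id = "${aws_cognito_identity_pool.ES_Cognito_Identity_Pool.id}"
    role_arn         = "${aws_iam_role.ES_Cognito_Role.arn}"
  }

  # Security Hub must be enabled before findings can be exported to this domain.
  depends_on = ["aws_securityhub_account.Security_Hub_Enabled"]
}

# this elasticsearch access policy will only allow your account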
and the IP you specify to access it resource "aws_elasticsearch_domain_policy" "Security_Hub_Elasticsearch_Service_Policy" { domain_name = "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.domain_name}" access_policies = <