Add ES cleanup module #1
Conversation
joshmyers force-pushed the add_es_cleanup_module branch 2 times, most recently from 3bd9ac6 to 5512c28 Compare 
| I think we should convey |
README.yaml Outdated
| # Short description of this project | ||
| description: |- | ||
| Terraform module to provision a scheduled Lambda function which will | ||
| delete old Elasticsearch indexes using SigV4Auth authentication. The |
There was a problem hiding this comment.
| delete old Elasticsearch indexes using SigV4Auth authentication. The | |
| delete old Elasticsearch indexes using [SigV4Auth](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) authentication. The |
There was a problem hiding this comment.
not sure if that is the right link
There was a problem hiding this comment.
It is the overarching sigV4 (needed when talking to ES clusters) documentation link - from there you can dig more into those docs.
README.yaml Outdated
| | ||
| # Contributors to this project | ||
| contributors: | ||
| - name: "Erik Osterman" |
example/main.tf Outdated
| enabled = "true" | ||
| namespace = "example" | ||
| stage = "dev" | ||
| schedule = "rate(5 minutes)" |
There was a problem hiding this comment.
How would we limit this to specific indexes?
There was a problem hiding this comment.
We could add an index whitelist should we wish. Currently the function accepts a specific index, or all.
| @@ -0,0 +1,210 @@ | |||
| #!/usr/bin/python | |||
There was a problem hiding this comment.
Add link of attribution to original lambda
There was a problem hiding this comment.
Also, mention copyrights and license
There was a problem hiding this comment.
Would we rather that in the function itself rather than https://github.com/cloudposse/terraform-aws-elasticsearch-cleanup/blob/0cb550ade3c70a52f7150ec4b7476ad2399772d4/README.yaml#L47-L48 ? NP if so
joshmyers force-pushed the add_es_cleanup_module branch from 5512c28 to bfd7c0f Compare variables.tf Outdated
| } | ||
| | ||
| variable "python_version" { | ||
| default = "2.7" |
There was a problem hiding this comment.
comment addressed.
example/main.tf Outdated
| | ||
| module "elasticsearch" { | ||
| source = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.1.5" | ||
| namespace = "example" |
There was a problem hiding this comment.
We don't want to hardcode these in examples b/c it precludes us testing the module concurrently. Additionally, sometimes our community will deploy this version without changing the values, which means we cannot reuse them.
| | ||
| class ES_Cleanup(object): | ||
| | ||
| name = "lambda_es_cleanup" |
There was a problem hiding this comment.
Just want to make sure this doesn't need to be unique to the AWS account
There was a problem hiding this comment.
Nope, this is used to prefix outputted messaged when sending to SNS
main.tf Outdated
| | ||
| resource "aws_security_group" "default" { | ||
| count = "${local.enabled == true ? 1 : 0}" | ||
| name = "${module.label.id}-elasticsearch-cleanup" |
There was a problem hiding this comment.
We are not consistent about this, but technically should be using a new label with attributes = ["elasticsearch", "cleanup"]
There was a problem hiding this comment.
Otherwise, we ignore the user's delimiter selection
main.tf Outdated
| | ||
| resource "aws_iam_role_policy" "default" { | ||
| count = "${local.enabled == true ? 1 : 0}" | ||
| name = "${module.label.id}-elasticsearch-cleanup" |
There was a problem hiding this comment.
variables.tf Outdated
| } | ||
| | ||
| variable "vpc_id" { | ||
| description = "VPC Id for the Lambda function - should be the same VPC as ES domain" |
There was a problem hiding this comment.
| description = "VPC Id for the Lambda function - should be the same VPC as ES domain" | |
| description = "VPC ID for the Lambda function. Should be the same VPC as the ES domain." |
variables.tf Outdated
| } | ||
| | ||
| variable "index" { | ||
| description = "Index/indices to process comma separated, with all every index will be processed except '.kibana'" |
There was a problem hiding this comment.
| description = "Index/indices to process comma separated, with all every index will be processed except '.kibana'" | |
| description = "Index/indices to process. Use a comma-separated list. Specify`all` to match every index except for `.kibana`" |
variables.tf Outdated
| } | ||
| | ||
| variable "delete_after" { | ||
| description = "Numbers of days to preserve" |
There was a problem hiding this comment.
| description = "Numbers of days to preserve" | |
| description = "Number of days to preserve" |
variables.tf Outdated
| | ||
| variable "enabled" { | ||
| type = "string" | ||
| description = "Enable or disable the ElasticSearch Cleanup function" |
There was a problem hiding this comment.
| description = "Enable or disable the ElasticSearch Cleanup function" | |
| description = "Enable or disable the Elasticsearch Cleanup function" |
Seems like the canonical spelling is Elasticsearch per AWS documentation
variables.tf Outdated
| variable "tags" { | ||
| type = "map" | ||
| default = {} | ||
| description = "Additional tags (e.g. `map('BusinessUnit`,`XYZ`)" |
There was a problem hiding this comment.
| description = "Additional tags (e.g. `map('BusinessUnit`,`XYZ`)" | |
| description = "Additional tags (e.g. `map('BusinessUnit','XYZ')`" |
There was a problem hiding this comment.
That said, the origin of this map(..) business is from OLD terraforms which did not support { ... } notation. At some point we need to bite the bullet.
joshmyers force-pushed the add_es_cleanup_module branch 3 times, most recently from 4ef843b to fbdd26d Compare 
.gitignore Outdated
| @@ -1,7 +1,6 @@ | |||
| # Compiled files | |||
There was a problem hiding this comment.
use our standard .gitignore for Terraform repos:
# Local .terraform directories **/.terraform/* # .tfstate files *.tfstate *.tfstate.* # .tfvars files *.tfvars **/.idea **/*.iml **/.build-harness **/build-harness README.yaml Outdated
| description: "Terraform module for dynamic subnets provisioning." | ||
| url: "https://github.com/cloudposse/terraform-aws-dynamic-subnets" | ||
| - name: "terraform-aws-elasticsearch" | ||
| description: "Terraform module for AWS ElasticSearch provisioning." |
README.yaml Outdated
| # How to use this project | ||
| usage: |- | ||
| ```hcl | ||
| module "elasticsearch-cleanup" { |
There was a problem hiding this comment.
| module "elasticsearch-cleanup" { | |
| module "elasticsearch_cleanup" { |
use snake case to name resources
| enabled = "true" | ||
| namespace = "example" | ||
| stage = "dev" | ||
| schedule = "rate(5 minutes)" |
There was a problem hiding this comment.
is this just a free text for the schedule, not regex?
There was a problem hiding this comment.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html this can be in cron or rate format
example/main.tf Outdated
| } | ||
| | ||
| module "elasticsearch" { | ||
| source = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.1.5" |
There was a problem hiding this comment.
| source = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.1.5" | |
| source = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=master" |
use master for consistency
There was a problem hiding this comment.
Sure, I was going for a known working release
There was a problem hiding this comment.
it's kind of a chicken and the egg - also easily forgotten to update. We tend to pin our README.md examples to master so users who copy and paste get something that probably works.
example/main.tf Outdated
| vpc_id = "${module.vpc.vpc_id}" | ||
| subnet_ids = ["${module.subnets.public_subnet_ids}"] | ||
| zone_awareness_enabled = "true" | ||
| elasticsearch_version = "6.2" |
There was a problem hiding this comment.
| elasticsearch_version = "6.2" | |
| elasticsearch_version = "6.3" |
use the latest supported version
| resource "aws_cloudwatch_event_target" "default" { | ||
| count = "${local.enabled == true ? 1 : 0}" | ||
| target_id = "${local.function_name}" | ||
| rule = "${aws_cloudwatch_event_rule.default.name}" |
There was a problem hiding this comment.
| rule = "${aws_cloudwatch_event_rule.default.name}" | |
| rule = "${join("", aws_cloudwatch_event_rule.default.*.name})" |
variables.tf Outdated
| description = "Subnet ids" | ||
| } | ||
| | ||
| variable "sns_alert" { |
There was a problem hiding this comment.
| variable "sns_alert" { | |
| variable "sns_arn" { |
variables.tf Outdated
| variable "sns_alert" { | ||
| type = "string" | ||
| default = "" | ||
| description = "SNS ARN to pusblish any alert" |
There was a problem hiding this comment.
| description = "SNS ARN to pusblish any alert" | |
| description = "SNS ARN to publish alerts" |
variables.tf Outdated
| variable "index" { | ||
| type = "string" | ||
| default = "all" | ||
| description = "Index/indices to process. Use a comma-separated list. Specify`all` to match every index except for `.kibana`" |
There was a problem hiding this comment.
| description = "Index/indices to process. Use a comma-separated list. Specify`all` to match every index except for `.kibana`" | |
| description = "Index/indices to process. Use a comma-separated list. Specify `all` to match every index except for `.kibana`" |
variables.tf Outdated
| description = "Stage, e.g. 'prod', 'staging', 'dev', or 'test'" | ||
| } | ||
| | ||
| variable "environment" { |
variables.tf Outdated
| | ||
| variable "index_format" { | ||
| default = "%Y.%m.%d" | ||
| description = "Combined with 'index' varible is used to evaluate the index age" |
There was a problem hiding this comment.
| description = "Combined with 'index' varible is used to evaluate the index age" | |
| description = "Combined with 'index' variable and is used to evaluate the index age" |
| | ||
| data "aws_iam_policy_document" "default" { | ||
| statement { | ||
| actions = [ |
There was a problem hiding this comment.
do we need to give these permissions to the module?
There was a problem hiding this comment.
Yeah these are needed to the Lambda function can a) write log files to CloudWatch logs b) post a v4 signed payload to ES
joshmyers force-pushed the add_es_cleanup_module branch 2 times, most recently from 134754c to 588494c Compare 
| @aknysh Ready for another review |
This creates all the base resources necessary to test the elasticsearch-cleanup module. Unfortunately this requires a two stage apply as the `aws_route53_zone` resource fails to compute ID when passed into other modules. See: cloudposse/terraform-aws-elasticsearch#13
Pull the deployment artifact from S3 using the new terraform-external-module-artifact module. This approach has the benefit of not checking in zip files into git, but the downside of more preamble when wanting to test this module as per the example docs. You need to know that the function should already be in S3 at a pre determined path. We need to think of proper deployment and promotion of these artifacts through different S3 buckets e.g. artifacts.testing.cloudposse.org -> artifacts.prod.cloudposse.org
joshmyers force-pushed the add_es_cleanup_module branch from 588494c to a4585fe Compare 
what
This PR adds the main gubbins of the ES cleanup Lambda function and associated Terraform code