MLPAB-2067 - Only deploy OpenSearch Ingestion Pipeline when needed (#…
…1189)

* only deploy pipeline when needed

* re-enable search indexing
andrewpearce-digital authored Apr 18, 2024
1 parent d7dea3f commit 51c498d
Showing 2 changed files with 13 additions and 7 deletions.
16 changes: 13 additions & 3 deletions terraform/environment/opensearch_ingestion_pipeline.tf
@@ -1,3 +1,7 @@
locals {
enable_opensearch_ingestion_pipeline = false
}

data "aws_kms_alias" "dynamodb_encryption_key" {
name = "alias/${local.default_tags.application}_dynamodb_encryption"
provider = aws.eu_west_1
Expand All @@ -9,6 +13,7 @@ data "aws_kms_alias" "opensearch_encryption_key" {
}

resource "aws_iam_role_policy" "opensearch_pipeline" {
count = local.enable_opensearch_ingestion_pipeline ? 1 : 0
name = "opensearch_pipeline"
role = module.global.iam_roles.opensearch_pipeline.name
policy = data.aws_iam_policy_document.opensearch_pipeline.json
Expand Down Expand Up @@ -122,6 +127,7 @@ data "aws_subnet" "application" {
}

resource "aws_security_group" "opensearch_ingestion" {
count = local.enable_opensearch_ingestion_pipeline ? 1 : 0
name_prefix = "${local.default_tags.environment-name}-opensearch-ingestion"
description = "Security group for the opensearch ingestion pipeline"
vpc_id = data.aws_vpc.main.id
Expand All @@ -130,15 +136,17 @@ resource "aws_security_group" "opensearch_ingestion" {

# tfsec:ignore:aws-cloudwatch-log-group-customer-key
resource "aws_cloudwatch_log_group" "opensearch_pipeline" {
count = local.enable_opensearch_ingestion_pipeline ? 1 : 0
name = "/aws/vendedlogs/OpenSearchIngestion/lpas-${local.default_tags.environment-name}/audit-logs"
retention_in_days = 1
provider = aws.eu_west_1
}

resource "aws_cloudwatch_query_definition" "opensearch_pipeline" {
count = local.enable_opensearch_ingestion_pipeline ? 1 : 0
name = "${local.default_tags.environment-name}/lpas-opensearch-pipeline"
query_string = "parse @message '* [*] * * - *' as timestamp, thread, Loglevel, endpoint, message | sort @timestamp desc | limit 1000"
log_group_names = [aws_cloudwatch_log_group.opensearch_pipeline.name]
log_group_names = [aws_cloudwatch_log_group.opensearch_pipeline[0].name]
provider = aws.eu_west_1
}

Expand Down Expand Up @@ -178,6 +186,7 @@ locals {
}

resource "aws_opensearchserverless_access_policy" "pipeline" {
count = local.enable_opensearch_ingestion_pipeline ? 1 : 0
name = "pipeline-${local.environment_name}"
type = "data"
description = "allow index and collection access for the opensearch ingestion pipeline"
Expand All @@ -204,6 +213,7 @@ resource "aws_opensearchserverless_access_policy" "pipeline" {
}

resource "aws_osis_pipeline" "lpas_stream" {
count = local.enable_opensearch_ingestion_pipeline ? 1 : 0
pipeline_name = "lpas-${local.default_tags.environment-name}-stream"
max_units = 1
min_units = 1
Expand All @@ -213,12 +223,12 @@ resource "aws_osis_pipeline" "lpas_stream" {
}
log_publishing_options {
cloudwatch_log_destination {
log_group = aws_cloudwatch_log_group.opensearch_pipeline.name
log_group = aws_cloudwatch_log_group.opensearch_pipeline[0].name
}
is_logging_enabled = true
}
vpc_options {
security_group_ids = [aws_security_group.opensearch_ingestion.id]
security_group_ids = [aws_security_group.opensearch_ingestion[0].id]
subnet_ids = data.aws_subnet.application[*].id
}
provider = aws.eu_west_1
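Review bot: The new `enable_opensearch_ingestion_pipeline = false` local at the top of the file is a hard-coded switch with no comment saying why the pipeline is off or what flipping it affects, although it gates six resources, including the IAM role policy and the OpenSearch Serverless data access policy. I would add a comment above it such as `# Gates the OSIS pipeline plus its IAM role policy, data access policy, security group and log group; set to true only when the ingestion pipeline is required`. Because the same `count` is applied to `aws_cloudwatch_log_group.opensearch_pipeline`, setting the flag to false destroys the `.../audit-logs` log group together with whatever it holds, which is worth stating in that comment as well. The `[0]` references are safe only because the referencing resources carry the same `count`; the hunks show only part of the file, so any reference to these resources outside them would need the same index and should be confirmed with a plan.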
4 changes: 0 additions & 4 deletions terraform/environment/region/modules/app/ecs.tf
Expand Up @@ -467,10 +467,6 @@ locals {
{
name = "SEARCH_ENDPOINT",
value = var.search_endpoint == null ? "" : var.search_endpoint
},
{
name = "SEARCH_INDEXING_DISABLED",
value = "1"
}
]
}