r/aws_elasticsearch_domain: Add custom endpoint support

[matiaszilli]

Add support to define a custom endpoint for your Elasticsearch domain and associate an SSL certificate from AWS ACM.
AWS announcement

The following attributes under domain_endpoint_options were added:

• custom_endpoint_enabled
• custom_endpoint
• custom_endpoint_certificate_arn

resource "aws_elasticsearch_domain" "example" {
  domain_endpoint_options {
    custom_endpoint_enabled         = true
    custom_endpoint                 = "example.com"
    custom_endpoint_certificate_arn = aws_acm_certificate.example.arn
  }
}

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #16059

Release note for CHANGELOG:

resource/aws_elasticsearch_domain: Add custom endpoint support

Output from acceptance testing:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSElasticSearchDomain_CustomEndpoint'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSElasticSearchDomain_CustomEndpoint -timeout 120m
=== RUN   TestAccAWSElasticSearchDomain_CustomEndpoint
=== PAUSE TestAccAWSElasticSearchDomain_CustomEndpoint
=== CONT  TestAccAWSElasticSearchDomain_CustomEndpoint
--- PASS: TestAccAWSElasticSearchDomain_CustomEndpoint (1134.57s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       1134.713s

[matiaszilli]

Hi @bflad @DrFaust92 , please can anyone from your team revise this PR?. Thanks in advance.

[aviau]

Looking forward to see this in the terraform provider! Thank you for working on this :)

[nathanwebsterdotme]

Eagerly awaiting this!

[kristjankullerkann]

Looking forward for this feature.

[sc250024]

Thank you @matiaszilli

[davikawasaki]

Waiting for this feature as well :)

[wassertim]

Looking forward for this to be merged

[infosec-shinobi]

Similar to other people's comments... Any update on this? Would love to move away from the pre-generated urls for kibana to a custom one via TF.

[bm1549]

Does anyone know if there's someone from AWS, hashicorp, or otherwise that we can @ mention to get some eyes on this?

[matiaszilli]

Does anyone know if there's someone from AWS, hashicorp, or otherwise that we can @ mention to get some eyes on this?

I have mentioned three guys above but they did not answer.

[smozhevskiiEPAM]

Any news?

[sc250024]

I just checked the most recently merged PRs, and other than @bflad , @anGie44 was also active for approving and merging requests.

@anGie44 Would you mind helping us out please?

[DrFaust92]

Hey, I dont work for Hashi so i dont comment on their behalf but please see https://github.com/hashicorp/terraform-provider-aws/blob/main/docs/FAQ.md and https://github.com/hashicorp/terraform-provider-aws/blob/main/ROADMAP.md for currently planned activities.

Nudging maintainers is not helpful and just makes their(And Mine) notifications noisy.

And ofcourse see the Issue template itself:

Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

[mrtnfchs]

Are there any plans to have this change released soon ?

[Gowiem]

@mrtnfchs no way of knowing unless it's in the roadmap, which this is not. That means it's not a priority for the coming few months unfortunately.

One thing that can help is sharing this issue with your team / community and getting folks to 👍 it. I believe the hashi team is more likely to evaluate PRs when they're high up in the 👍 reaction list. This one already is, so I'm sure it wouldn't be hard to push it further towards the top.

[tomelliff]

Bit of a drive by review as I was curious but in general looks good to me (as a non maintainer) at a glance with a couple of nits/questions.

[tomelliff]

What was the reasoning for this change? I don't see any explanation in 5217ecb and it looks like an unnecessary change at a glance.

[matiaszilli]

Hi, because it doesn't has to be a necessary attribute to set. For example, you might want to enable a custom endpoint, so you would have to just set custom_endpoint_enabled and custom_endpoint attributes and no more that that.

[tomelliff]

This looks like it has been lifted directly from aws/resource_aws_route53_record.go. Is it strictly needed here because of a similar API error on the ES API? Sadly https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-configuration-api.html#es-configuration-api-datatypes-domainendpointoptions leaves any validation undocumented.

https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-customendpoint.html suggests you can leave a trailing dot at the end but the console may just strip that.

I was also wondering if there was a common validate function that checks it's a valid FQDN (max length in total and per label etc) but I don't see one elsewhere in the code base or in the plugin SDK.

At the least the comment here probably wants updating.

[matiaszilli]

You're right, I have just lifted that code from aws/resource_aws_route53_record.go. I was trying to find a common validation function but it doesn't exist, it might be becose the different AWS API endpoints require different validations to be done. I agree with you about the comment update, I will do that. Thank you!

[bflad]

It is generally preferable to leave out these types of StateFunc where possible. If the API has issues with trailing periods, we can introduce validation to try and catch that early.

[matiaszilli]

Perfect @bflad , I will get rid of that validation.

[bflad]

It is generally preferable to leave out these types of StateFunc where possible. If the API has issues with trailing periods, we can introduce validation to try and catch that early.

[bflad]

Overall this is looking good, just running the full resource acceptance testing now. Leaving these minor items here in case you are updating the pull request already. Thank you, @matiaszilli

[bflad]

Thanks again, @matiaszilli 🚀

Output from acceptance testing:

--- PASS: TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_Disabled (1110.37s)
--- PASS: TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_IAM (910.89s)
--- PASS: TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_UserDB (2315.72s)
--- PASS: TestAccAWSElasticSearchDomain_basic (828.97s)
--- PASS: TestAccAWSElasticSearchDomain_ClusterConfig_ZoneAwarenessConfig (6476.66s)
--- PASS: TestAccAWSElasticSearchDomain_CognitoOptionsCreateAndRemove (1678.06s)
--- PASS: TestAccAWSElasticSearchDomain_CognitoOptionsUpdate (2566.28s)
--- PASS: TestAccAWSElasticSearchDomain_complex (1058.50s)
--- PASS: TestAccAWSElasticSearchDomain_CustomEndpoint (2500.69s)
--- PASS: TestAccAWSElasticSearchDomain_duplicate (712.87s)
--- PASS: TestAccAWSElasticSearchDomain_encrypt_at_rest_default_key (993.05s)
--- PASS: TestAccAWSElasticSearchDomain_encrypt_at_rest_specify_key (1464.85s)
--- PASS: TestAccAWSElasticSearchDomain_internetToVpcEndpoint (2329.21s)
--- PASS: TestAccAWSElasticSearchDomain_LogPublishingOptions_AuditLogs (1158.98s)
--- PASS: TestAccAWSElasticSearchDomain_LogPublishingOptions_EsApplicationLogs (1519.00s)
--- PASS: TestAccAWSElasticSearchDomain_LogPublishingOptions_IndexSlowLogs (858.37s)
--- PASS: TestAccAWSElasticSearchDomain_LogPublishingOptions_SearchSlowLogs (1081.40s)
--- PASS: TestAccAWSElasticSearchDomain_NodeToNodeEncryption (938.28s)
--- PASS: TestAccAWSElasticSearchDomain_policy (1332.27s)
--- PASS: TestAccAWSElasticSearchDomain_RequireHTTPS (1653.56s)
--- PASS: TestAccAWSElasticSearchDomain_tags (1714.35s)
--- PASS: TestAccAWSElasticSearchDomain_update (2329.18s)
--- PASS: TestAccAWSElasticSearchDomain_update_version (4438.77s)
--- PASS: TestAccAWSElasticSearchDomain_update_volume_type (3179.57s)
--- PASS: TestAccAWSElasticSearchDomain_v23 (1237.71s)
--- PASS: TestAccAWSElasticSearchDomain_vpc (930.36s)
--- PASS: TestAccAWSElasticSearchDomain_vpc_update (3231.96s)
--- PASS: TestAccAWSElasticSearchDomain_warm (6666.88s)
--- PASS: TestAccAWSElasticSearchDomain_withDedicatedMaster (3033.83s)
--- PASS: TestAccAWSElasticSearchDomain_WithVolumeType_Missing (840.98s)

[ghost]

This has been released in version 3.35.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!