v1.4.0

🚀 Enhancements

Upgrade default TLS Policy domain_endpoint_options_tls_security_policy @niels1voo (#219)

## what

Change the default value of domain_endpoint_options_tls_security_policy to "Policy-Min-TLS-1-2-2019-07"

why

AWS is sunsetting the current default in April 2026.

references

https://docs.aws.amazon.com/opensearch-service/latest/developerguide/infrastructure-security.html

v1.3.0

fix: conditionally set service domain outputs when disabled @RoseSecurity (#216)

## what

• Previously, service domain output locals were always set, even when the module was disabled. This caused issues with downstream references. Now, these locals are set to null when the module is not enabled, preventing unintended values and improving conditional logic handling.

why

• Resolve the following error:

╷
│ Error: Error in function call
│
│   on .terraform/infra/modules/elasticsearch/main.tf line 11, in locals:
│   11:   aws_service_domain_kibana_endpoint = coalesce(join("", aws_elasticsearch_domain.default[*].kibana_endpoint), join("", aws_opensearch_domain.default[*].dashboard_endpoint))
│     ├────────────────
│     │ while calling coalesce(vals...)
│     │ aws_elasticsearch_domain.default is empty tuple
│     │ aws_opensearch_domain.default is empty tuple
│
│ Call to function "coalesce" failed: no non-null, non-empty-string arguments.
╵

• Closes #193

Add throughput to ebs_options for OpenSearch @eddieb96 (#214)

## what

• Fix ebs_throughput in aws_opensearch_domain by adding throughput to ebs_options

why

• Fix for #208
• Makes it possible to configure ebs_throughput on an OpenSearch domain

references

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain

v1.2.0

port #198 Parameterize access policies json for more flexibility (3rd try) @goruha (#210)

port #198 Parameterize access policies json for more flexibility (3rd try)

what

Adds a new parameter to be able to pass a json string with a custom access policy to set for the elasticsearch.

why

In my opinion, the access policies are too "opinionated" on this module, especially when it is on "vpc mode". I think it should be more flexible and allow to customize it however we want and not having it based on the iam_role_arn variable.

references

N/A

P.S.: This is already the 3rd time I'm trying to have this new parameter accepted. Please take a look at it this time 🙇 thank you.
Previous tries:

• #180
• #155

v1.1.0

port #137 - feat: add possibiblity to use AWS IAM roles for service accounts @goruha (#209)

Port of #137

what

• To allow usage of AWS IRSA the assume role policy of the created IAM role needs to be adapted, therefore an additional (and optional) statement for the sts:AssumeRoleWithWebIdentity action was added
• To decouple sts:AssumeRole for the Service and the AWS principal types all statements have been split into separate blocks

why

• To allow usage of AWS IAM roles inside of EKS AWS
• more secure than handling AWS access keys and secrets

references

• IRSA
• 1
• 2

v1.0.1

🤖 Automatic Updates

chore(deps): update terraform cloudposse/route53-cluster-hostname/aws to v0.13.0 @[renovate[bot]](https://github.com/apps/renovate) (#170)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/route53-cluster-hostname/aws (source)	module	minor	0.12.3 -> 0.13.0

---

Release Notes

cloudposse/terraform-aws-route53-cluster-hostname (cloudposse/route53-cluster-hostname/aws)

v0.13.0

Compare Source

• No changes

---

chore(deps): update terraform cloudposse/vpc/aws to v2.2.0 @[renovate[bot]](https://github.com/apps/renovate) (#174)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/vpc/aws (source)	module	minor	2.1.0 -> 2.2.0

---

Release Notes

cloudposse/terraform-aws-vpc (cloudposse/vpc/aws)

v2.2.0

Compare Source

v2.1.1

Compare Source

Add support for network address usage metrics @​lanzrein (#​124)

what

This PR adds support for Network Address Usage Metrics on the VPC.
AWS documentation : https://docs.aws.amazon.com/vpc/latest/userguide/network-address-usage.html
Terraform documentation : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#enable\_network\_address\_usage\_metrics

why

Network Address Usage metrics can help monitor the growth of a VPC and would be useful for any user.
Enable this after creating a VPC does not trigger recreation of the VPC.

references

closes #​115

Sync github @​max-lobur (#​120)

Rebuild github dir from the template

🤖 Automatic Updates

Update README.md and docs @​cloudpossebot (#​125)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

v1.0.0

🚀 Enhancements

feat: support `multi_az_with_standby_enabled` for opensearch @lukehsiao (#196)

feat: support `multi_az_with_standby_enabled` for opensearch

Note that this bumps the minimum hashicorp/aws provider version to
5.15.0, where this parameter was introduced [1].

The README diff was generated with make init and make readme, and
introduces some minor unrelated changes.

Closes: #195

---

what

This PR simply exposes a new variable (multi_az_with_standby_enabled) for OpenSearch clusters.

why

This is the recommended setting by AWS, so it makes sense to be able to do this via terraform.

references

Closes: #195

🤖 Automatic Updates

chore(deps): update terraform cloudposse/dynamic-subnets/aws to v2.4.2 @[renovate[bot]](https://github.com/apps/renovate) (#176)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/dynamic-subnets/aws (source)	module	patch	2.4.1 -> 2.4.2

---

Release Notes

cloudposse/terraform-aws-dynamic-subnets (cloudposse/dynamic-subnets/aws)

v2.4.2

Compare Source

🚀 Enhancements

chore(deps): update terraform cloudposse/utils/aws to v1.4.0 (main) @​renovate (#​191)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/utils/aws (source)	module	minor	1.3.0 -> 1.4.0

---

Release Notes

cloudposse/terraform-aws-utils (cloudposse/utils/aws)

v1.4.0

Compare Source

Add il-central-1 region @​&#​8203;jasonmk (#&#​8203;31)

what

Add new Tel Aviv (il-central-1) region

why

Provide full coverage

references

Sync github @​&#​8203;max-lobur (#&#​8203;27)

Rebuild github dir from the template

---

🤖 Automatic Updates

chore(deps): update terraform cloudposse/utils/aws to v1.4.0 (main) @​renovate (#​191)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/utils/aws (source)	module	minor	1.3.0 -> 1.4.0

---

Release Notes

cloudposse/terraform-aws-utils (cloudposse/utils/aws)

v1.4.0

Compare Source

Add il-central-1 region @​&#​8203;jasonmk (#&#​8203;31)

what

Add new Tel Aviv (il-central-1) region

why

Provide full coverage

references

Sync github @​&#​8203;max-lobur (#&#​8203;27)

Rebuild github dir from the template

---

Update README.md and docs @​cloudpossebot (#​189)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

v0.50.0

typo in variables.tf @jwlogemann-mercell (#184)

## what

Typo fix

why

references

v0.49.0

Adds capability to attach existing security groups to Opensearch domain @pierreislande (#200)

## what

• Adds capability to attach existing security groups to Opensearch domain by setting var.create_security_group to false
• Almost all the necessary settings already exist to support this functionality, as it aligns with how the module currently handles security group configuration for the OpenSearch domain
• This feature already exists for Elasticsearch domain

why

• This modification enables users to either create a new security group or specify existing ones via the var.security_groups variable. This is especially useful for integrating with externally managed security groups.
• We expect to use existing security groups to attach to the OpenSearch domain in cases where we don’t want to use the security group created by the module.
• The var.security_groups variable already exists and accepts a list of security group IDs that can be directly applied to the OpenSearch domain.

references

#134

🤖 Automatic Updates

chore(deps): bump golang.org/x/net from 0.21.0 to 0.38.0 in /test/src in the go_modules group across 1 directory @[dependabot[bot]](https://github.com/apps/dependabot) (#207)

Bumps the go_modules group with 1 update in the /test/src directory: [golang.org/x/net](https://github.com/golang/net).

Updates golang.org/x/net from 0.21.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

v0.48.2

Add anonymous_auth_enabled option to OpenSearch advanced security opt… @tarik-arslanagic-gpp (#201)

…ions

what

• Added support for the anonymous_auth_enabled parameter in the advanced security options of AWS OpenSearch domain resource
• This parameter is optional and defaults to false, maintaining backward compatibility
• Only modified the OpenSearch domain resource, leaving the Elasticsearch domain resource unchanged

why

• Enables anonymous authentication during the fine-grained access control migration period
• Allows for a smoother transition when enabling fine-grained access control on an existing domain
• Provides users with more flexibility when implementing security controls on their OpenSearch domains
• Addresses a missing parameter that exists in the AWS provider but wasn't exposed in this module

references

• AWS Documentation on Fine-Grained Access Control
• AWS Provider Documentation for anonymous_auth_enabled
• Related to migration strategies for implementing fine-grained access control on existing domains

🤖 Automatic Updates

Bump the go_modules group across 1 directory with 4 updates @[dependabot[bot]](https://github.com/apps/dependabot) (#204)

Bumps the go_modules group with 2 updates in the /test/src directory: [golang.org/x/crypto](https://github.com/golang/crypto) and gopkg.in/yaml.v3.

Updates golang.org/x/crypto from 0.0.0-20200622213623-75b288015ac9 to 0.35.0

Commits

• See full diff in compare view

Updates golang.org/x/net from 0.0.0-20200707034311-ab3426394381 to 0.21.0

Commits

• See full diff in compare view

Updates golang.org/x/sys from 0.0.0-20200622214017-ed371f2e16b4 to 0.30.0

Commits

• See full diff in compare view

Updates gopkg.in/yaml.v3 from 3.0.0-20200313102051-9f266ea9e77c to 3.0.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

v0.48.1

🚀 Enhancements

Fix kibana_endpoint in aws_opensearch_domain for AWS provider v6 @rmandziarz-spoton (#206)

## what

• Fix kibana_endpoint in aws_opensearch_domain for hashicorp/aws provider v6.x

why

Fix for:

│ Error: Unsupported attribute
│ 
│   on .terraform/modules/opensearch.opensearch/main.tf line 11, in locals:
│   11:   aws_service_domain_kibana_endpoint = coalesce(join("", aws_elasticsearch_domain.default[*].kibana_endpoint), join("", aws_opensearch_domain.default[*].kibana_endpoint))
│ 
│ This object does not have an attribute named "kibana_endpoint".

after upgrading hashicorp/aws provider to version 6.x.

Reference:

• aws_opensearch_domain

🤖 Automatic Updates

Fix go version in tests @osterman (#203)

## what - Update go `1.24`

why

• Error loading shared library libresolv.so.2 in Go 1.20

References

• https://sweetops.slack.com/archives/G014YEKDH4K/p1746672149263629
• golang/go#59305 (comment)
• cloudposse/terraform-aws-cloudfront-s3-cdn#294

Replace Makefile with atmos.yaml @osterman (#202)

## what - Remove `Makefile` - Add `atmos.yaml`

why

• Replace build-harness with atmos for readme genration

References

• DEV-3229 Migrate from build-harness to atmos