Example Usage

variable "domain" {
  default = "tf-test"

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

resource "aws_elasticsearch_domain" "es" {
  domain_name           = "${var.domain}"
  elasticsearch_version = "1.5"
  cluster_config {
    instance_type = "r3.large.elasticsearch"

  advanced_options {
    "rest.action.multi.allow_explicit_index" = "true"

  access_policies = <<CONFIG
    "Version": "2012-10-17",
    "Statement": [
            "Action": "es:*",
            "Principal": "*",
            "Effect": "Allow",
            "Resource": "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.domain}/*"
            "Condition": {
                "IpAddress": {"aws:SourceIp": [""]}

  snapshot_options {
    automated_snapshot_start_hour = 23

  tags {
    Domain = "TestDomain"

Argument Reference

The following arguments are supported:

  • domain_name - (Required) Name of the domain.
  • access_policies - (Optional) IAM policy document specifying the access policies for the domain
  • advanced_options - (Optional) Key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes) or they may be wrong and cause a perpetual diff, causing Terraform to want to recreate your Elasticsearch domain on every apply.
  • ebs_options - (Optional) EBS related options, may be required based on chosen instance size. See below.
  • encrypt_at_rest - (Optional) Encrypt at rest options. Only available for certain instance types. See below.
  • cluster_config - (Optional) Cluster configuration of the domain, see below.
  • snapshot_options - (Optional) Snapshot related options, see below.
  • vpc_options - (Optional) VPC related options, see below. Adding or removing this configuration forces a new resource (documentation).
  • log_publishing_options - (Optional) Options for publishing slow logs to CloudWatch Logs.
  • elasticsearch_version - (Optional) The version of ElasticSearch to deploy. Defaults to 1.5
  • tags - (Optional) A mapping of tags to assign to the resource

ebs_options supports the following attributes:

  • ebs_enabled - (Required) Whether EBS volumes are attached to data nodes in the domain
  • volume_type - (Optional) The type of EBS volumes attached to data nodes.
  • volume_size - The size of EBS volumes attached to data nodes (in GB). Required if ebs_enabled is set to true.
  • iops - (Optional) The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the Provisioned IOPS EBS volume type.

encrypt_at_rest supports the following attributes:

  • enabled - (Required) Whether to enable encryption at rest. If the encrypt_at_rest block is not provided then this defaults to false.
  • kms_key_id - (Optional) The KMS key id to encrypt the Elasticsearch domain with. If not specified then it defaults to using the aws/es service KMS key.

cluster_config supports the following attributes:

vpc_options supports the following attributes:

AWS documentation: VPC Support for Amazon Elasticsearch Service Domains

  • security_group_ids - (Optional) List of VPC Security Group IDs to be applied to the Elasticsearch domain endpoints. If omitted, the default Security Group for the VPC will be used.
  • subnet_ids - (Required) List of VPC Subnet IDs for the Elasticsearch domain endpoints to be created in.

Security Groups and Subnets referenced in these attributes must all be within the same VPC; this determines what VPC the endpoints are created in.

snapshot_options supports the following attribute:

log_publishing_options supports the following attribute:

  • log_type - (Required) A type of Elasticsearch log. Valid values: INDEX_SLOW_LOGS, SEARCH_SLOW_LOGS
  • cloudwatch_log_group_arn - (Required) ARN of the Cloudwatch log group to which log needs to be published.
  • enabled - (Optional, Default: true) Specifies whether given log publishing option is enabled or not.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the domain.
  • domain_id - Unique identifier for the domain.
  • endpoint - Domain-specific endpoint used to submit index, search, and data upload requests.
  • kibana_endpoint - Domain-specific endpoint for kibana without https scheme.
  • vpc_options.0.availability_zones - If the domain was created inside a VPC, the names of the availability zones the configured subnet_ids were created inside.
  • vpc_options.0.vpc_id - If the domain was created inside a VPC, the ID of the VPC.


ElasticSearch domains can be imported using the domain_name, e.g.

$ terraform import aws_elasticsearch_domain.example domain_name

© 2018 HashiCorpLicensed under the MPL 2.0 License.