Elasticsearch domains are not configured with a minimum of three dedicated master nodes
Description
This policy is ensuring that Elasticsearch domains are configured with at least three dedicated master nodes for high availability. Not having high availability for Elasticsearch domains could lead to unexpected outages and potential data loss. In addition, it provides resilience against system failures and ensures uninterrupted system operations. Therefore, ignoring this policy can cause significant harm to your database infrastructure and compromises the reliability of your services.
Code Example
hcl
resource "aws_elasticsearch_domain" "example" {
domain_name = "example"
elasticsearch_version = "6.8"
cluster_config {
instance_type = "m4.large.elasticsearch"
instance_count = "3"
dedicated_master_enabled = true
dedicated_master_count = '3'
dedicated_master_type = "m4.large.elasticsearch"
}
}Remediation
Terraform
- Resource: aws_elasticsearch_domain, aws_opensearch_domain
- Arguments: cluster_config.dedicated_master_count
Configure your Elasticsearch domain with at least three dedicated master nodes. This can be achieved by setting the 'dedicated_master_count' value to 3, under 'cluster_config'. Here is how your Terraform code should look:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0365 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_318 |