The CDK Construct Library for AWS::OpenSearchService
Project description
Amazon OpenSearch Service Construct Library
---AWS CDK v1 has reached End-of-Support on 2023-06-01. This package is no longer being updated, and users should migrate to AWS CDK v2.
For more information on how to migrate, see the Migrating to AWS CDK v2 guide.
Features | Stability |
---|---|
CFN Resources | |
Higher level constructs for Domain |
CFN Resources: All classes with the
Cfn
prefix in this module (CFN Resources) are always stable and safe to use.
Stable: Higher level constructs in this module that are marked stable will not undergo any breaking changes. They will strictly follow the Semantic Versioning model.
See Migrating to OpenSearch for migration instructions from @aws-cdk/aws-elasticsearch
to this module, @aws-cdk/aws-opensearchservice
.
Quick start
Create a development cluster by simply specifying the version:
dev_domain = opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0
)
To perform version upgrades without replacing the entire domain, specify the enableVersionUpgrade
property.
dev_domain = opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0,
enable_version_upgrade=True
)
Create a production grade cluster by also specifying things like capacity and az distribution
prod_domain = opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0,
capacity=opensearch.CapacityConfig(
master_nodes=5,
data_nodes=20
),
ebs=opensearch.EbsOptions(
volume_size=20
),
zone_awareness=opensearch.ZoneAwarenessConfig(
availability_zone_count=3
),
logging=opensearch.LoggingOptions(
slow_search_log_enabled=True,
app_log_enabled=True,
slow_index_log_enabled=True
)
)
This creates an Amazon OpenSearch Service cluster and automatically sets up log groups for logging the domain logs and slow search logs.
A note about SLR
Some cluster configurations (e.g VPC access) require the existence of the AWSServiceRoleForAmazonElasticsearchService
Service-Linked Role.
When performing such operations via the AWS Console, this SLR is created automatically when needed. However, this is not the behavior when using CloudFormation. If an SLR is needed, but doesn't exist, you will encounter a failure message simlar to:
Before you can proceed, you must enable a service-linked role to give Amazon OpenSearch Service...
To resolve this, you need to create the SLR. We recommend using the AWS CLI:
aws iam create-service-linked-role --aws-service-name es.amazonaws.com
You can also create it using the CDK, but note that only the first application deploying this will succeed:
slr = iam.CfnServiceLinkedRole(self, "Service Linked Role",
aws_service_name="es.amazonaws.com"
)
Importing existing domains
To import an existing domain into your CDK application, use the Domain.fromDomainEndpoint
factory method.
This method accepts a domain endpoint of an already existing domain:
domain_endpoint = "https://my-domain-jcjotrt6f7otem4sqcwbch3c4u.us-east-1.es.amazonaws.com"
domain = opensearch.Domain.from_domain_endpoint(self, "ImportedDomain", domain_endpoint)
Permissions
IAM
Helper methods also exist for managing access to the domain.
# fn: lambda.Function
# domain: opensearch.Domain
# Grant write access to the app-search index
domain.grant_index_write("app-search", fn)
# Grant read access to the 'app-search/_search' path
domain.grant_path_read("app-search/_search", fn)
Encryption
The domain can also be created with encryption enabled:
domain = opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0,
ebs=opensearch.EbsOptions(
volume_size=100,
volume_type=ec2.EbsDeviceVolumeType.GENERAL_PURPOSE_SSD
),
node_to_node_encryption=True,
encryption_at_rest=opensearch.EncryptionAtRestOptions(
enabled=True
)
)
This sets up the domain with node to node encryption and encryption at rest. You can also choose to supply your own KMS key to use for encryption at rest.
VPC Support
Domains can be placed inside a VPC, providing a secure communication between Amazon OpenSearch Service and other services within the VPC without the need for an internet gateway, NAT device, or VPN connection.
Visit VPC Support for Amazon OpenSearch Service Domains for more details.
vpc = ec2.Vpc(self, "Vpc")
domain_props = opensearch.DomainProps(
version=opensearch.EngineVersion.OPENSEARCH_1_0,
removal_policy=RemovalPolicy.DESTROY,
vpc=vpc,
# must be enabled since our VPC contains multiple private subnets.
zone_awareness=opensearch.ZoneAwarenessConfig(
enabled=True
),
capacity=opensearch.CapacityConfig(
# must be an even number since the default az count is 2.
data_nodes=2
)
)
opensearch.Domain(self, "Domain", domain_props)
In addition, you can use the vpcSubnets
property to control which specific subnets will be used, and the securityGroups
property to control
which security groups will be attached to the domain. By default, CDK will select all private subnets in the VPC, and create one dedicated security group.
Metrics
Helper methods exist to access common domain metrics for example:
# domain: opensearch.Domain
free_storage_space = domain.metric_free_storage_space()
master_sys_memory_utilization = domain.metric("MasterSysMemoryUtilization")
This module is part of the AWS Cloud Development Kit project.
Fine grained access control
The domain can also be created with a master user configured. The password can be supplied or dynamically created if not supplied.
domain = opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0,
enforce_https=True,
node_to_node_encryption=True,
encryption_at_rest=opensearch.EncryptionAtRestOptions(
enabled=True
),
fine_grained_access_control=opensearch.AdvancedSecurityOptions(
master_user_name="master-user"
)
)
master_user_password = domain.master_user_password
Using unsigned basic auth
For convenience, the domain can be configured to allow unsigned HTTP requests that use basic auth. Unless the domain is configured to be part of a VPC this means anyone can access the domain using the configured master username and password.
To enable unsigned basic auth access the domain is configured with an access policy that allows anyonmous requests, HTTPS required, node to node encryption, encryption at rest and fine grained access control.
If the above settings are not set they will be configured as part of enabling unsigned basic auth. If they are set with conflicting values, an error will be thrown.
If no master user is configured a default master user is created with the
username admin
.
If no password is configured a default master user password is created and
stored in the AWS Secrets Manager as secret. The secret has the prefix
<domain id>MasterUser
.
domain = opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0,
use_unsigned_basic_auth=True
)
master_user_password = domain.master_user_password
Custom access policies
If the domain requires custom access control it can be configured either as a constructor property, or later by means of a helper method.
For simple permissions the accessPolicies
constructor may be sufficient:
domain = opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0,
access_policies=[
iam.PolicyStatement(
actions=["es:*ESHttpPost", "es:ESHttpPut*"],
effect=iam.Effect.ALLOW,
principals=[iam.AccountPrincipal("123456789012")],
resources=["*"]
)
]
)
For more complex use-cases, for example, to set the domain up to receive data from a
cross-account Kinesis Firehose the addAccessPolicies
helper method
allows for policies that include the explicit domain ARN.
domain = opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0
)
domain.add_access_policies(
iam.PolicyStatement(
actions=["es:ESHttpPost", "es:ESHttpPut"],
effect=iam.Effect.ALLOW,
principals=[iam.AccountPrincipal("123456789012")],
resources=[domain.domain_arn, f"{domain.domainArn}/*"]
),
iam.PolicyStatement(
actions=["es:ESHttpGet"],
effect=iam.Effect.ALLOW,
principals=[iam.AccountPrincipal("123456789012")],
resources=[f"{domain.domainArn}/_all/_settings", f"{domain.domainArn}/_cluster/stats", f"{domain.domainArn}/index-name*/_mapping/type-name", f"{domain.domainArn}/roletest*/_mapping/roletest", f"{domain.domainArn}/_nodes", f"{domain.domainArn}/_nodes/stats", f"{domain.domainArn}/_nodes/*/stats", f"{domain.domainArn}/_stats", f"{domain.domainArn}/index-name*/_stats", f"{domain.domainArn}/roletest*/_stat"
]
))
Audit logs
Audit logs can be enabled for a domain, but only when fine grained access control is enabled.
domain = opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0,
enforce_https=True,
node_to_node_encryption=True,
encryption_at_rest=opensearch.EncryptionAtRestOptions(
enabled=True
),
fine_grained_access_control=opensearch.AdvancedSecurityOptions(
master_user_name="master-user"
),
logging=opensearch.LoggingOptions(
audit_log_enabled=True,
slow_search_log_enabled=True,
app_log_enabled=True,
slow_index_log_enabled=True
)
)
UltraWarm
UltraWarm nodes can be enabled to provide a cost-effective way to store large amounts of read-only data.
domain = opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0,
capacity=opensearch.CapacityConfig(
master_nodes=2,
warm_nodes=2,
warm_instance_type="ultrawarm1.medium.search"
)
)
Custom endpoint
Custom endpoints can be configured to reach the domain under a custom domain name.
opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0,
custom_endpoint=opensearch.CustomEndpointOptions(
domain_name="search.example.com"
)
)
It is also possible to specify a custom certificate instead of the auto-generated one.
Additionally, an automatic CNAME-Record is created if a hosted zone is provided for the custom endpoint
Advanced options
Advanced options can used to configure additional options.
opensearch.Domain(self, "Domain",
version=opensearch.EngineVersion.OPENSEARCH_1_0,
advanced_options={
"rest.action.multi.allow_explicit_index": "false",
"indices.fielddata.cache.size": "25",
"indices.query.bool.max_clause_count": "2048"
}
)
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file aws-cdk.aws-opensearchservice-1.204.0.tar.gz
.
File metadata
- Download URL: aws-cdk.aws-opensearchservice-1.204.0.tar.gz
- Upload date:
- Size: 230.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.2
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 241ab1f6f86fa05d1ea21d3168df9f775994acadac09ee1e026741ffb8867f82 |
|
MD5 | f2ce1fdad66412aa634be9ae55a59702 |
|
BLAKE2b-256 | dbd19202d2a38f86ed52ca80efe6168665503b61523080a0702d413a98cf7f85 |
File details
Details for the file aws_cdk.aws_opensearchservice-1.204.0-py3-none-any.whl
.
File metadata
- Download URL: aws_cdk.aws_opensearchservice-1.204.0-py3-none-any.whl
- Upload date:
- Size: 229.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.2
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | c09fe7676f4360b0671ab89d87c726c94cc4ac159510f30d4811f91e0baa0403 |
|
MD5 | 086b9ffadc052b0dbc65b102dd6dc8ae |
|
BLAKE2b-256 | 399cb82fb6f307a1ed83364830842073ee5286fdffa0e7d8a3ac6eea17bcbd6d |