AWS::Elasticsearch::Domain
The AWS::Elasticsearch::Domain resource creates an Amazon Elasticsearch Service (Amazon ES) domain.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::Elasticsearch::Domain",
  "Properties" : {
      "AccessPolicies" : Json,
      "AdvancedOptions" : {Key : Value, ...},
      "AdvancedSecurityOptions" : AdvancedSecurityOptionsInput,
      "CognitoOptions" : CognitoOptions,
      "DomainEndpointOptions" : DomainEndpointOptions,
      "DomainName" : String,
      "EBSOptions" : EBSOptions,
      "ElasticsearchClusterConfig" : ElasticsearchClusterConfig,
      "ElasticsearchVersion" : String,
      "EncryptionAtRestOptions" : EncryptionAtRestOptions,
      "LogPublishingOptions" : {Key : Value, ...},
      "NodeToNodeEncryptionOptions" : NodeToNodeEncryptionOptions,
      "SnapshotOptions" : SnapshotOptions,
      "Tags" : [ Tag, ... ],
      "VPCOptions" : VPCOptions
    }
}
YAML
Type: AWS::Elasticsearch::Domain
Properties:
  AccessPolicies: Json
  AdvancedOptions:
    Key : Value
  AdvancedSecurityOptions:
    AdvancedSecurityOptionsInput
  CognitoOptions:
    CognitoOptions
  DomainEndpointOptions:
    DomainEndpointOptions
  DomainName: String
  EBSOptions:
    EBSOptions
  ElasticsearchClusterConfig:
    ElasticsearchClusterConfig
  ElasticsearchVersion: String
  EncryptionAtRestOptions:
    EncryptionAtRestOptions
  LogPublishingOptions:
    Key : Value
  NodeToNodeEncryptionOptions:
    NodeToNodeEncryptionOptions
  SnapshotOptions:
    SnapshotOptions
  Tags:
    - Tag
  VPCOptions:
    VPCOptions
Properties
AccessPolicies
An AWS Identity and Access Management (IAM) policy document that specifies who can access the Amazon ES domain and their permissions. For more information, see Configuring Access Policies in the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: Json
Update requires: No interruption
AdvancedOptions
Additional options to specify for the Amazon ES domain. For more information, see Configuring Advanced Options in the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: Map of String
Update requires: No interruption
AdvancedSecurityOptions
Specifies options for fine-grained access control.
Required: No
Type: AdvancedSecurityOptionsInput
Update requires: Replacement
CognitoOptions
Configures Amazon ES to use Amazon Cognito authentication for Kibana.
Required: No
Type: CognitoOptions
Update requires: No interruption
DomainEndpointOptions
Specifies additional options for the domain endpoint, such as whether to require HTTPS for all traffic or whether to use a custom endpoint rather than the default endpoint.
Required: No
Type: DomainEndpointOptions
Update requires: No interruption
DomainName
A name for the Amazon ES domain. For valid values, see the DomainName data type in the Amazon Elasticsearch Service Developer Guide. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the domain name. For more information, see Name Type.
Important: If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement
EBSOptions
The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the Amazon ES domain. For more information, see Configuring EBS-based Storage in the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: EBSOptions
Update requires: No interruption
ElasticsearchClusterConfig
ElasticsearchClusterConfig is a property of the AWS::Elasticsearch::Domain resource that configures the cluster of an Amazon Elasticsearch Service (Amazon ES) domain.
Required: No
Type: ElasticsearchClusterConfig
Update requires: No interruption
ElasticsearchVersion
The version of Elasticsearch to use, such as 2.3. If not specified, 1.5 is used as the default. For information about the versions that Amazon ES supports, see the Elasticsearch-Version parameter for the CreateElasticsearchDomain action in the Amazon Elasticsearch Service Developer Guide.
If you set the UpgradeElasticsearchVersion update policy to true, you can update ElasticsearchVersion without interruption. When UpgradeElasticsearchVersion is set to false, or is not specified, updating ElasticsearchVersion results in replacement.
Required: No
Type: String
Update requires: Some interruptions
EncryptionAtRestOptions
Whether the domain should encrypt data at rest, and if so, the AWS Key Management Service (KMS) key to use. Can only be used to create a new domain, not update an existing one.
Required: No
Type: EncryptionAtRestOptions
Update requires: Replacement
LogPublishingOptions
An object with one or more of the following keys: SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS, INDEX_SLOW_LOGS, AUDIT_LOGS, depending on the types of logs you want to publish. Each key needs a valid LogPublishingOption value. See here for the full syntax.
Required: No
Type: Map of LogPublishingOption
Update requires: No interruption
NodeToNodeEncryptionOptions
Specifies whether node-to-node encryption is enabled.
Required: No
Type: NodeToNodeEncryptionOptions
Update requires: Replacement
SnapshotOptions
The automated snapshot configuration for the Amazon ES domain indices.
Required: No
Type: SnapshotOptions
Update requires: No interruption
Tags
An arbitrary set of tags (key–value pairs) to associate with the Amazon ES domain.
Required: No
Type: List of Tag
Update requires: No interruption
VPCOptions
The virtual private cloud (VPC) configuration for the Amazon ES domain. For more information, see VPC Support for Amazon Elasticsearch Service Domains in the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: VPCOptions
Update requires: No interruption
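A template check for the security-relevant properties described above, as an added example (not part of the original documentation or of AWS tooling). It assumes the template is already parsed into a dict with AccessPolicies as an inline object; the sub-property names Enabled and EnforceHTTPS come from the linked property types rather than this page, and the sample template is constructed.

```python
def _on(value):
    # CloudFormation accepts true or "true". An intrinsic function (a dict)
    # cannot be resolved offline, so it counts as "not statically true".
    return str(value).lower() == "true"

def _any_principal(principal):
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return "*" in (aws if isinstance(aws, list) else [aws])

def audit_domain(name, props):
    """Return findings for one AWS::Elasticsearch::Domain Properties map."""
    out = []
    for prop, key in (("EncryptionAtRestOptions", "Enabled"),
                      ("NodeToNodeEncryptionOptions", "Enabled"),
                      ("DomainEndpointOptions", "EnforceHTTPS")):
        if not _on((props.get(prop) or {}).get(key)):
            out.append(f"{name}: {prop}.{key} is not true")
    if "VPCOptions" not in props:
        out.append(f"{name}: no VPCOptions, so the endpoint is public")
    stmts = (props.get("AccessPolicies") or {}).get("Statement", [])
    for s in stmts if isinstance(stmts, list) else [stmts]:
        if (s.get("Effect") == "Allow" and "Condition" not in s
                and _any_principal(s.get("Principal"))):
            out.append(f"{name}: AccessPolicies allows any principal")
    return out

def audit_template(template):
    """Audit every Elasticsearch domain in a parsed template (a dict)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::Elasticsearch::Domain":
            findings += audit_domain(name, res.get("Properties", {}))
    return findings

# Constructed sample input: one permissive domain and one hardened domain.
SAMPLE = {"Resources": {
    "WeakDomain": {"Type": "AWS::Elasticsearch::Domain", "Properties": {
        "AccessPolicies": {"Statement": [{"Effect": "Allow", "Action": "es:*",
            "Principal": {"AWS": "*"}, "Resource": "*"}]}}},
    "HardenedDomain": {"Type": "AWS::Elasticsearch::Domain", "Properties": {
        "EncryptionAtRestOptions": {"Enabled": True},
        "NodeToNodeEncryptionOptions": {"Enabled": "true"},
        "DomainEndpointOptions": {"EnforceHTTPS": True},
        "VPCOptions": {"SubnetIds": ["subnet-EXAMPLE"]},
        "AccessPolicies": {"Statement": [{
            "Effect": "Allow", "Action": "es:ESHttpGet", "Resource": "*",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/es-user"}}]}}},
}}

print("\n".join(audit_template(SAMPLE)))
```

EncryptionAtRestOptions and NodeToNodeEncryptionOptions both require replacement on update, so findings for them are cheapest to fix before the domain is first created.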
Return values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource name, such as mystack-elasticsea-abc1d2efg3h4.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Fn::GetAtt returns a value for a specified attribute of this type. For more information, see Fn::GetAtt. The following are the available attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the domain, such as arn:aws:es:us-west-2:123456789012:domain/mystack-elasti-1ab2cdefghij. This returned value is the same as the one returned by AWS::Elasticsearch::Domain.DomainArn.
DomainArn
The Amazon Resource Name (ARN) of the domain, such as arn:aws:es:us-west-2:123456789012:domain/mystack-elasti-1ab2cdefghij. This returned value is the same as the one returned by AWS::Elasticsearch::Domain.Arn.
DomainEndpoint
The domain-specific endpoint that's used for requests to the Elasticsearch APIs, such as search-mystack-elasti-1ab2cdefghij-ab1c2deckoyb3hofw7wpqa3cm.us-west-1.es.amazonaws.com.
Examples
Create an Amazon ES domain that contains two data nodes and three master nodes
The following example creates an Amazon ES domain running Elasticsearch 7.4 that contains two data nodes and three dedicated master nodes. The domain has 40 GiB of storage and enables log publishing for application logs, search slow logs, and index slow logs. The access policy permits the root user for the AWS account to make all HTTP requests to the domain, such as indexing documents or searching indices.
JSON
"ElasticsearchDomain": {
  "Type": "AWS::Elasticsearch::Domain",
  "Properties": {
    "DomainName": "test",
    "ElasticsearchClusterConfig": {
      "DedicatedMasterEnabled": "true",
      "InstanceCount": "2",
      "ZoneAwarenessEnabled": "true",
      "InstanceType": "m3.medium.elasticsearch",
      "DedicatedMasterType": "m3.medium.elasticsearch",
      "DedicatedMasterCount": "3"
    },
    "EBSOptions": {
      "EBSEnabled": true,
      "Iops": 0,
      "VolumeSize": 20,
      "VolumeType": "gp2"
    },
    "SnapshotOptions": {
      "AutomatedSnapshotStartHour": "0"
    },
    "AccessPolicies": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/es-user"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*"
        }
      ]
    },
    "AdvancedOptions": {
      "rest.action.multi.allow_explicit_index": "true"
    }
  }
}
YAML
ElasticsearchDomain:
  Type: AWS::Elasticsearch::Domain
  Properties:
    DomainName: "test"
    ElasticsearchClusterConfig:
      DedicatedMasterEnabled: "true"
      InstanceCount: "2"
      ZoneAwarenessEnabled: "true"
      InstanceType: "m3.medium.elasticsearch"
      DedicatedMasterType: "m3.medium.elasticsearch"
      DedicatedMasterCount: "3"
    EBSOptions:
      EBSEnabled: true
      Iops: 0
      VolumeSize: 20
      VolumeType: "gp2"
    SnapshotOptions:
      AutomatedSnapshotStartHour: "0"
    AccessPolicies:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            AWS: "arn:aws:iam::123456789012:user/es-user"
          Action: "es:*"
          Resource: "arn:aws:es:us-east-1:123456789012:domain/test/*"
    AdvancedOptions:
      rest.action.multi.allow_explicit_index: "true"
Create a domain with VPC options
The following example creates a domain with VPC options.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ElasticsearchDomain resource",
  "Parameters": {
    "DomainName": {
      "Description": "User defined Elasticsearch Domain name",
      "Type": "String"
    },
    "ElasticsearchVersion": {
      "Description": "User defined Elasticsearch Version",
      "Type": "String"
    },
    "InstanceType": {
      "Type": "String"
    },
    "AvailabilityZone": {
      "Type": "String"
    },
    "CidrBlock": {
      "Type": "String"
    },
    "GroupDescription": {
      "Type": "String"
    },
    "SGName": {
      "Type": "String"
    }
  },
  "Resources": {
    "ElasticsearchDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "DomainName": {
          "Ref": "DomainName"
        },
        "ElasticsearchVersion": {
          "Ref": "ElasticsearchVersion"
        },
        "ElasticsearchClusterConfig": {
          "InstanceCount": "1",
          "InstanceType": {
            "Ref": "InstanceType"
          }
        },
        "EBSOptions": {
          "EBSEnabled": "true",
          "Iops": 0,
          "VolumeSize": 10,
          "VolumeType": "standard"
        },
        "SnapshotOptions": {
          "AutomatedSnapshotStartHour": "0"
        },
        "AccessPolicies": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Deny",
              "Principal": {
                "AWS": "*"
              },
              "Action": "es:*",
              "Resource": "*"
            }
          ]
        },
        "LogPublishingOptions": {
          "SEARCH_SLOW_LOGS": {
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
            "Enabled": "true"
          },
          "INDEX_SLOW_LOGS": {
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs",
            "Enabled": "true"
          }
        },
        "AdvancedOptions": {
          "rest.action.multi.allow_explicit_index": "true"
        },
        "Tags": [
          {
            "Key": "foo",
            "Value": "bar"
          }
        ],
        "VPCOptions": {
          "SubnetIds": [
            {
              "Ref": "subnet"
            }
          ],
          "SecurityGroupIds": [
            {
              "Ref": "mySecurityGroup"
            }
          ]
        }
      }
    },
    "vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16"
      }
    },
    "subnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": {
          "Ref": "vpc"
        },
        "CidrBlock": {
          "Ref": "CidrBlock"
        },
        "AvailabilityZone": {
          "Ref": "AvailabilityZone"
        }
      }
    },
    "mySecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": {
          "Ref": "GroupDescription"
        },
        "VpcId": {
          "Ref": "vpc"
        },
        "GroupName": {
          "Ref": "SGName"
        },
        "SecurityGroupIngress": [
          {
            "FromPort": "443",
            "IpProtocol": "tcp",
            "ToPort": "443",
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  },
  "Outputs": {
    "DomainArn": {
      "Value": {
        "Fn::GetAtt": [
          "ElasticsearchDomain",
          "DomainArn"
        ]
      }
    },
    "DomainEndpoint": {
      "Value": {
        "Fn::GetAtt": [
          "ElasticsearchDomain",
          "DomainEndpoint"
        ]
      }
    },
    "SecurityGroupId": {
      "Value": {
        "Ref": "mySecurityGroup"
      }
    },
    "SubnetId": {
      "Value": {
        "Ref": "subnet"
      }
    }
  }
}
YAML
AWSTemplateFormatVersion: '2010-09-09'
Description: ElasticsearchDomain resource
Parameters:
  DomainName:
    Description: User defined Elasticsearch Domain name
    Type: String
  ElasticsearchVersion:
    Description: User defined Elasticsearch Version
    Type: String
  InstanceType:
    Type: String
  AvailabilityZone:
    Type: String
  CidrBlock:
    Type: String
  GroupDescription:
    Type: String
  SGName:
    Type: String
Resources:
  ElasticsearchDomain:
    Type: 'AWS::Elasticsearch::Domain'
    Properties:
      DomainName:
        Ref: DomainName
      ElasticsearchVersion:
        Ref: ElasticsearchVersion
      ElasticsearchClusterConfig:
        InstanceCount: '1'
        InstanceType:
          Ref: InstanceType
      EBSOptions:
        EBSEnabled: 'true'
        Iops: 0
        VolumeSize: 10
        VolumeType: standard
      SnapshotOptions:
        AutomatedSnapshotStartHour: '0'
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Principal:
              AWS: '*'
            Action: 'es:*'
            Resource: '*'
      LogPublishingOptions:
        SEARCH_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
          Enabled: 'true'
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs
          Enabled: 'true'
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: 'true'
      Tags:
        - Key: foo
          Value: bar
      VPCOptions:
        SubnetIds:
          - Ref: subnet
        SecurityGroupIds:
          - Ref: mySecurityGroup
  vpc:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
  subnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId:
        Ref: vpc
      CidrBlock:
        Ref: CidrBlock
      AvailabilityZone:
        Ref: AvailabilityZone
  mySecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription:
        Ref: GroupDescription
      VpcId:
        Ref: vpc
      GroupName:
        Ref: SGName
      SecurityGroupIngress:
        - FromPort: '443'
          IpProtocol: tcp
          ToPort: '443'
          CidrIp: 0.0.0.0/0
Outputs:
  DomainArn:
    Value:
      'Fn::GetAtt':
        - ElasticsearchDomain
        - DomainArn
  DomainEndpoint:
    Value:
      'Fn::GetAtt':
        - ElasticsearchDomain
        - DomainEndpoint
  SecurityGroupId:
    Value:
      Ref: mySecurityGroup
  SubnetId:
    Value:
      Ref: subnet