AWS::Elasticsearch::Domain - AWS CloudFormation

AWS::Elasticsearch::Domain

The AWS::Elasticsearch::Domain resource creates an Amazon OpenSearch Service domain.

Important

The AWS::Elasticsearch::Domain resource is being replaced by the AWS::OpenSearchService::Domain resource. While the legacy Elasticsearch resource and options are still supported, we recommend modifying your existing Cloudformation templates to use the new OpenSearch Service resource, which supports both OpenSearch and legacy Elasticsearch. For instructions to upgrade domains defined within CloudFormation from Elasticsearch to OpenSearch, see Remarks.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

Properties

AccessPolicies

An AWS Identity and Access Management (IAM) policy document that specifies who can access the OpenSearch Service domain and their permissions. For more information, see Configuring access policies in the Amazon OpenSearch Service Developer Guide.

Required: No

Type: Json

Update requires: No interruption

AdvancedOptions

Additional options to specify for the OpenSearch Service domain. For more information, see Advanced cluster parameters in the Amazon OpenSearch Service Developer Guide.

Required: No

Type: Object of String

Pattern: [a-zA-Z0-9]+

Update requires: No interruption

AdvancedSecurityOptions

Specifies options for fine-grained access control.

Required: No

Type: AdvancedSecurityOptionsInput

Update requires: No interruption

CognitoOptions

Configures OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.

Required: No

Type: CognitoOptions

Update requires: No interruption

DomainEndpointOptions

Specifies additional options for the domain endpoint, such as whether to require HTTPS for all traffic or whether to use a custom endpoint rather than the default endpoint.

Required: No

Type: DomainEndpointOptions

Update requires: No interruption

DomainName

A name for the OpenSearch Service domain. For valid values, see the DomainName data type in the Amazon OpenSearch Service Developer Guide. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the domain name. For more information, see Name Type.

Important

If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

Required: Conditional

Type: String

Update requires: Replacement

EBSOptions

The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the OpenSearch Service domain. For more information, see EBS volume size limits in the Amazon OpenSearch Service Developer Guide.

Required: No

Type: EBSOptions

Update requires: No interruption

ElasticsearchClusterConfig

ElasticsearchClusterConfig is a property of the AWS::Elasticsearch::Domain resource that configures the cluster of an Amazon OpenSearch Service domain.

Required: No

Type: ElasticsearchClusterConfig

Update requires: No interruption

ElasticsearchVersion

The version of Elasticsearch to use, such as 2.3. If not specified, 1.5 is used as the default. For information about the versions that OpenSearch Service supports, see Supported versions of OpenSearch and Elasticsearch in the Amazon OpenSearch Service Developer Guide.

If you set the EnableVersionUpgrade update policy to true, you can update ElasticsearchVersion without interruption. When EnableVersionUpgrade is set to false, or is not specified, updating ElasticsearchVersion results in replacement.

Required: No

Type: String

Update requires: No interruption

EncryptionAtRestOptions

Whether the domain should encrypt data at rest, and if so, the AWS Key Management Service key to use. See Encryption of data at rest for Amazon OpenSearch Service.

Required: No

Type: EncryptionAtRestOptions

Update requires: No interruption

LogPublishingOptions

An object with one or more of the following keys: SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS, INDEX_SLOW_LOGS, AUDIT_LOGS, depending on the types of logs you want to publish. Each key needs a valid LogPublishingOption value.

Required: No

Type: Object of LogPublishingOption

Update requires: No interruption

NodeToNodeEncryptionOptions

Specifies whether node-to-node encryption is enabled. See Node-to-node encryption for Amazon OpenSearch Service.

Required: No

Type: NodeToNodeEncryptionOptions

Update requires: No interruption

SnapshotOptions

DEPRECATED. The automated snapshot configuration for the OpenSearch Service domain indices.

Required: No

Type: SnapshotOptions

Update requires: No interruption

Tags

An arbitrary set of tags (key–value pairs) to associate with the OpenSearch Service domain.

Required: No

Type: Array of Tag

Update requires: No interruption

VPCOptions

The virtual private cloud (VPC) configuration for the OpenSearch Service domain. For more information, see Launching your Amazon OpenSearch Service domains within a VPC in the Amazon OpenSearch Service Developer Guide.

Required: No

Type: VPCOptions

Update requires: No interruption

Return values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource name, such as mystack-elasticsea-abc1d2efg3h4. For more information about using the Ref function, see Ref.

Fn::GetAtt

Fn::GetAtt returns a value for a specified attribute of this type. For more information, see Fn::GetAtt. The following are the available attributes and sample return values.

Arn

The Amazon Resource Name (ARN) of the domain, such as arn:aws:es:us-west-2:123456789012:domain/mystack-elasti-1ab2cdefghij. This returned value is the same as the one returned by AWS::Elasticsearch::Domain.DomainArn.

DomainArn

The Amazon Resource Name (ARN) of the domain, such as arn:aws:es:us-west-2:123456789012:domain/mystack-elasti-1ab2cdefghij. This returned value is the same as the one returned by AWS::Elasticsearch::Domain.Arn.

DomainEndpoint

The domain-specific endpoint that's used for requests to the OpenSearch APIs, such as search-mystack-elasti-1ab2cdefghij-ab1c2deckoyb3hofw7wpqa3cm.us-west-1.es.amazonaws.com.

Remarks

Migrating stacks from Elasticsearch to OpenSearch

Important

You can't directly update a CloudFormation templates to use the AWS::OpenSearchService::Domain resource in place of AWS::Elasticsearch::Domain, otherwise the corresponding domain will be deleted along with all of its data.

Perform the following steps to migrate an Elasticsearch domain to an OpenSearch domain if the domain is defined within CloudFormation.

Step 1: Prepare your existing stack for deprecation

Make a copy of your original CloudFormation template, which contains the Elasticsearch domain resource, for use in step 3. Then add the following attributes to the Elasticsearch domain resource at the same level as Type and Properties.

DeletionPolicy: Retain

UpdateReplacePolicy: Retain

These settings ensure that CloudFormation doesn't delete or modify the corresponding domain when you delete this resource from your stack. If you have other custom resources defined in the stack that aren't critically important during the short migration period, you can delete them from the template and they'll be recreated when you create the new stack.

Step 2: Upgrade your domain to OpenSearch

After you add the two policy attributes to your template, upgrade your domain to an OpenSearch version using the normal upgrade process. For instructions, see Starting an upgrade. Make sure to take a snapshot of your domain before upgrading it to prevent accidental loss of data.

Step 3: Create a new CloudFormation template

While you wait for the upgrade to complete, prepare your new OpenSearch template. Using the copy of your original template that you made in step 1, make the following changes:

  • Change the domain resource type from AWS::Elasticsearch::Domain to AWS::OpenSearchService::Domain.

  • Add the DeletionPolicy and UpdateReplacePolicy attributes to the resource, as you did in step 1.

  • Change ElasticsearchVersion to EngineVersion and set its value to OpenSearch_1.0 (or whichever version of OpenSearch you want to upgrade to).

  • If your resource contains ElasticsearchClusterConfig, change it to ClusterConfig.

  • Change the suffixes of all instance types from .elasticsearch to .search.

  • If your template includes ColdStorageOptions, remove it, as it's not currently supported for OpenSearch resources.

  • If there are any Fn::GetAtt or !GetAtt references to your domain ARN, change them to !GetAtt MyDomain.Arn.

  • Comment out any resources not currently within the stack (most likely everything except AWS::OpenSearchService::Domain).

See the next section for examples that demonstrate the new format.

Step 4: Import the OpenSearch stack

Once your domain upgrade finishes, you can import the new stack. Within CloudFormation, choose Create stack and With existing resources (import resources), then upload the template you created in the previous step.

CloudFormation prompts you for the name (identifier value) of the existing domain. Copy the domain name directly from the OpenSearch console. Give the stack a name that's different from the current one, then choose Import resources.

After the stack is created, uncomment any related resources from the stack and update it to ensure they're recreated. You can remove the DeletionPolicy and UpdateReplacePolicy attributes if you want, but they can help prevent accidental deletions in the future.

Step 5: Delete the Elasticsearch stack

Now that your new stack is created, delete the old stack which contains the legacy Elasticsearch resource.

Important

Before deleting the old stack, make absolutely sure that the template contains the DeletionPolicy: Retain attribute.

*The above steps were partially derived from this blog post.

Examples

Create an OpenSearch Service domain that contains two data nodes and three master nodes

The following example creates an OpenSearch Service domain running Elasticsearch 7.10 that contains two data nodes and three dedicated master nodes. The domain has 40 GiB of storage and enables log publishing for application logs, search slow logs, and index slow logs. The access policy permits the root user for the AWS account to make all HTTP requests to the domain, such as indexing documents or searching indices.

JSON

"ElasticsearchDomain": { "Type":"AWS::Elasticsearch::Domain", "Properties": { "DomainName": "test", "ElasticsearchVersion": "7.10", "ElasticsearchClusterConfig": { "DedicatedMasterEnabled": true, "InstanceCount": "2", "ZoneAwarenessEnabled": true, "InstanceType": "m3.medium.elasticsearch", "DedicatedMasterType": "m3.medium.elasticsearch", "DedicatedMasterCount": "3" }, "EBSOptions":{ "EBSEnabled": true, "Iops": "0", "VolumeSize": "20", "VolumeType": "gp2" }, "AccessPolicies": { "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/es-user" }, "Action":"es:*", "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*" } ] }, "LogPublishingOptions": { "ES_APPLICATION_LOGS": { "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-application-logs", "Enabled": true }, "SEARCH_SLOW_LOGS": { "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-slow-logs", "Enabled": true }, "INDEX_SLOW_LOGS": { "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-index-slow-logs", "Enabled": true } }, "AdvancedOptions": { "rest.action.multi.allow_explicit_index": true } } }

YAML

ElasticsearchDomain: Type: AWS::Elasticsearch::Domain Properties: DomainName: 'test' ElasticsearchVersion: '7.10' ElasticsearchClusterConfig: DedicatedMasterEnabled: true InstanceCount: '2' ZoneAwarenessEnabled: true InstanceType: 'm3.medium.elasticsearch' DedicatedMasterType: 'm3.medium.elasticsearch' DedicatedMasterCount: '3' EBSOptions: EBSEnabled: true Iops: '0' VolumeSize: '20' VolumeType: 'gp2' AccessPolicies: Version: '2012-10-17' Statement: - Effect: 'Allow' Principal: AWS: 'arn:aws:iam::123456789012:user/es-user' Action: 'es:*' Resource: 'arn:aws:es:us-east-1:846973539254:domain/test/*' LogPublishingOptions: ES_APPLICATION_LOGS: CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-application-logs' Enabled: true SEARCH_SLOW_LOGS: CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-slow-logs' Enabled: true INDEX_SLOW_LOGS: CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-index-slow-logs' Enabled: true AdvancedOptions: rest.action.multi.allow_explicit_index: true

Create a domain with VPC options

The following example creates a domain with VPC options.

JSON

{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "ElasticsearchDomain resource", "Parameters": { "DomainName": { "Description": "User defined Elasticsearch Domain name", "Type": "String" }, "ElasticsearchVersion": { "Description": "User defined Elasticsearch Version", "Type": "String" }, "InstanceType": { "Type": "String" }, "AvailabilityZone": { "Type": "String" }, "CidrBlock": { "Type": "String" }, "GroupDescription": { "Type": "String" }, "SGName": { "Type": "String" } }, "Resources": { "ElasticsearchDomain": { "Type": "AWS::Elasticsearch::Domain", "Properties": { "DomainName": { "Ref": "DomainName" }, "ElasticsearchVersion": { "Ref": "ElasticsearchVersion" }, "ElasticsearchClusterConfig": { "InstanceCount": "1", "InstanceType": { "Ref": "InstanceType" } }, "EBSOptions": { "EBSEnabled": true, "Iops": "0", "VolumeSize": "10", "VolumeType": "standard" }, "AccessPolicies": { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "es:*", "Resource": "*" } ] }, "AdvancedOptions": { "rest.action.multi.allow_explicit_index": true }, "Tags": [ { "Key": "foo", "Value": "bar" } ], "VPCOptions": { "SubnetIds": [ { "Ref": "subnet" } ], "SecurityGroupIds": [ { "Ref": "mySecurityGroup" } ] } } }, "vpc": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16" } }, "subnet": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "vpc" }, "CidrBlock": { "Ref": "CidrBlock" }, "AvailabilityZone": { "Ref": "AvailabilityZone" } } }, "mySecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": { "Ref": "GroupDescription" }, "VpcId": { "Ref": "vpc" }, "GroupName": { "Ref": "SGName" }, "SecurityGroupIngress": [ { "FromPort": 443, "IpProtocol": "tcp", "ToPort": 443, "CidrIp": "0.0.0.0/0" } ] } } }, "Outputs": { "DomainArn": { "Value": { "Fn::GetAtt": [ "ElasticsearchDomain", "DomainArn" ] } }, "DomainEndpoint": { "Value": { "Fn::GetAtt": [ "ElasticsearchDomain", "DomainEndpoint" ] } }, "SecurityGroupId": { "Value": { "Ref": "mySecurityGroup" } }, "SubnetId": { "Value": { "Ref": "subnet" } } } }

YAML

AWSTemplateFormatVersion: '2010-09-09' Description: ElasticsearchDomain resource Parameters: DomainName: Description: User-defined Elasticsearch domain name Type: String ElasticsearchVersion: Description: User-defined Elasticsearch version Type: String InstanceType: Type: String AvailabilityZone: Type: String CidrBlock: Type: String GroupDescription: Type: String SGName: Type: String Resources: ElasticsearchDomain: Type: 'AWS::Elasticsearch::Domain' Properties: DomainName: Ref: DomainName ElasticsearchVersion: Ref: ElasticsearchVersion ElasticsearchClusterConfig: InstanceCount: '1' InstanceType: Ref: InstanceType EBSOptions: EBSEnabled: true Iops: '0' VolumeSize: '10' VolumeType: 'standard' AccessPolicies: Version: '2012-10-17' Statement: - Effect: Deny Principal: AWS: '*' Action: 'es:*' Resource: '*' AdvancedOptions: rest.action.multi.allow_explicit_index: true Tags: - Key: foo Value: bar VPCOptions: SubnetIds: - Ref: subnet SecurityGroupIds: - Ref: mySecurityGroup vpc: Type: 'AWS::EC2::VPC' Properties: CidrBlock: 10.0.0.0/16 subnet: Type: 'AWS::EC2::Subnet' Properties: VpcId: Ref: vpc CidrBlock: Ref: CidrBlock AvailabilityZone: Ref: AvailabilityZone mySecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: GroupDescription: Ref: GroupDescription VpcId: Ref: vpc GroupName: Ref: SGName SecurityGroupIngress: - FromPort: 443 IpProtocol: tcp ToPort: 443 CidrIp: 0.0.0.0/0 Outputs: DomainArn: Value: 'Fn::GetAtt': - ElasticsearchDomain - DomainArn DomainEndpoint: Value: 'Fn::GetAtt': - ElasticsearchDomain - DomainEndpoint SecurityGroupId: Value: Ref: mySecurityGroup SubnetId: Value: Ref: subnet