AWS::Elasticsearch::Domain - AWS CloudFormation

AWS::Elasticsearch::Domain

The AWS::Elasticsearch::Domain resource creates an Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) domain.

Important

The AWS::Elasticsearch::Domain resource is being replaced by the AWS::OpenSearchService::Domain resource. While the legacy Elasticsearch resource and options are still supported, we recommend modifying your existing CloudFormation templates to use the new OpenSearch Service resource, which supports both OpenSearch and Elasticsearch. For more information about the service rename, see New resource types in the Amazon OpenSearch Service Developer Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

Properties

AccessPolicies

An AWS Identity and Access Management (IAM) policy document that specifies who can access the OpenSearch Service domain and their permissions. For more information, see Configuring access policies in the Amazon OpenSearch Service Developer Guide.

Required: No

Type: Json

Update requires: No interruption

AdvancedOptions

Additional options to specify for the OpenSearch Service domain. For more information, see Advanced cluster parameters in the Amazon OpenSearch Service Developer Guide.

Required: No

Type: Map of String

Update requires: No interruption

AdvancedSecurityOptions

Specifies options for fine-grained access control.

Required: No

Type: AdvancedSecurityOptionsInput

Update requires: Replacement

CognitoOptions

Configures OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.

Required: No

Type: CognitoOptions

Update requires: No interruption

DomainEndpointOptions

Specifies additional options for the domain endpoint, such as whether to require HTTPS for all traffic or whether to use a custom endpoint rather than the default endpoint.

Required: No

Type: DomainEndpointOptions

Update requires: No interruption

DomainName

A name for the OpenSearch Service domain. For valid values, see the DomainName data type in the Amazon OpenSearch Service Developer Guide. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the domain name. For more information, see Name Type.

Important

If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

Required: No

Type: String

Update requires: Replacement

EBSOptions

The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the OpenSearch Service domain. For more information, see EBS volume size limits in the Amazon OpenSearch Service Developer Guide.

Required: No

Type: EBSOptions

Update requires: No interruption

ElasticsearchClusterConfig

ElasticsearchClusterConfig is a property of the AWS::Elasticsearch::Domain resource that configures the cluster of an Amazon OpenSearch Service domain.

Required: No

Type: ElasticsearchClusterConfig

Update requires: No interruption

ElasticsearchVersion

The version of Elasticsearch to use, such as 2.3. If not specified, 1.5 is used as the default. For information about the versions that OpenSearch Service supports, see Supported versions of OpenSearch and Elasticsearch in the Amazon OpenSearch Service Developer Guide.

If you set the EnableVersionUpgrade update policy to true, you can update ElasticsearchVersion without interruption. When EnableVersionUpgrade is set to false, or is not specified, updating ElasticsearchVersion results in replacement.

Required: No

Type: String

Update requires: Some interruptions

EncryptionAtRestOptions

Whether the domain should encrypt data at rest, and if so, the AWS Key Management Service key to use. See Encryption of data at rest for Amazon OpenSearch Service.

Required: No

Type: EncryptionAtRestOptions

Update requires: Some interruptions

LogPublishingOptions

An object with one or more of the following keys: SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS, INDEX_SLOW_LOGS, AUDIT_LOGS, depending on the types of logs you want to publish. Each key needs a valid LogPublishingOption value.

Required: No

Type: Map of LogPublishingOption

Update requires: No interruption

NodeToNodeEncryptionOptions

Specifies whether node-to-node encryption is enabled. See Node-to-node encryption for Amazon OpenSearch Service.

Required: No

Type: NodeToNodeEncryptionOptions

Update requires: Some interruptions

SnapshotOptions

DEPRECATED. The automated snapshot configuration for the OpenSearch Service domain indices.

Required: No

Type: SnapshotOptions

Update requires: No interruption

Tags

An arbitrary set of tags (key–value pairs) to associate with the OpenSearch Service domain.

Required: No

Type: List of Tag

Update requires: No interruption

VPCOptions

The virtual private cloud (VPC) configuration for the OpenSearch Service domain. For more information, see Launching your Amazon OpenSearch Service domains within a VPC in the Amazon OpenSearch Service Developer Guide.

Required: No

Type: VPCOptions

Update requires: No interruption

Return values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource name, such as mystack-elasticsea-abc1d2efg3h4. For more information about using the Ref function, see Ref.

Fn::GetAtt

Fn::GetAtt returns a value for a specified attribute of this type. For more information, see Fn::GetAtt. The following are the available attributes and sample return values.

Arn

The Amazon Resource Name (ARN) of the domain, such as arn:aws:es:us-west-2:123456789012:domain/mystack-elasti-1ab2cdefghij. This returned value is the same as the one returned by AWS::Elasticsearch::Domain.DomainArn.

DomainArn

The Amazon Resource Name (ARN) of the domain, such as arn:aws:es:us-west-2:123456789012:domain/mystack-elasti-1ab2cdefghij. This returned value is the same as the one returned by AWS::Elasticsearch::Domain.Arn.

DomainEndpoint

The domain-specific endpoint that's used for requests to the OpenSearch APIs, such as search-mystack-elasti-1ab2cdefghij-ab1c2deckoyb3hofw7wpqa3cm.us-west-1.es.amazonaws.com.

Examples

Create an OpenSearch Service domain that contains two data nodes and three master nodes

The following example creates an OpenSearch Service domain running Elasticsearch 7.10 that contains two data nodes and three dedicated master nodes. The domain has 40 GiB of storage and enables log publishing for application logs, search slow logs, and index slow logs. The access policy permits the root user for the AWS account to make all HTTP requests to the domain, such as indexing documents or searching indices.

JSON

"ElasticsearchDomain": {
  "Type": "AWS::Elasticsearch::Domain",
  "Properties": {
    "DomainName": "test",
    "ElasticsearchVersion": "7.10",
    "ElasticsearchClusterConfig": {
      "DedicatedMasterEnabled": true,
      "InstanceCount": "2",
      "ZoneAwarenessEnabled": true,
      "InstanceType": "m3.medium.elasticsearch",
      "DedicatedMasterType": "m3.medium.elasticsearch",
      "DedicatedMasterCount": "3"
    },
    "EBSOptions": {
      "EBSEnabled": true,
      "Iops": "0",
      "VolumeSize": "20",
      "VolumeType": "gp2"
    },
    "AccessPolicies": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/es-user"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*"
        }
      ]
    },
    "LogPublishingOptions": {
      "ES_APPLICATION_LOGS": {
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-application-logs",
        "Enabled": true
      },
      "SEARCH_SLOW_LOGS": {
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-slow-logs",
        "Enabled": true
      },
      "INDEX_SLOW_LOGS": {
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-index-slow-logs",
        "Enabled": true
      }
    },
    "AdvancedOptions": {
      "rest.action.multi.allow_explicit_index": true
    }
  }
}

YAML

ElasticsearchDomain:
  Type: AWS::Elasticsearch::Domain
  Properties:
    DomainName: 'test'
    ElasticsearchVersion: '7.10'
    ElasticsearchClusterConfig:
      DedicatedMasterEnabled: true
      InstanceCount: '2'
      ZoneAwarenessEnabled: true
      InstanceType: 'm3.medium.elasticsearch'
      DedicatedMasterType: 'm3.medium.elasticsearch'
      DedicatedMasterCount: '3'
    EBSOptions:
      EBSEnabled: true
      Iops: '0'
      VolumeSize: '20'
      VolumeType: 'gp2'
    AccessPolicies:
      Version: '2012-10-17'
      Statement:
        - Effect: 'Allow'
          Principal:
            AWS: 'arn:aws:iam::123456789012:user/es-user'
          Action: 'es:*'
          # Same account ID as the principal and as the JSON version of this example.
          Resource: 'arn:aws:es:us-east-1:123456789012:domain/test/*'
    LogPublishingOptions:
      ES_APPLICATION_LOGS:
        CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-application-logs'
        Enabled: true
      SEARCH_SLOW_LOGS:
        CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-slow-logs'
        Enabled: true
      INDEX_SLOW_LOGS:
        CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-index-slow-logs'
        Enabled: true
    AdvancedOptions:
      rest.action.multi.allow_explicit_index: true

Create a domain with VPC options

The following example creates a domain with VPC options.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ElasticsearchDomain resource",
  "Parameters": {
    "DomainName": {
      "Description": "User defined Elasticsearch Domain name",
      "Type": "String"
    },
    "ElasticsearchVersion": {
      "Description": "User defined Elasticsearch Version",
      "Type": "String"
    },
    "InstanceType": {
      "Type": "String"
    },
    "AvailabilityZone": {
      "Type": "String"
    },
    "CidrBlock": {
      "Type": "String"
    },
    "GroupDescription": {
      "Type": "String"
    },
    "SGName": {
      "Type": "String"
    }
  },
  "Resources": {
    "ElasticsearchDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "DomainName": {
          "Ref": "DomainName"
        },
        "ElasticsearchVersion": {
          "Ref": "ElasticsearchVersion"
        },
        "ElasticsearchClusterConfig": {
          "InstanceCount": "1",
          "InstanceType": {
            "Ref": "InstanceType"
          }
        },
        "EBSOptions": {
          "EBSEnabled": true,
          "Iops": "0",
          "VolumeSize": "10",
          "VolumeType": "standard"
        },
        "AccessPolicies": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Deny",
              "Principal": {
                "AWS": "*"
              },
              "Action": "es:*",
              "Resource": "*"
            }
          ]
        },
        "AdvancedOptions": {
          "rest.action.multi.allow_explicit_index": true
        },
        "Tags": [
          {
            "Key": "foo",
            "Value": "bar"
          }
        ],
        "VPCOptions": {
          "SubnetIds": [
            {
              "Ref": "subnet"
            }
          ],
          "SecurityGroupIds": [
            {
              "Ref": "mySecurityGroup"
            }
          ]
        }
      }
    },
    "vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16"
      }
    },
    "subnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": {
          "Ref": "vpc"
        },
        "CidrBlock": {
          "Ref": "CidrBlock"
        },
        "AvailabilityZone": {
          "Ref": "AvailabilityZone"
        }
      }
    },
    "mySecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": {
          "Ref": "GroupDescription"
        },
        "VpcId": {
          "Ref": "vpc"
        },
        "GroupName": {
          "Ref": "SGName"
        },
        "SecurityGroupIngress": [
          {
            "FromPort": 443,
            "IpProtocol": "tcp",
            "ToPort": 443,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  },
  "Outputs": {
    "DomainArn": {
      "Value": {
        "Fn::GetAtt": [
          "ElasticsearchDomain",
          "DomainArn"
        ]
      }
    },
    "DomainEndpoint": {
      "Value": {
        "Fn::GetAtt": [
          "ElasticsearchDomain",
          "DomainEndpoint"
        ]
      }
    },
    "SecurityGroupId": {
      "Value": {
        "Ref": "mySecurityGroup"
      }
    },
    "SubnetId": {
      "Value": {
        "Ref": "subnet"
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: '2010-09-09'
Description: ElasticsearchDomain resource
Parameters:
  DomainName:
    Description: User-defined Elasticsearch domain name
    Type: String
  ElasticsearchVersion:
    Description: User-defined Elasticsearch version
    Type: String
  InstanceType:
    Type: String
  AvailabilityZone:
    Type: String
  CidrBlock:
    Type: String
  GroupDescription:
    Type: String
  SGName:
    Type: String
Resources:
  ElasticsearchDomain:
    Type: 'AWS::Elasticsearch::Domain'
    Properties:
      DomainName:
        Ref: DomainName
      ElasticsearchVersion:
        Ref: ElasticsearchVersion
      ElasticsearchClusterConfig:
        InstanceCount: '1'
        InstanceType:
          Ref: InstanceType
      EBSOptions:
        EBSEnabled: true
        Iops: '0'
        VolumeSize: '10'
        VolumeType: 'standard'
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Principal:
              AWS: '*'
            Action: 'es:*'
            Resource: '*'
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: true
      Tags:
        - Key: foo
          Value: bar
      VPCOptions:
        SubnetIds:
          - Ref: subnet
        SecurityGroupIds:
          - Ref: mySecurityGroup
  vpc:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
  subnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId:
        Ref: vpc
      CidrBlock:
        Ref: CidrBlock
      AvailabilityZone:
        Ref: AvailabilityZone
  mySecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription:
        Ref: GroupDescription
      VpcId:
        Ref: vpc
      GroupName:
        Ref: SGName
      SecurityGroupIngress:
        - FromPort: 443
          IpProtocol: tcp
          ToPort: 443
          CidrIp: 0.0.0.0/0
Outputs:
  DomainArn:
    Value:
      'Fn::GetAtt':
        - ElasticsearchDomain
        - DomainArn
  DomainEndpoint:
    Value:
      'Fn::GetAtt':
        - ElasticsearchDomain
        - DomainEndpoint
  SecurityGroupId:
    Value:
      Ref: mySecurityGroup
  SubnetId:
    Value:
      Ref: subnet
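
Check a domain resource for the security-relevant properties described above

The following Python check is an added example, not part of the AWS documentation: it reads one AWS::Elasticsearch::Domain resource (already parsed into a dict) and reports which of the EncryptionAtRestOptions, NodeToNodeEncryptionOptions, DomainEndpointOptions, LogPublishingOptions (AUDIT_LOGS), VPCOptions and AccessPolicies settings are absent or permissive. The Enabled and EnforceHTTPS keys come from those properties' own types rather than from this page; the function names and finding IDs are hypothetical.

```python
def _on(value):
    # CloudFormation templates carry booleans as true or as the string "true".
    return str(value).lower() == "true"

def _flag(section, key="Enabled"):
    # An intrinsic such as {"Ref": ...} has no literal flag and counts as unset.
    return isinstance(section, dict) and _on(section.get(key))

def _wildcard(principal):
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def audit_domain(resource):
    """Return finding ids for one AWS::Elasticsearch::Domain resource dict."""
    if resource.get("Type") != "AWS::Elasticsearch::Domain":
        raise ValueError("not an AWS::Elasticsearch::Domain resource")
    props = resource.get("Properties") or {}
    findings = []
    if not _flag(props.get("EncryptionAtRestOptions")):
        findings.append("encryption-at-rest-off")
    if not _flag(props.get("NodeToNodeEncryptionOptions")):
        findings.append("node-to-node-encryption-off")
    if not _flag(props.get("DomainEndpointOptions"), "EnforceHTTPS"):
        findings.append("https-not-enforced")
    if not _flag((props.get("LogPublishingOptions") or {}).get("AUDIT_LOGS")):
        findings.append("audit-logs-off")
    if not props.get("VPCOptions"):
        findings.append("no-vpc-options")
    policy = props.get("AccessPolicies")
    statements = policy.get("Statement", []) if isinstance(policy, dict) else []
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if (stmt.get("Effect") == "Allow" and _wildcard(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append("wildcard-allow-without-condition")
            break
    return findings

# Constructed sample, trimmed from the first example on this page.
PAGE_EXAMPLE = {"Type": "AWS::Elasticsearch::Domain", "Properties": {
    "DomainName": "test",
    "AccessPolicies": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/es-user"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*"}]},
    "LogPublishingOptions": {"ES_APPLICATION_LOGS": {"Enabled": True}}}}

if __name__ == "__main__":
    print(audit_domain(PAGE_EXAMPLE))
```

The check only sees literal values in the template; a property supplied through Ref or another intrinsic function is reported as unset and needs manual review.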