Package software.amazon.awscdk.services.opensearchservice

@Stability(Stable) @Deprecated package software.amazon.awscdk.services.opensearchservice

Deprecated.

Amazon OpenSearch Service Construct Library

---

AWS CDK v1 has reached End-of-Support on 2023-06-01. This package is no longer being updated, and users should migrate to AWS CDK v2.

For more information on how to migrate, see the Migrating to AWS CDK v2 guide.

Features | Stability -----------------------------------|---------------------------------------------------------------- CFN Resources | Higher level constructs for Domain |

CFN Resources: All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

Stable: Higher level constructs in this module that are marked stable will not undergo any breaking changes. They will strictly follow the Semantic Versioning model.

See Migrating to OpenSearch for migration instructions from @aws-cdk/aws-elasticsearch to this module, @aws-cdk/aws-opensearchservice.

Quick start

Create a development cluster by simply specifying the version:

 Domain devDomain = Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .build();
 

To perform version upgrades without replacing the entire domain, specify the enableVersionUpgrade property.

 Domain devDomain = Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .enableVersionUpgrade(true)
         .build();
 

Create a production grade cluster by also specifying things like capacity and az distribution

 Domain prodDomain = Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .capacity(CapacityConfig.builder()
                 .masterNodes(5)
                 .dataNodes(20)
                 .build())
         .ebs(EbsOptions.builder()
                 .volumeSize(20)
                 .build())
         .zoneAwareness(ZoneAwarenessConfig.builder()
                 .availabilityZoneCount(3)
                 .build())
         .logging(LoggingOptions.builder()
                 .slowSearchLogEnabled(true)
                 .appLogEnabled(true)
                 .slowIndexLogEnabled(true)
                 .build())
         .build();
 

This creates an Amazon OpenSearch Service cluster and automatically sets up log groups for logging the domain logs and slow search logs.

A note about SLR

Some cluster configurations (e.g VPC access) require the existence of the AWSServiceRoleForAmazonElasticsearchService Service-Linked Role.

When performing such operations via the AWS Console, this SLR is created automatically when needed. However, this is not the behavior when using CloudFormation. If an SLR is needed, but doesn't exist, you will encounter a failure message simlar to:

 Before you can proceed, you must enable a service-linked role to give Amazon OpenSearch Service...
 

To resolve this, you need to create the SLR. We recommend using the AWS CLI:

 aws iam create-service-linked-role --aws-service-name es.amazonaws.com
 

You can also create it using the CDK, but note that only the first application deploying this will succeed:

 CfnServiceLinkedRole slr = CfnServiceLinkedRole.Builder.create(this, "Service Linked Role")
         .awsServiceName("es.amazonaws.com")
         .build();
 

Importing existing domains

To import an existing domain into your CDK application, use the Domain.fromDomainEndpoint factory method. This method accepts a domain endpoint of an already existing domain:

 String domainEndpoint = "https://my-domain-jcjotrt6f7otem4sqcwbch3c4u.us-east-1.es.amazonaws.com";
 IDomain domain = Domain.fromDomainEndpoint(this, "ImportedDomain", domainEndpoint);
 

Permissions

IAM

Helper methods also exist for managing access to the domain.

 Function fn;
 Domain domain;
 
 
 // Grant write access to the app-search index
 domain.grantIndexWrite("app-search", fn);
 
 // Grant read access to the 'app-search/_search' path
 domain.grantPathRead("app-search/_search", fn);
 

Encryption

The domain can also be created with encryption enabled:

 Domain domain = Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .ebs(EbsOptions.builder()
                 .volumeSize(100)
                 .volumeType(EbsDeviceVolumeType.GENERAL_PURPOSE_SSD)
                 .build())
         .nodeToNodeEncryption(true)
         .encryptionAtRest(EncryptionAtRestOptions.builder()
                 .enabled(true)
                 .build())
         .build();
 

This sets up the domain with node to node encryption and encryption at rest. You can also choose to supply your own KMS key to use for encryption at rest.

VPC Support

Domains can be placed inside a VPC, providing a secure communication between Amazon OpenSearch Service and other services within the VPC without the need for an internet gateway, NAT device, or VPN connection.

Visit VPC Support for Amazon OpenSearch Service Domains for more details.

 Vpc vpc = new Vpc(this, "Vpc");
 DomainProps domainProps = DomainProps.builder()
         .version(EngineVersion.OPENSEARCH_1_0)
         .removalPolicy(RemovalPolicy.DESTROY)
         .vpc(vpc)
         // must be enabled since our VPC contains multiple private subnets.
         .zoneAwareness(ZoneAwarenessConfig.builder()
                 .enabled(true)
                 .build())
         .capacity(CapacityConfig.builder()
                 // must be an even number since the default az count is 2.
                 .dataNodes(2)
                 .build())
         .build();
 new Domain(this, "Domain", domainProps);
 

In addition, you can use the vpcSubnets property to control which specific subnets will be used, and the securityGroups property to control which security groups will be attached to the domain. By default, CDK will select all private subnets in the VPC, and create one dedicated security group.

Metrics

Helper methods exist to access common domain metrics for example:

 Domain domain;
 
 Metric freeStorageSpace = domain.metricFreeStorageSpace();
 Metric masterSysMemoryUtilization = domain.metric("MasterSysMemoryUtilization");
 

This module is part of the AWS Cloud Development Kit project.

Fine grained access control

The domain can also be created with a master user configured. The password can be supplied or dynamically created if not supplied.

 Domain domain = Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .enforceHttps(true)
         .nodeToNodeEncryption(true)
         .encryptionAtRest(EncryptionAtRestOptions.builder()
                 .enabled(true)
                 .build())
         .fineGrainedAccessControl(AdvancedSecurityOptions.builder()
                 .masterUserName("master-user")
                 .build())
         .build();
 
 SecretValue masterUserPassword = domain.getMasterUserPassword();
 

Using unsigned basic auth

For convenience, the domain can be configured to allow unsigned HTTP requests that use basic auth. Unless the domain is configured to be part of a VPC this means anyone can access the domain using the configured master username and password.

To enable unsigned basic auth access the domain is configured with an access policy that allows anyonmous requests, HTTPS required, node to node encryption, encryption at rest and fine grained access control.

If the above settings are not set they will be configured as part of enabling unsigned basic auth. If they are set with conflicting values, an error will be thrown.

If no master user is configured a default master user is created with the username admin.

If no password is configured a default master user password is created and stored in the AWS Secrets Manager as secret. The secret has the prefix <domain id>MasterUser.

 Domain domain = Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .useUnsignedBasicAuth(true)
         .build();
 
 SecretValue masterUserPassword = domain.getMasterUserPassword();
 

Custom access policies

If the domain requires custom access control it can be configured either as a constructor property, or later by means of a helper method.

For simple permissions the accessPolicies constructor may be sufficient:

 Domain domain = Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .accessPolicies(List.of(
             PolicyStatement.Builder.create()
                     .actions(List.of("es:*ESHttpPost", "es:ESHttpPut*"))
                     .effect(Effect.ALLOW)
                     .principals(List.of(new AccountPrincipal("123456789012")))
                     .resources(List.of("*"))
                     .build()))
         .build();
 

For more complex use-cases, for example, to set the domain up to receive data from a cross-account Kinesis Firehose the addAccessPolicies helper method allows for policies that include the explicit domain ARN.

 Domain domain = Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .build();
 domain.addAccessPolicies(
 PolicyStatement.Builder.create()
         .actions(List.of("es:ESHttpPost", "es:ESHttpPut"))
         .effect(Effect.ALLOW)
         .principals(List.of(new AccountPrincipal("123456789012")))
         .resources(List.of(domain.getDomainArn(), String.format("%s/*", domain.getDomainArn())))
         .build(),
 PolicyStatement.Builder.create()
         .actions(List.of("es:ESHttpGet"))
         .effect(Effect.ALLOW)
         .principals(List.of(new AccountPrincipal("123456789012")))
         .resources(List.of(String.format("%s/_all/_settings", domain.getDomainArn()), String.format("%s/_cluster/stats", domain.getDomainArn()), String.format("%s/index-name*/_mapping/type-name", domain.getDomainArn()), String.format("%s/roletest*/_mapping/roletest", domain.getDomainArn()), String.format("%s/_nodes", domain.getDomainArn()), String.format("%s/_nodes/stats", domain.getDomainArn()), String.format("%s/_nodes/*/stats", domain.getDomainArn()), String.format("%s/_stats", domain.getDomainArn()), String.format("%s/index-name*/_stats", domain.getDomainArn()), String.format("%s/roletest*/_stat", domain.getDomainArn())))
         .build());
 

Audit logs

Audit logs can be enabled for a domain, but only when fine grained access control is enabled.

 Domain domain = Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .enforceHttps(true)
         .nodeToNodeEncryption(true)
         .encryptionAtRest(EncryptionAtRestOptions.builder()
                 .enabled(true)
                 .build())
         .fineGrainedAccessControl(AdvancedSecurityOptions.builder()
                 .masterUserName("master-user")
                 .build())
         .logging(LoggingOptions.builder()
                 .auditLogEnabled(true)
                 .slowSearchLogEnabled(true)
                 .appLogEnabled(true)
                 .slowIndexLogEnabled(true)
                 .build())
         .build();
 

UltraWarm

UltraWarm nodes can be enabled to provide a cost-effective way to store large amounts of read-only data.

 Domain domain = Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .capacity(CapacityConfig.builder()
                 .masterNodes(2)
                 .warmNodes(2)
                 .warmInstanceType("ultrawarm1.medium.search")
                 .build())
         .build();
 

Custom endpoint

Custom endpoints can be configured to reach the domain under a custom domain name.

 Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .customEndpoint(CustomEndpointOptions.builder()
                 .domainName("search.example.com")
                 .build())
         .build();
 

It is also possible to specify a custom certificate instead of the auto-generated one.

Additionally, an automatic CNAME-Record is created if a hosted zone is provided for the custom endpoint

Advanced options

Advanced options can used to configure additional options.

 Domain.Builder.create(this, "Domain")
         .version(EngineVersion.OPENSEARCH_1_0)
         .advancedOptions(Map.of(
                 "rest.action.multi.allow_explicit_index", "false",
                 "indices.fielddata.cache.size", "25",
                 "indices.query.bool.max_clause_count", "2048"))
         .build();
 

Deprecated: AWS CDK v1 has reached End-of-Support on 2023-06-01. This package is no longer being updated, and users should migrate to AWS CDK v2. For more information on how to migrate, see https://docs.aws.amazon.com/cdk/v2/guide/migrating-v2.html

Class	Description
$Module
AdvancedSecurityOptions	Specifies options for fine-grained access control.
AdvancedSecurityOptions.Builder	A builder for AdvancedSecurityOptions
AdvancedSecurityOptions.Jsii$Proxy	An implementation for AdvancedSecurityOptions
CapacityConfig	Configures the capacity of the cluster such as the instance type and the number of instances.
CapacityConfig.Builder	A builder for CapacityConfig
CapacityConfig.Jsii$Proxy	An implementation for CapacityConfig
CfnDomain	A CloudFormation AWS::OpenSearchService::Domain.
CfnDomain.AdvancedSecurityOptionsInputProperty	Specifies options for fine-grained access control.
CfnDomain.AdvancedSecurityOptionsInputProperty.Builder	A builder for CfnDomain.AdvancedSecurityOptionsInputProperty
CfnDomain.AdvancedSecurityOptionsInputProperty.Jsii$Proxy	An implementation for CfnDomain.AdvancedSecurityOptionsInputProperty
CfnDomain.Builder	A fluent builder for CfnDomain.
CfnDomain.ClusterConfigProperty	The cluster configuration for the OpenSearch Service domain.
CfnDomain.ClusterConfigProperty.Builder	A builder for CfnDomain.ClusterConfigProperty
CfnDomain.ClusterConfigProperty.Jsii$Proxy	An implementation for CfnDomain.ClusterConfigProperty
CfnDomain.CognitoOptionsProperty	Configures OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.
CfnDomain.CognitoOptionsProperty.Builder	A builder for CfnDomain.CognitoOptionsProperty
CfnDomain.CognitoOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.CognitoOptionsProperty
CfnDomain.DomainEndpointOptionsProperty	Specifies additional options for the domain endpoint, such as whether to require HTTPS for all traffic or whether to use a custom endpoint rather than the default endpoint.
CfnDomain.DomainEndpointOptionsProperty.Builder	A builder for CfnDomain.DomainEndpointOptionsProperty
CfnDomain.DomainEndpointOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.DomainEndpointOptionsProperty
CfnDomain.EBSOptionsProperty	The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the OpenSearch Service domain.
CfnDomain.EBSOptionsProperty.Builder	A builder for CfnDomain.EBSOptionsProperty
CfnDomain.EBSOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.EBSOptionsProperty
CfnDomain.EncryptionAtRestOptionsProperty	Whether the domain should encrypt data at rest, and if so, the AWS Key Management Service key to use.
CfnDomain.EncryptionAtRestOptionsProperty.Builder	A builder for CfnDomain.EncryptionAtRestOptionsProperty
CfnDomain.EncryptionAtRestOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.EncryptionAtRestOptionsProperty
CfnDomain.IdpProperty	The SAML Identity Provider's information.
CfnDomain.IdpProperty.Builder	A builder for CfnDomain.IdpProperty
CfnDomain.IdpProperty.Jsii$Proxy	An implementation for CfnDomain.IdpProperty
CfnDomain.LogPublishingOptionProperty	Specifies whether the OpenSearch Service domain publishes application, search slow logs, or index slow logs to Amazon CloudWatch.
CfnDomain.LogPublishingOptionProperty.Builder	A builder for CfnDomain.LogPublishingOptionProperty
CfnDomain.LogPublishingOptionProperty.Jsii$Proxy	An implementation for CfnDomain.LogPublishingOptionProperty
CfnDomain.MasterUserOptionsProperty	Specifies information about the master user.
CfnDomain.MasterUserOptionsProperty.Builder	A builder for CfnDomain.MasterUserOptionsProperty
CfnDomain.MasterUserOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.MasterUserOptionsProperty
CfnDomain.NodeToNodeEncryptionOptionsProperty	Specifies options for node-to-node encryption.
CfnDomain.NodeToNodeEncryptionOptionsProperty.Builder	A builder for CfnDomain.NodeToNodeEncryptionOptionsProperty
CfnDomain.NodeToNodeEncryptionOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.NodeToNodeEncryptionOptionsProperty
CfnDomain.OffPeakWindowOptionsProperty	Off-peak window settings for the domain.
CfnDomain.OffPeakWindowOptionsProperty.Builder	A builder for CfnDomain.OffPeakWindowOptionsProperty
CfnDomain.OffPeakWindowOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.OffPeakWindowOptionsProperty
CfnDomain.OffPeakWindowProperty	A custom 10-hour, low-traffic window during which OpenSearch Service can perform mandatory configuration changes on the domain.
CfnDomain.OffPeakWindowProperty.Builder	A builder for CfnDomain.OffPeakWindowProperty
CfnDomain.OffPeakWindowProperty.Jsii$Proxy	An implementation for CfnDomain.OffPeakWindowProperty
CfnDomain.SAMLOptionsProperty	Container for information about the SAML configuration for OpenSearch Dashboards.
CfnDomain.SAMLOptionsProperty.Builder	A builder for CfnDomain.SAMLOptionsProperty
CfnDomain.SAMLOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.SAMLOptionsProperty
CfnDomain.ServiceSoftwareOptionsProperty	The current status of the service software for an Amazon OpenSearch Service domain.
CfnDomain.ServiceSoftwareOptionsProperty.Builder	A builder for CfnDomain.ServiceSoftwareOptionsProperty
CfnDomain.ServiceSoftwareOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.ServiceSoftwareOptionsProperty
CfnDomain.SnapshotOptionsProperty	DEPRECATED .
CfnDomain.SnapshotOptionsProperty.Builder	A builder for CfnDomain.SnapshotOptionsProperty
CfnDomain.SnapshotOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.SnapshotOptionsProperty
CfnDomain.SoftwareUpdateOptionsProperty	Options for configuring service software updates for a domain.
CfnDomain.SoftwareUpdateOptionsProperty.Builder	A builder for CfnDomain.SoftwareUpdateOptionsProperty
CfnDomain.SoftwareUpdateOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.SoftwareUpdateOptionsProperty
CfnDomain.VPCOptionsProperty	The virtual private cloud (VPC) configuration for the OpenSearch Service domain.
CfnDomain.VPCOptionsProperty.Builder	A builder for CfnDomain.VPCOptionsProperty
CfnDomain.VPCOptionsProperty.Jsii$Proxy	An implementation for CfnDomain.VPCOptionsProperty
CfnDomain.WindowStartTimeProperty	A custom start time for the off-peak window, in Coordinated Universal Time (UTC).
CfnDomain.WindowStartTimeProperty.Builder	A builder for CfnDomain.WindowStartTimeProperty
CfnDomain.WindowStartTimeProperty.Jsii$Proxy	An implementation for CfnDomain.WindowStartTimeProperty
CfnDomain.ZoneAwarenessConfigProperty	Specifies zone awareness configuration options.
CfnDomain.ZoneAwarenessConfigProperty.Builder	A builder for CfnDomain.ZoneAwarenessConfigProperty
CfnDomain.ZoneAwarenessConfigProperty.Jsii$Proxy	An implementation for CfnDomain.ZoneAwarenessConfigProperty
CfnDomainProps	Properties for defining a CfnDomain.
CfnDomainProps.Builder	A builder for CfnDomainProps
CfnDomainProps.Jsii$Proxy	An implementation for CfnDomainProps
CognitoOptions	Configures Amazon OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.
CognitoOptions.Builder	A builder for CognitoOptions
CognitoOptions.Jsii$Proxy	An implementation for CognitoOptions
CustomEndpointOptions	Configures a custom domain endpoint for the Amazon OpenSearch Service domain.
CustomEndpointOptions.Builder	A builder for CustomEndpointOptions
CustomEndpointOptions.Jsii$Proxy	An implementation for CustomEndpointOptions
Domain	Provides an Amazon OpenSearch Service domain.
Domain.Builder	A fluent builder for Domain.
DomainAttributes	Reference to an Amazon OpenSearch Service domain.
DomainAttributes.Builder	A builder for DomainAttributes
DomainAttributes.Jsii$Proxy	An implementation for DomainAttributes
DomainProps	Properties for an Amazon OpenSearch Service domain.
DomainProps.Builder	A builder for DomainProps
DomainProps.Jsii$Proxy	An implementation for DomainProps
EbsOptions	The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the Amazon OpenSearch Service domain.
EbsOptions.Builder	A builder for EbsOptions
EbsOptions.Jsii$Proxy	An implementation for EbsOptions
EncryptionAtRestOptions	Whether the domain should encrypt data at rest, and if so, the AWS Key Management Service (KMS) key to use.
EncryptionAtRestOptions.Builder	A builder for EncryptionAtRestOptions
EncryptionAtRestOptions.Jsii$Proxy	An implementation for EncryptionAtRestOptions
EngineVersion	OpenSearch version.
IDomain	An interface that represents an Amazon OpenSearch Service domain - either created with the CDK, or an existing one.
IDomain.Jsii$Default	Internal default implementation for IDomain.
IDomain.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
LoggingOptions	Configures log settings for the domain.
LoggingOptions.Builder	A builder for LoggingOptions
LoggingOptions.Jsii$Proxy	An implementation for LoggingOptions
TLSSecurityPolicy	The minimum TLS version required for traffic to the domain.
ZoneAwarenessConfig	Specifies zone awareness configuration options.
ZoneAwarenessConfig.Builder	A builder for ZoneAwarenessConfig
ZoneAwarenessConfig.Jsii$Proxy	An implementation for ZoneAwarenessConfig