import { URL } from 'url';
import { Construct } from 'constructs';
import { LogGroupResourcePolicy } from './log-group-resource-policy';
import { OpenSearchAccessPolicy } from './opensearch-access-policy';
import { CfnDomain } from './opensearchservice.generated';
import * as perms from './perms';
import { EngineVersion } from './version';
import * as acm from '../../aws-certificatemanager';
import { Metric, MetricOptions, Statistic } from '../../aws-cloudwatch';
import * as ec2 from '../../aws-ec2';
import * as iam from '../../aws-iam';
import * as kms from '../../aws-kms';
import * as logs from '../../aws-logs';
import * as route53 from '../../aws-route53';
import * as secretsmanager from '../../aws-secretsmanager';
import * as cdk from '../../core';
import * as cxapi from '../../cx-api';
/**
 * Configures the capacity of the cluster: how many dedicated master, data and
 * UltraWarm nodes to run, and which instance type each group uses.
 */
export interface CapacityConfig {
  /**
   * The number of dedicated master nodes.
   *
   * @default - no dedicated master nodes
   */
  readonly masterNodes?: number;
  /**
   * The instance type of the dedicated master nodes, such as
   * `m3.medium.search`. For valid values, see [Supported Instance Types]
   * (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html)
   * in the Amazon OpenSearch Service Developer Guide.
   *
   * @default - r5.large.search
   */
  readonly masterNodeInstanceType?: string;
  /**
   * The number of data nodes (instances) in the Amazon OpenSearch Service domain.
   *
   * @default - 1
   */
  readonly dataNodes?: number;
  /**
   * The instance type of the data nodes, such as `m3.medium.search`.
   * For valid values, see [Supported Instance Types]
   * (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html)
   * in the Amazon OpenSearch Service Developer Guide.
   *
   * @default - r5.large.search
   */
  readonly dataNodeInstanceType?: string;
  /**
   * The number of UltraWarm nodes (instances) in the Amazon OpenSearch Service domain.
   *
   * @default - no UltraWarm nodes
   */
  readonly warmNodes?: number;
  /**
   * The instance type of the UltraWarm nodes, such as `ultrawarm1.medium.search`.
   * For valid values, see [UltraWarm Storage Limits]
   * (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#limits-ultrawarm)
   * in the Amazon OpenSearch Service Developer Guide.
   *
   * @default - ultrawarm1.medium.search
   */
  readonly warmInstanceType?: string;
  /**
   * Whether the Multi-AZ with Standby deployment option is enabled.
   * For more information, see [Multi-AZ with Standby]
   * (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-multiaz.html#managedomains-za-standby)
   *
   * @default - no multi-az with standby
   */
  readonly multiAzWithStandbyEnabled?: boolean;
}
/**
 * Zone awareness (Multi-AZ) configuration for the domain.
 */
export interface ZoneAwarenessConfig {
  /**
   * Whether to enable zone awareness for the Amazon OpenSearch Service domain.
   * When zone awareness is enabled, Amazon OpenSearch Service allocates the nodes and replica
   * index shards that belong to a cluster across two Availability Zones (AZs)
   * in the same region to prevent data loss and minimize downtime in the event
   * of node or data center failure. Don't enable zone awareness if your cluster
   * has no replica index shards or is a single-node cluster. For more information,
   * see [Configuring a Multi-AZ Domain]
   * (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-multiaz.html)
   * in the Amazon OpenSearch Service Developer Guide.
   *
   * @default - false
   */
  readonly enabled?: boolean;
  /**
   * The number of Availability Zones the domain should use when zone awareness
   * is enabled. Valid values are 2 and 3. Only meaningful together with `enabled`.
   *
   * @default - 2 if zone awareness is enabled.
   */
  readonly availabilityZoneCount?: number;
}
/**
 * Configuration of the Amazon Elastic Block Store (Amazon EBS) volumes that
 * are attached to data nodes in the Amazon OpenSearch Service domain. For more information, see
 * [Amazon EBS]
 * (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html)
 * in the Amazon Elastic Compute Cloud Developer Guide.
 */
export interface EbsOptions {
  /**
   * Whether Amazon EBS volumes are attached to the data nodes of the
   * Amazon OpenSearch Service domain.
   *
   * @default - true
   */
  readonly enabled?: boolean;
  /**
   * The number of I/O operations per second (IOPS) the volume supports.
   * Only applies to the gp3 and Provisioned IOPS (SSD) EBS volume types.
   *
   * @default - iops are not set.
   */
  readonly iops?: number;
  /**
   * The throughput (in MiB/s) of the EBS volumes attached to data nodes.
   * Only applies to the gp3 volume type.
   *
   * @default - throughput is not set.
   */
  readonly throughput?: number;
  /**
   * The size (in GiB) of the EBS volume for each data node. The minimum and
   * maximum size of an EBS volume depends on the EBS volume type and the
   * instance type to which it is attached. For valid values, see
   * [EBS volume size limits]
   * (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#ebsresource)
   * in the Amazon OpenSearch Service Developer Guide.
   *
   * @default 10
   */
  readonly volumeSize?: number;
  /**
   * The EBS volume type to use with the Amazon OpenSearch Service domain, such as standard, gp2, io1.
   *
   * @default gp2
   */
  readonly volumeType?: ec2.EbsDeviceVolumeType;
}
/**
 * Log publishing settings for the domain. Each log type is switched on by its
 * `*Enabled` flag and written to the matching `*LogGroup` (or a newly created one).
 *
 * NOTE(review): for a domain with fine-grained access control, the audit log is
 * the stream that records who authenticated and which requests were allowed or
 * denied; consider enabling it alongside the performance logs.
 */
export interface LoggingOptions {
  /**
   * Whether slow search logging should be set up.
   * Requires Elasticsearch version 5.1 or later or OpenSearch version 1.0 or later.
   * An explicit `false` is required when disabling it from `true`.
   *
   * @default - false
   */
  readonly slowSearchLogEnabled?: boolean;
  /**
   * Log slow searches to this log group.
   *
   * @default - a new log group is created if slow search logging is enabled
   */
  readonly slowSearchLogGroup?: logs.ILogGroup;
  /**
   * Whether slow index logging should be set up.
   * Requires Elasticsearch version 5.1 or later or OpenSearch version 1.0 or later.
   * An explicit `false` is required when disabling it from `true`.
   *
   * @default - false
   */
  readonly slowIndexLogEnabled?: boolean;
  /**
   * Log slow indices to this log group.
   *
   * @default - a new log group is created if slow index logging is enabled
   */
  readonly slowIndexLogGroup?: logs.ILogGroup;
  /**
   * Whether Amazon OpenSearch Service application logging should be set up.
   * Requires Elasticsearch version 5.1 or later or OpenSearch version 1.0 or later.
   * An explicit `false` is required when disabling it from `true`.
   *
   * @default - false
   */
  readonly appLogEnabled?: boolean;
  /**
   * Log Amazon OpenSearch Service application logs to this log group.
   *
   * @default - a new log group is created if app logging is enabled
   */
  readonly appLogGroup?: logs.ILogGroup;
  /**
   * Whether Amazon OpenSearch Service audit logging should be set up.
   * Requires Elasticsearch version 6.7 or later or OpenSearch version 1.0 or later, and
   * fine-grained access control must be enabled on the domain.
   *
   * @default - false
   */
  readonly auditLogEnabled?: boolean;
  /**
   * Log Amazon OpenSearch Service audit logs to this log group.
   *
   * @default - a new log group is created if audit logging is enabled
   */
  readonly auditLogGroup?: logs.ILogGroup;
}
/**
 * Whether the domain should encrypt data at rest, and if so, the AWS Key
 * Management Service (KMS) key to use. Can only be used to create a new domain,
 * not update an existing one — decide before the first deployment.
 * Requires Elasticsearch version 5.1 or later or OpenSearch version 1.0 or later.
 */
export interface EncryptionAtRestOptions {
  /**
   * Set to true to enable encryption at rest.
   *
   * @default - encryption at rest is disabled.
   */
  readonly enabled?: boolean;
  /**
   * The KMS key to use for encryption at rest.
   *
   * NOTE(review): the default `aws/es` key is AWS-managed; its key policy cannot
   * be edited. Supply a customer-managed key when you need control over the key
   * policy, rotation schedule, or cross-account access to the encrypted data.
   *
   * @default - uses default aws/es KMS key.
   */
  readonly kmsKey?: kms.IKey;
}
/**
 * Configures Amazon OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.
 * @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cognito-auth.html
 */
export interface CognitoOptions {
  /**
   * The Amazon Cognito identity pool ID that Amazon OpenSearch Service uses for OpenSearch Dashboards authentication.
   */
  readonly identityPoolId: string;
  /**
   * A role that allows Amazon OpenSearch Service to configure your user pool and identity pool.
   * It must have the `AmazonESCognitoAccess` policy attached to it; do not widen it beyond that.
   *
   * @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cognito-auth.html#cognito-auth-prereq
   */
  readonly role: iam.IRole;
  /**
   * The Amazon Cognito user pool ID that Amazon OpenSearch Service uses for OpenSearch Dashboards authentication.
   */
  readonly userPoolId: string;
}
/**
 * The minimum TLS version (and associated cipher-suite policy) required for traffic to the domain.
 *
 * NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996). Prefer `TLS_1_2_PFS`
 * for new domains; keep `TLS_1_0` only where legacy clients cannot be upgraded.
 */
export enum TLSSecurityPolicy {
  /** Minimum TLS 1.0 — legacy policy; also admits the deprecated TLS 1.1. */
  TLS_1_0 = 'Policy-Min-TLS-1-0-2019-07',
  /** Minimum TLS 1.2 */
  TLS_1_2 = 'Policy-Min-TLS-1-2-2019-07',
  /** Minimum TLS 1.2, up to TLS 1.3, restricted to cipher suites with perfect forward secrecy (PFS) */
  TLS_1_2_PFS = 'Policy-Min-TLS-1-2-PFS-2023-10',
}
/**
 * SAML configuration for OpenSearch Dashboards.
 */
export interface SAMLOptionsProperty {
  /**
   * The unique entity ID of the application in the SAML identity provider.
   */
  readonly idpEntityId: string;
  /**
   * The metadata of the SAML application, in XML format. This normally carries the
   * IdP signing certificate used to validate assertions, so source it from the IdP
   * directly rather than hand-editing it.
   */
  readonly idpMetadataContent: string;
  /**
   * The SAML master username, which is stored in the domain's internal user database.
   * This SAML user receives full permission in OpenSearch Dashboards/Kibana — treat it
   * as a break-glass administrator account.
   * Creating a new master username does not delete any existing master usernames.
   *
   * @default - No master user name is configured
   */
  readonly masterUserName?: string;
  /**
   * The backend role that the SAML master user is mapped to.
   * Any user with this backend role receives full permission in OpenSearch Dashboards/Kibana,
   * so keep membership of that IdP group tightly controlled.
   * To use a SAML master backend role, configure the `rolesKey` property.
   *
   * @default - The master user is not mapped to a backend role
   */
  readonly masterBackendRole?: string;
  /**
   * Element of the SAML assertion to use for backend roles.
   *
   * @default - roles
   */
  readonly rolesKey?: string;
  /**
   * Element of the SAML assertion to use for the user name.
   *
   * @default - NameID element of the SAML assertion for the user name
   */
  readonly subjectKey?: string;
  /**
   * The duration, in minutes, after which a user session becomes inactive.
   *
   * @default - 60
   */
  readonly sessionTimeoutMinutes?: number;
}
/**
 * Options for fine-grained access control (the domain's master user and SAML settings).
 */
export interface AdvancedSecurityOptions {
  /**
   * ARN for the master user. Only specify this or masterUserName, but not both.
   *
   * NOTE(review): with an ARN the master user is an IAM principal and no master
   * password is stored in the domain; prefer this over `masterUserName` when
   * clients can sign requests.
   *
   * @default - fine-grained access control is disabled
   */
  readonly masterUserArn?: string;
  /**
   * Username for the master user. Only specify this or masterUserArn, but not both.
   *
   * @default - fine-grained access control is disabled
   */
  readonly masterUserName?: string;
  /**
   * Password for the master user.
   *
   * You can use `SecretValue.unsafePlainText` to specify a password in plain text or
   * use `secretsmanager.Secret.fromSecretAttributes` to reference a secret in
   * Secrets Manager.
   *
   * NOTE(review): `unsafePlainText` embeds the password in clear text in the
   * synthesized template (and therefore in source control / CloudFormation
   * history). Use a Secrets Manager reference for anything but local experiments.
   *
   * @default - A Secrets Manager generated password
   */
  readonly masterUserPassword?: cdk.SecretValue;
  /**
   * True to enable SAML authentication for a domain.
   *
   * @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html
   *
   * @default - SAML authentication is disabled. Enabled if `samlAuthenticationOptions` is set.
   */
  readonly samlAuthenticationEnabled?: boolean;
  /**
   * SAML configuration for OpenSearch Dashboards.
   * If set, `samlAuthenticationEnabled` will be enabled.
   *
   * @default - no SAML authentication options
   */
  readonly samlAuthenticationOptions?: SAMLOptionsProperty;
}
/**
 * Configures a custom domain endpoint for the Amazon OpenSearch Service domain.
 */
export interface CustomEndpointOptions {
  /**
   * The custom domain name to assign.
   */
  readonly domainName: string;
  /**
   * The certificate to use for the custom endpoint.
   *
   * NOTE(review): creating a certificate presumably relies on DNS validation
   * through `hostedZone` (see `DomainProps.customEndpoint`) — confirm in the
   * constructor before omitting both.
   *
   * @default - create a new one
   */
  readonly certificate?: acm.ICertificate;
  /**
   * The hosted zone in Route53 to create the CNAME record in.
   * @default - do not create a CNAME
   */
  readonly hostedZone?: route53.IHostedZone;
}
/**
 * Start time of the off-peak window, expressed in UTC.
 *
 * NOTE(review): both fields are required on this interface; the `@default`s
 * below presumably describe the window used when `DomainProps.offPeakWindowStart`
 * itself is omitted.
 */
export interface WindowStartTime {
  /**
   * The start hour of the window in Coordinated Universal Time (UTC), using 24-hour time.
   * For example, 17 refers to 5:00 P.M. UTC.
   *
   * @default - 22
   */
  readonly hours: number;
  /**
   * The start minute of the window, in UTC.
   *
   * @default - 0
   */
  readonly minutes: number;
}
/**
 * The IP address type for the domain endpoint.
 */
export enum IpAddressType {
  /**
   * IPv4 addresses only
   */
  IPV4 = 'ipv4',
  /**
   * IPv4 and IPv6 addresses
   */
  DUAL_STACK = 'dualstack',
}
/**
 * Properties for an Amazon OpenSearch Service domain.
 *
 * NOTE(review): the security-relevant defaults here are all "off" — no access
 * policies, no encryption at rest, no node-to-node encryption, HTTPS not
 * enforced, minimum TLS 1.0, and a non-VPC endpoint. Set each of them
 * explicitly for anything beyond a throw-away test domain.
 */
export interface DomainProps {
  /**
   * Domain (resource-based) access policies.
   *
   * NOTE(review): with no resource policy the domain relies on identity-based
   * grants (see `IDomain.grant*`) and/or fine-grained access control to admit
   * requests — presumably; confirm against the constructor.
   *
   * @default - No access policies.
   */
  readonly accessPolicies?: iam.PolicyStatement[];
  /**
   * Additional options to specify for the Amazon OpenSearch Service domain.
   *
   * @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html#createdomain-configure-advanced-options
   * @default - no advanced options are specified
   */
  readonly advancedOptions?: { [key: string]: (string) };
  /**
   * Configures Amazon OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.
   *
   * @default - Cognito not used for authentication to OpenSearch Dashboards.
   */
  readonly cognitoDashboardsAuth?: CognitoOptions;
  /**
   * Enforces a particular physical domain name.
   *
   * @default - A name will be auto-generated.
   */
  readonly domainName?: string;
  /**
   * The configuration of Amazon Elastic Block Store (Amazon EBS) volumes that
   * are attached to data nodes in the Amazon OpenSearch Service domain.
   *
   * @default - 10 GiB General Purpose (SSD) volumes per node.
   */
  readonly ebs?: EbsOptions;
  /**
   * The cluster capacity configuration for the Amazon OpenSearch Service domain.
   *
   * @default - 1 r5.large.search data node; no dedicated master nodes.
   */
  readonly capacity?: CapacityConfig;
  /**
   * The cluster zone awareness configuration for the Amazon OpenSearch Service domain.
   *
   * @default - no zone awareness (1 AZ)
   */
  readonly zoneAwareness?: ZoneAwarenessConfig;
  /**
   * The Elasticsearch/OpenSearch version that your domain will leverage.
   */
  readonly version: EngineVersion;
  /**
   * Encryption at rest options for the cluster.
   *
   * NOTE(review): leaving this off leaves domain storage unencrypted, and it can
   * only be enabled when the domain is created (see `EncryptionAtRestOptions`).
   * Required when `fineGrainedAccessControl` is set.
   *
   * @default - No encryption at rest
   */
  readonly encryptionAtRest?: EncryptionAtRestOptions;
  /**
   * Log publishing configuration options.
   *
   * @default - No logs are published
   */
  readonly logging?: LoggingOptions;
  /**
   * Set to true to enable node-to-node encryption.
   * Requires Elasticsearch version 6.0 or later or OpenSearch version 1.0 or later.
   *
   * NOTE(review): without this, traffic between the cluster's nodes is not
   * encrypted. Required when `fineGrainedAccessControl` is set.
   *
   * @default - Node to node encryption is not enabled.
   */
  readonly nodeToNodeEncryption?: boolean;
  /**
   * The hour in UTC during which the service takes an automated daily snapshot
   * of the indices in the Amazon OpenSearch Service domain. Only applies for Elasticsearch versions
   * below 5.3.
   *
   * @default - Hourly automated snapshots not used
   */
  readonly automatedSnapshotStartHour?: number;
  /**
   * Place the domain inside this VPC.
   *
   * NOTE(review): a domain outside a VPC gets a public endpoint, so reachability
   * is governed only by `accessPolicies` / fine-grained access control. Prefer a
   * VPC for domains holding sensitive data.
   *
   * @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html
   * @default - Domain is not placed in a VPC.
   */
  readonly vpc?: ec2.IVpc;
  /**
   * The list of security groups that are associated with the VPC endpoints
   * for the domain.
   *
   * Only used if `vpc` is specified.
   *
   * @see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
   * @default - One new security group is created.
   */
  readonly securityGroups?: ec2.ISecurityGroup[];
  /**
   * The specific VPC subnets the domain will be placed in. You must provide one subnet for each Availability Zone
   * that your domain uses. For example, you must specify three subnet IDs for a three Availability Zone
   * domain.
   *
   * Only used if `vpc` is specified.
   *
   * @see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html
   * @default - All private subnets.
   */
  readonly vpcSubnets?: ec2.SubnetSelection[];
  /**
   * True to require that all traffic to the domain arrive over HTTPS.
   *
   * NOTE(review): with this off, credentials (basic auth, SigV4 headers) and
   * data can travel in clear text. Required when `fineGrainedAccessControl` is set.
   *
   * @default - false
   */
  readonly enforceHttps?: boolean;
  /**
   * The minimum TLS version required for traffic to the domain.
   *
   * NOTE(review): the default admits TLS 1.0 and 1.1, both deprecated (RFC 8996);
   * set `TLSSecurityPolicy.TLS_1_2_PFS` for new domains.
   *
   * @default - TLSSecurityPolicy.TLS_1_0
   */
  readonly tlsSecurityPolicy?: TLSSecurityPolicy;
  /**
   * Options for fine-grained access control.
   * Requires Elasticsearch version 6.7 or later or OpenSearch version 1.0 or later. Enabling fine-grained access control
   * also requires encryption of data at rest and node-to-node encryption, along with
   * enforced HTTPS.
   *
   * @default - fine-grained access control is disabled
   */
  readonly fineGrainedAccessControl?: AdvancedSecurityOptions;
  /**
   * Configures the domain so that unsigned basic auth is enabled. If no master user is provided a default master user
   * with username `admin` and a dynamically generated password stored in AWS Secrets Manager is created (compare the
   * `masterUserPassword` default on `AdvancedSecurityOptions`). The password can be retrieved
   * by getting `masterUserPassword` from the domain instance.
   *
   * Setting this to true will also add an access policy that allows unsigned
   * access, enable node to node encryption, encryption at rest. If conflicting
   * settings are encountered (like disabling encryption at rest) enabling this
   * setting will cause a failure.
   *
   * NOTE(review): "unsigned access" means the resource policy admits any caller
   * and authentication rests on the master password alone; on a non-VPC domain
   * that is an internet-facing password login. Keep `enforceHttps` on and rotate
   * the secret.
   *
   * @default - false
   */
  readonly useUnsignedBasicAuth?: boolean;
  /**
   * To upgrade an Amazon OpenSearch Service domain to a new version, rather than replacing the entire
   * domain resource, use the EnableVersionUpgrade update policy.
   *
   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatepolicy.html#cfn-attributes-updatepolicy-upgradeopensearchdomain
   *
   * @default - false
   */
  readonly enableVersionUpgrade?: boolean;
  /**
   * Policy to apply when the domain is removed from the stack.
   *
   * @default RemovalPolicy.RETAIN
   */
  readonly removalPolicy?: cdk.RemovalPolicy;
  /**
   * Options for a custom domain endpoint.
   *
   * If you specify a Route53 hosted zone it will create a CNAME record and use DNS validation for the certificate.
   *
   * @default - no custom domain endpoint will be configured
   */
  readonly customEndpoint?: CustomEndpointOptions;
  /**
   * Options for enabling a domain's off-peak window, during which OpenSearch Service can perform mandatory
   * configuration changes on the domain.
   *
   * Off-peak windows were introduced on February 16, 2023.
   * All domains created before this date have the off-peak window disabled by default.
   * You must manually enable and configure the off-peak window for these domains.
   * All domains created after this date will have the off-peak window enabled by default.
   * You can't disable the off-peak window for a domain after it's enabled.
   *
   * @see https://docs.aws.amazon.com/it_it/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-offpeakwindow.html
   *
   * @default - Disabled for domains created before February 16, 2023. Enabled for domains created after. Enabled if `offPeakWindowStart` is set.
   */
  readonly offPeakWindowEnabled?: boolean;
  /**
   * Start time for the off-peak window, in Coordinated Universal Time (UTC).
   * The window length will always be 10 hours, so you can't specify an end time.
   * For example, if you specify 11:00 P.M. UTC as a start time, the end time will automatically be set to 9:00 A.M.
   *
   * @default - 22:00 (10:00 P.M.) UTC
   */
  readonly offPeakWindowStart?: WindowStartTime;
  /**
   * Whether automatic service software updates are enabled for the domain.
   *
   * @see https://docs.aws.amazon.com/it_it/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-softwareupdateoptions.html
   *
   * @default - false
   */
  readonly enableAutoSoftwareUpdate?: boolean;
  /**
   * Specify either dual stack or IPv4 as your IP address type.
   * Dual stack allows you to share domain resources across IPv4 and IPv6 address types, and is the recommended option.
   *
   * If you set your IP address type to dual stack, you can't change your address type later.
   *
   * @default - IpAddressType.IPV4
   */
  readonly ipAddressType?: IpAddressType;
  /**
   * Whether to suppress creation of the CloudWatch Logs resource policy.
   *
   * When logging is enabled for the domain, a CloudWatch Logs resource policy is created by default.
   * However, CloudWatch Logs supports only 10 resource policies per region.
   * If you enable logging for several domains, it may hit the quota and cause an error.
   * By setting this property to true, creating a resource policy is suppressed, allowing you to avoid this problem.
   *
   * If you set this option to true, you must create a resource policy before deployment,
   * otherwise log delivery from the domain will be refused.
   *
   * @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html
   *
   * @default - false
   */
  readonly suppressLogsResourcePolicy?: boolean;
}
/**
 * An Amazon OpenSearch Service domain — either created with the CDK, or an existing one.
 *
 * The `grant*` methods attach identity-based IAM policies scoped to this domain's
 * ARN. NOTE(review): when fine-grained access control is enabled on the domain, an
 * IAM grant alone is presumably not sufficient — the principal also needs a role
 * mapping inside the domain; verify for your setup.
 */
export interface IDomain extends cdk.IResource {
  /**
   * Arn of the Amazon OpenSearch Service domain.
   *
   * @attribute
   */
  readonly domainArn: string;
  /**
   * Domain name of the Amazon OpenSearch Service domain.
   *
   * @attribute
   */
  readonly domainName: string;
  /**
   * Identifier of the Amazon OpenSearch Service domain.
   *
   * @attribute
   */
  readonly domainId: string;
  /**
   * Endpoint of the Amazon OpenSearch Service domain.
   *
   * @attribute
   */
  readonly domainEndpoint: string;
  /**
   * Grant read permissions for this domain and its contents to an IAM
   * principal (Role/Group/User).
   *
   * @param identity The principal
   */
  grantRead(identity: iam.IGrantable): iam.Grant;
  /**
   * Grant write permissions for this domain and its contents to an IAM
   * principal (Role/Group/User).
   *
   * @param identity The principal
   */
  grantWrite(identity: iam.IGrantable): iam.Grant;
  /**
   * Grant read/write permissions for this domain and its contents to an IAM
   * principal (Role/Group/User).
   *
   * @param identity The principal
   */
  grantReadWrite(identity: iam.IGrantable): iam.Grant;
  /**
   * Grant read permissions for an index in this domain to an IAM
   * principal (Role/Group/User).
   *
   * @param index The index to grant permissions for (a literal name; wildcards widen the grant)
   * @param identity The principal
   */
  grantIndexRead(index: string, identity: iam.IGrantable): iam.Grant;
  /**
   * Grant write permissions for an index in this domain to an IAM
   * principal (Role/Group/User).
   *
   * @param index The index to grant permissions for (a literal name; wildcards widen the grant)
   * @param identity The principal
   */
  grantIndexWrite(index: string, identity: iam.IGrantable): iam.Grant;
  /**
   * Grant read/write permissions for an index in this domain to an IAM
   * principal (Role/Group/User).
   *
   * @param index The index to grant permissions for (a literal name; wildcards widen the grant)
   * @param identity The principal
   */
  grantIndexReadWrite(index: string, identity: iam.IGrantable): iam.Grant;
  /**
   * Grant read permissions for a specific path in this domain to an IAM
   * principal (Role/Group/User).
   *
   * @param path The path to grant permissions for
   * @param identity The principal
   */
  grantPathRead(path: string, identity: iam.IGrantable): iam.Grant;
  /**
   * Grant write permissions for a specific path in this domain to an IAM
   * principal (Role/Group/User).
   *
   * @param path The path to grant permissions for
   * @param identity The principal
   */
  grantPathWrite(path: string, identity: iam.IGrantable): iam.Grant;
  /**
   * Grant read/write permissions for a specific path in this domain to an IAM
   * principal (Role/Group/User).
   *
   * @param path The path to grant permissions for
   * @param identity The principal
   */
  grantPathReadWrite(path: string, identity: iam.IGrantable): iam.Grant;
  /**
   * Return the given named metric for this domain.
   */
  metric(metricName: string, props?: MetricOptions): Metric;
  /**
   * Metric for the time the cluster status is red.
   *
   * @default maximum over 5 minutes
   */
  metricClusterStatusRed(props?: MetricOptions): Metric;
  /**
   * Metric for the time the cluster status is yellow.
   *
   * @default maximum over 5 minutes
   */
  metricClusterStatusYellow(props?: MetricOptions): Metric;
  /**
   * Metric for the storage space of nodes in the cluster.
   *
   * @default minimum over 5 minutes
   */
  metricFreeStorageSpace(props?: MetricOptions): Metric;
  /**
   * Metric for the cluster blocking index writes.
   *
   * @default maximum over 1 minute
   */
  metricClusterIndexWritesBlocked(props?: MetricOptions): Metric;
  /**
   * Metric for the number of nodes.
   *
   * @default minimum over 1 hour
   */
  metricNodes(props?: MetricOptions): Metric;
  /**
   * Metric for automated snapshot failures.
   *
   * @default maximum over 5 minutes
   */
  metricAutomatedSnapshotFailure(props?: MetricOptions): Metric;
  /**
   * Metric for CPU utilization.
   *
   * @default maximum over 5 minutes
   */
  metricCPUUtilization(props?: MetricOptions): Metric;
  /**
   * Metric for JVM memory pressure.
   *
   * @default maximum over 5 minutes
   */
  metricJVMMemoryPressure(props?: MetricOptions): Metric;
  /**
   * Metric for master CPU utilization.
   *
   * @default maximum over 5 minutes
   */
  metricMasterCPUUtilization(props?: MetricOptions): Metric;
  /**
   * Metric for master JVM memory pressure.
   *
   * @default maximum over 5 minutes
   */
  metricMasterJVMMemoryPressure(props?: MetricOptions): Metric;
  /**
   * Metric for KMS key errors (worth alarming on when encryption at rest is enabled).
   *
   * @default maximum over 5 minutes
   */
  metricKMSKeyError(props?: MetricOptions): Metric;
  /**
   * Metric for the KMS key being inaccessible (worth alarming on when encryption at rest is enabled).
   *
   * @default maximum over 5 minutes
   */
  metricKMSKeyInaccessible(props?: MetricOptions): Metric;
  /**
   * Metric for number of searchable documents.
   *
   * @default maximum over 5 minutes
   */
  metricSearchableDocuments(props?: MetricOptions): Metric;
  /**
   * Metric for search latency.
   *
   * @default p99 over 5 minutes
   */
  metricSearchLatency(props?: MetricOptions): Metric;
  /**
   * Metric for indexing latency.
   *
   * @default p99 over 5 minutes
   */
  metricIndexingLatency(props?: MetricOptions): Metric;
}
/**
* A new or imported domain.
*/
abstract class DomainBase extends cdk.Resource implements IDomain {
/** ARN of the domain; every `grant*` method below scopes its resources under it. */
public abstract readonly domainArn: string;
/** Physical name of the domain. */
public abstract readonly domainName: string;
/** Identifier of the domain. */
public abstract readonly domainId: string;
/** Endpoint of the domain. */
public abstract readonly domainEndpoint: string;
/**
 * Grant the read action set (`perms.ES_READ_ACTIONS`) on this domain and on
 * everything under it (`<domainArn>` and `<domainArn>/*`) to an IAM principal.
 *
 * @param identity The principal (Role/Group/User) receiving the grant
 * @returns the resulting Grant
 */
grantRead(identity: iam.IGrantable): iam.Grant {
  const domainResource = this.domainArn;
  // Second resource covers every index/path below the domain.
  const domainContents = `${domainResource}/*`;
  return this.grant(identity, perms.ES_READ_ACTIONS, domainResource, domainContents);
}
/**
 * Grant the write action set (`perms.ES_WRITE_ACTIONS`) on this domain and on
 * everything under it (`<domainArn>` and `<domainArn>/*`) to an IAM principal.
 *
 * @param identity The principal (Role/Group/User) receiving the grant
 * @returns the resulting Grant
 */
grantWrite(identity: iam.IGrantable): iam.Grant {
  const domainResource = this.domainArn;
  // Second resource covers every index/path below the domain.
  const domainContents = `${domainResource}/*`;
  return this.grant(identity, perms.ES_WRITE_ACTIONS, domainResource, domainContents);
}
/**
 * Grant the combined read/write action set (`perms.ES_READ_WRITE_ACTIONS`) on
 * this domain and on everything under it (`<domainArn>` and `<domainArn>/*`)
 * to an IAM principal. This is the broadest of the domain-level grants.
 *
 * @param identity The principal (Role/Group/User) receiving the grant
 * @returns the resulting Grant
 */
grantReadWrite(identity: iam.IGrantable): iam.Grant {
  const domainResource = this.domainArn;
  // Second resource covers every index/path below the domain.
  const domainContents = `${domainResource}/*`;
  return this.grant(identity, perms.ES_READ_WRITE_ACTIONS, domainResource, domainContents);
}
/**
 * Grant the read action set (`perms.ES_READ_ACTIONS`) on a single index of this
 * domain (`<domainArn>/<index>` and `<domainArn>/<index>/*`) to an IAM principal.
 *
 * `index` is interpolated verbatim into the resource ARN, so pass a literal
 * index name: a `*` (or an empty string) widens the grant beyond one index.
 *
 * @param index The index to grant permissions for
 * @param identity The principal (Role/Group/User) receiving the grant
 * @returns the resulting Grant
 */
grantIndexRead(index: string, identity: iam.IGrantable): iam.Grant {
  const indexResource = `${this.domainArn}/${index}`;
  const indexContents = `${indexResource}/*`;
  return this.grant(identity, perms.ES_READ_ACTIONS, indexResource, indexContents);
}
/**
 * Grant the write action set (`perms.ES_WRITE_ACTIONS`) on a single index of this
 * domain (`<domainArn>/<index>` and `<domainArn>/<index>/*`) to an IAM principal.
 *
 * `index` is interpolated verbatim into the resource ARN, so pass a literal
 * index name: a `*` (or an empty string) widens the grant beyond one index.
 *
 * @param index The index to grant permissions for
 * @param identity The principal (Role/Group/User) receiving the grant
 * @returns the resulting Grant
 */
grantIndexWrite(index: string, identity: iam.IGrantable): iam.Grant {
  const indexResource = `${this.domainArn}/${index}`;
  const indexContents = `${indexResource}/*`;
  return this.grant(identity, perms.ES_WRITE_ACTIONS, indexResource, indexContents);
}
/**
* Grant read/write permissions for an index in this domain to an IAM