AWSCDK::OpenSearchService

25 types

Amazon OpenSearch Service Construct Library

See Migrating to OpenSearch for migration instructions from aws-cdk-lib/aws-elasticsearch to this module, aws-cdk-lib/aws-opensearchservice.

Quick start

Create a development cluster by simply specifying the version:

dev_domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
})

To perform version upgrades without replacing the entire domain, specify the enable_version_upgrade property.

dev_domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    enable_version_upgrade: true,
})

Create a cluster with GP3 volumes:

gp3_domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_2_5,
    ebs: {
        volume_size: 30,
        volume_type: AWSCDK::EC2::EbsDeviceVolumeType::GP3,
        throughput: 125,
        iops: 3000,
    },
})

Create a production grade cluster by also specifying things like capacity and az distribution

prod_domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    capacity: {
        master_nodes: 5,
        data_nodes: 20,
    },
    ebs: {
        volume_size: 20,
    },
    zone_awareness: {
        availability_zone_count: 3,
    },
    logging: {
        slow_search_log_enabled: true,
        app_log_enabled: true,
        slow_index_log_enabled: true,
    },
})

This creates an Amazon OpenSearch Service cluster and automatically sets up log groups for logging the domain logs and slow search logs.

A note about SLR

Some cluster configurations (e.g VPC access) require the existence of the AWSServiceRoleForAmazonElasticsearchService Service-Linked Role.

When performing such operations via the AWS Console, this SLR is created automatically when needed. However, this is not the behavior when using CloudFormation. If an SLR is needed, but doesn't exist, you will encounter a failure message similar to:

Before you can proceed, you must enable a service-linked role to give Amazon OpenSearch Service...

To resolve this, you need to create the SLR. We recommend using the AWS CLI:

aws iam create-service-linked-role --aws-service-name es.amazonaws.com

You can also create it using the CDK, but note that only the first application deploying this will succeed:

slr = AWSCDK::IAM::CfnServiceLinkedRole.new(self, "Service Linked Role", {
    aws_service_name: "es.amazonaws.com",
})

Importing existing domains

Using a known domain endpoint

To import an existing domain into your CDK application, use the Domain.fromDomainEndpoint factory method. This method accepts a domain endpoint of an already existing domain:

domain_endpoint = "https://my-domain-jcjotrt6f7otem4sqcwbch3c4u.us-east-1.es.amazonaws.com"
domain = AWSCDK::OpenSearchService::Domain.from_domain_endpoint(self, "ImportedDomain", domain_endpoint)

Using the output of another CloudFormation stack

To import an existing domain with the help of an exported value from another CloudFormation stack, use the Domain.fromDomainAttributes factory method. This will accept tokens.

domain_arn = AWSCDK::Fn.import_value("another-cf-stack-export-domain-arn")
domain_endpoint = AWSCDK::Fn.import_value("another-cf-stack-export-domain-endpoint")
domain = AWSCDK::OpenSearchService::Domain.from_domain_attributes(self, "ImportedDomain", {
    domain_arn: domain_arn,
    domain_endpoint: domain_endpoint,
})

Permissions

IAM

Helper methods also exist for managing access to the domain.

fn = nil # AWSCDK::Lambda::Function
domain = nil # AWSCDK::OpenSearchService::Domain


# Grant write access to the app-search index
domain.grant_index_write("app-search", fn)

# Grant read access to the 'app-search/_search' path
domain.grant_path_read("app-search/_search", fn)

Encryption

The domain can also be created with encryption enabled:

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    ebs: {
        volume_size: 100,
        volume_type: AWSCDK::EC2::EbsDeviceVolumeType::GENERAL_PURPOSE_SSD,
    },
    node_to_node_encryption: true,
    encryption_at_rest: {
        enabled: true,
    },
})

This sets up the domain with node to node encryption and encryption at rest. You can also choose to supply your own KMS key to use for encryption at rest:

require 'aws-cdk-lib'


encryption_key = AWSCDK::KMS::Key.new(self, "EncryptionKey")

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    encryption_at_rest: {
        kms_key: encryption_key,
    },
})

The construct also supports using cross-account KMS keys for encryption at rest:

require 'aws-cdk-lib'


 = AWSCDK::KMS::Key.from_key_arn(self, "CrossAccountKey", "arn:aws:kms:us-east-1:111111111111:key/12345678-1234-1234-1234-123456789012")

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    encryption_at_rest: {
        kms_key: ,
    },
})

VPC Support

Domains can be placed inside a VPC, providing a secure communication between Amazon OpenSearch Service and other services within the VPC without the need for an internet gateway, NAT device, or VPN connection.

Visit VPC Support for Amazon OpenSearch Service Domains for more details.

vpc = AWSCDK::EC2::VPC.new(self, "Vpc")
domain_props = {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    removal_policy: AWSCDK::RemovalPolicy::DESTROY,
    vpc: vpc,
    # must be enabled since our VPC contains multiple private subnets.
    zone_awareness: {
        enabled: true,
    },
    capacity: {
        # must be an even number since the default az count is 2.
        data_nodes: 2,
    },
}
AWSCDK::OpenSearchService::Domain.new(self, "Domain", domain_props)

In addition, you can use the vpc_subnets property to control which specific subnets will be used, and the security_groups property to control which security groups will be attached to the domain. By default, CDK will select all private subnets in the VPC, and create one dedicated security group.

Metrics

Helper methods exist to access common domain metrics for example:

domain = nil # AWSCDK::OpenSearchService::Domain

free_storage_space = domain.metric_free_storage_space
master_sys_memory_utilization = domain.metric("MasterSysMemoryUtilization")

This module is part of the AWS Cloud Development Kit project.

Fine grained access control

The domain can also be created with a master user configured. The password can be supplied or dynamically created if not supplied.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    enforce_https: true,
    node_to_node_encryption: true,
    encryption_at_rest: {
        enabled: true,
    },
    fine_grained_access_control: {
        master_user_name: "master-user",
    },
})

master_user_password = domain.master_user_password

SAML authentication

You can enable SAML authentication to use your existing identity provider to offer single sign-on (SSO) for dashboards on Amazon OpenSearch Service domains running OpenSearch or Elasticsearch 6.7 or later. To use SAML authentication, fine-grained access control must be enabled.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    enforce_https: true,
    node_to_node_encryption: true,
    encryption_at_rest: {
        enabled: true,
    },
    fine_grained_access_control: {
        master_user_name: "master-user",
        saml_authentication_enabled: true,
        saml_authentication_options: {
            idp_entity_id: "entity-id",
            idp_metadata_content: "metadata-content-with-quotes-escaped",
        },
    },
})

Using unsigned basic auth

For convenience, the domain can be configured to allow unsigned HTTP requests that use basic auth. Unless the domain is configured to be part of a VPC this means anyone can access the domain using the configured master username and password.

To enable unsigned basic auth access the domain is configured with an access policy that allows anonymous requests, HTTPS required, node to node encryption, encryption at rest and fine grained access control.

If the above settings are not set they will be configured as part of enabling unsigned basic auth. If they are set with conflicting values, an error will be thrown.

If no master user is configured a default master user is created with the username admin.

If no password is configured a default master user password is created and stored in the AWS Secrets Manager as secret. The secret has the prefix <domain id>MasterUser.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    use_unsigned_basic_auth: true,
})

master_user_password = domain.master_user_password

Custom access policies

If the domain requires custom access control it can be configured either as a constructor property, or later by means of a helper method.

For simple permissions the access_policies constructor may be sufficient:

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    access_policies: [
        AWSCDK::IAM::PolicyStatement.new({
            actions: ["es:*ESHttpPost", "es:ESHttpPut*"],
            effect: AWSCDK::IAM::Effect::ALLOW,
            principals: [AWSCDK::IAM::AccountPrincipal.new("123456789012")],
            resources: ["*"],
        }),
    ],
})

For more complex use-cases, for example, to set the domain up to receive data from a cross-account Amazon Data Firehose the add_access_policies helper method allows for policies that include the explicit domain ARN.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
})
domain.add_access_policies(
AWSCDK::IAM::PolicyStatement.new({
    actions: ["es:ESHttpPost", "es:ESHttpPut"],
    effect: AWSCDK::IAM::Effect::ALLOW,
    principals: [AWSCDK::IAM::AccountPrincipal.new("123456789012")],
    resources: [domain.domain_arn, "#{domain.domain_arn}/*"],
}),
AWSCDK::IAM::PolicyStatement.new({
    actions: ["es:ESHttpGet"],
    effect: AWSCDK::IAM::Effect::ALLOW,
    principals: [AWSCDK::IAM::AccountPrincipal.new("123456789012")],
    resources: [
        "#{domain.domain_arn}/_all/_settings",
        "#{domain.domain_arn}/_cluster/stats",
        "#{domain.domain_arn}/index-name*/_mapping/type-name",
        "#{domain.domain_arn}/roletest*/_mapping/roletest",
        "#{domain.domain_arn}/_nodes",
        "#{domain.domain_arn}/_nodes/stats",
        "#{domain.domain_arn}/_nodes/*/stats",
        "#{domain.domain_arn}/_stats",
        "#{domain.domain_arn}/index-name*/_stats",
        "#{domain.domain_arn}/roletest*/_stat",
    ],
}))

Audit logs

Audit logs can be enabled for a domain, but only when fine grained access control is enabled.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    enforce_https: true,
    node_to_node_encryption: true,
    encryption_at_rest: {
        enabled: true,
    },
    fine_grained_access_control: {
        master_user_name: "master-user",
    },
    logging: {
        audit_log_enabled: true,
        slow_search_log_enabled: true,
        app_log_enabled: true,
        slow_index_log_enabled: true,
    },
})

Suppress creating CloudWatch Logs resource policy

When logging is enabled for the domain, the CloudWatch Logs resource policy is created by default. This resource policy is necessary for logging, but since only a maximum of 10 resource policies can be created per region, the maximum number of resource policies may be a problem when enabling logging for several domains. By setting the suppress_logs_resource_policy option to true, you can suppress the creation of a CloudWatch Logs resource policy.

If you set the suppress_logs_resource_policy option to true, you must create a resource policy before deployment. Also, to avoid reaching this limit, consider reusing a broader policy that includes multiple log groups.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    enforce_https: true,
    node_to_node_encryption: true,
    encryption_at_rest: {
        enabled: true,
    },
    fine_grained_access_control: {
        master_user_name: "master-user",
    },
    logging: {
        audit_log_enabled: true,
        slow_search_log_enabled: true,
        app_log_enabled: true,
        slow_index_log_enabled: true,
    },
    suppress_logs_resource_policy: true,
})

Visit Monitoring OpenSearch logs with Amazon CloudWatch Logs for more details.

UltraWarm

UltraWarm nodes can be enabled to provide a cost-effective way to store large amounts of read-only data.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    capacity: {
        master_nodes: 2,
        warm_nodes: 2,
        warm_instance_type: "ultrawarm1.medium.search",
    },
})

Cold storage

Cold storage can be enabled on the domain. You must enable UltraWarm storage to enable cold storage.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    capacity: {
        master_nodes: 2,
        warm_nodes: 2,
        warm_instance_type: "ultrawarm1.medium.search",
    },
    cold_storage_enabled: true,
})

S3 Vectors Engine

Amazon OpenSearch Service offers the ability to use Amazon S3 as a vector engine for vector indexes. This feature allows you to offload vector data to Amazon S3 while maintaining sub-second vector search capabilities at low cost.

Requirements:

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_2_19,
    s3_vectors_engine_enabled: true,
    capacity: {
        data_node_instance_type: "or1.medium.search",
    },
    encryption_at_rest: {
        enabled: true,
    },
})

Custom endpoint

Custom endpoints can be configured to reach the domain under a custom domain name.

AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    custom_endpoint: {
        domain_name: "search.example.com",
    },
})

It is also possible to specify a custom certificate instead of the auto-generated one.

Additionally, an automatic CNAME-Record is created if a hosted zone is provided for the custom endpoint

Advanced options

Advanced options can used to configure additional options.

AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    advanced_options: {
        "rest.action.multi.allow_explicit_index" => "false",
        "indices.fielddata.cache.size" => "25",
        "indices.query.bool.max_clause_count" => "2048",
    },
})

Amazon Cognito authentication for OpenSearch Dashboards

The domain can be configured to use Amazon Cognito authentication for OpenSearch Dashboards.

Visit Configuring Amazon Cognito authentication for OpenSearch Dashboards for more details.

cognito_configuration_role = nil # AWSCDK::IAM::Role


domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_0,
    cognito_dashboards_auth: {
        role: cognito_configuration_role,
        identity_pool_id: "example-identity-pool-id",
        user_pool_id: "example-user-pool-id",
    },
})

Enable support for Multi-AZ with Standby deployment

The domain can be configured to use multi-AZ with standby.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_3,
    ebs: {
        volume_size: 10,
        volume_type: AWSCDK::EC2::EbsDeviceVolumeType::GENERAL_PURPOSE_SSD_GP3,
    },
    zone_awareness: {
        enabled: true,
        availability_zone_count: 3,
    },
    capacity: {
        multi_az_with_standby_enabled: true,
        master_nodes: 3,
        data_nodes: 3,
    },
})

Define off-peak windows

The domain can be configured to use a daily 10-hour window considered as off-peak hours.

Off-peak windows were introduced on February 16, 2023. All domains created before this date have the off-peak window disabled by default. You must manually enable and configure the off-peak window for these domains. All domains created after this date will have the off-peak window enabled by default. You can't disable the off-peak window for a domain after it's enabled.

Visit Defining off-peak windows for Amazon OpenSearch Service for more details.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_3,
    off_peak_window_enabled: true,
     # can be omitted if offPeakWindowStart is set
    off_peak_window_start: {
        hours: 20,
        minutes: 0,
    },
})

Configuring service software updates

The domain can be configured to use service software updates.

Visit Service software updates in Amazon OpenSearch Service for more details.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_3,
    enable_auto_software_update: true,
})

IP address type

You can specify either dual stack or IPv4 as your IP address type.

domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_3,
    ip_address_type: AWSCDK::OpenSearchService::IPAddressType::DUAL_STACK,
})

Using Coordinator node with NodeOptions

You can specify coordinator as a valid value for node type.

Visit Dedicated coordinator nodes in Amazon OpenSearch Service for more details.

require 'aws-cdk-lib'


domain = AWSCDK::OpenSearchService::Domain.new(self, "Domain", {
    version: AWSCDK::OpenSearchService::EngineVersion.OPENSEARCH_1_3,
    capacity: {
        node_options: [
            {
                node_type: AWSCDK::OpenSearchService::NodeType::COORDINATOR,
                node_config: {
                    enabled: true,
                    count: 2,
                    type: "m5.large.search",
                },
            },
        ],
    },
})

API Reference

Classes 5

CfnApplicationCreates an OpenSearch UI application. CfnDomainThe AWS::OpenSearchService::Domain resource creates an Amazon OpenSearch Service domain. DomainProvides an Amazon OpenSearch Service domain. DomainGrantsCollection of grant methods for a IDomainRef. EngineVersionOpenSearch version.

Interfaces 17

AdvancedSecurityOptionsSpecifies options for fine-grained access control. CapacityConfigConfigures the capacity of the cluster such as the instance type and the number of instanc CfnApplicationPropsProperties for defining a `CfnApplication`. CfnDomainPropsProperties for defining a `CfnDomain`. CognitoOptionsConfigures Amazon OpenSearch Service to use Amazon Cognito authentication for OpenSearch D CustomEndpointOptionsConfigures a custom domain endpoint for the Amazon OpenSearch Service domain. DomainAttributesReference to an Amazon OpenSearch Service domain. DomainPropsProperties for an Amazon OpenSearch Service domain. EbsOptionsThe configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to EncryptionAtRestOptionsWhether the domain should encrypt data at rest, and if so, the AWS Key Management Service IDomainAn interface that represents an Amazon OpenSearch Service domain - either created with the LoggingOptionsConfigures log settings for the domain. NodeConfigConfiguration for a specific node type in OpenSearch domain. NodeOptionsConfiguration for node options in OpenSearch domain. SAMLOptionsPropertyContainer for information about the SAML configuration for OpenSearch Dashboards. WindowStartTime ZoneAwarenessConfigSpecifies zone awareness configuration options.

Enums 3

IPAddressTypeThe IP address type for the domain. NodeTypeNodeType is a string enum of the node types in OpenSearch domain. TLSSecurityPolicyThe minimum TLS version required for traffic to the domain.