Custom Resources Library for Amazon OpenSearch Service

An AWS CDK construct library to manage OpenSearch resources via CloudFormation custom resource. This is especially useful if you use fine-grained access control feature on OpenSearch, where you have to create resources such as role or role mapping via OpenSearch REST API.

!architecture

Currently supported resources

* Role
* RoleMapping
* User

You can manage any other REST resources via our low level API (ResourceBase class).

Usage

Install it via npm:

``sh npm install opensearch-rest-resources`

Then you can create OpenSearch resources using Domain construct.

`ts import { IVpc } from 'aws-cdk-lib/aws-ec2'; import { IRole } from 'aws-cdk-lib/aws-iam'; import { Domain } from 'aws-cdk-lib/aws-opensearchservice'; import { OpenSearchRole, OpenSearchRoleMapping } from 'opensearch-rest-resources';

declare const vpc: IVpc; declare const backendRole: IRole; declare const domain: Domain;

const role = new OpenSearchRole(this, 'Role1', { vpc, domain, roleName: 'Role1', payload: { clusterPermissions: ['indices:data/write/bulk'], indexPermissions: [ { indexPatterns: ['*'], allowedActions: ['read', 'write', 'index', 'create_index'], }, ], } });

const roleMapping = new OpenSearchRoleMapping(this, 'RoleMapping1', { vpc, domain, roleName: role.roleName, payload: { backendRoles: [backendRole.roleArn], }, removalPolicy: RemovalPolicy.RETAIN, });`

`Limitation`


Currently this library assumes your OpenSearch domain is configured such that:

* Fine-grained access control is enabled * Use theDomainL2 construct * The master is authenticated with username and password, and the credential is stored in Secret Manager * Domain access policy is configured to allow access from the master user

`json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "es:ESHttp*", "Resource": "domain-arn/*" } ] }``

Most of the above follow the current operational best practices of Amazon OpenSearch Service. If you want other configuration supported, please submit an issue.

Usage

Install it via npm:

sh
npm install opensearch-rest-resources

Then you can create OpenSearch resources using Domain construct.

ts
import { IVpc } from 'aws-cdk-lib/aws-ec2';
import { IRole } from 'aws-cdk-lib/aws-iam';
import { Domain } from 'aws-cdk-lib/aws-opensearchservice';
import { OpenSearchRole, OpenSearchRoleMapping } from 'opensearch-rest-resources';

declare const vpc: IVpc;
declare const backendRole: IRole;
declare const domain: Domain;

const role = new OpenSearchRole(this, 'Role1', {
    vpc,
    domain,
    roleName: 'Role1',
    payload: {
        clusterPermissions: ['indices:data/write/bulk'],
        indexPermissions: [
            {
                indexPatterns: ['*'],
                allowedActions: ['read', 'write', 'index', 'create_index'],
            },
        ],
    }
});

const roleMapping = new OpenSearchRoleMapping(this, 'RoleMapping1', {
    vpc,
    domain,
    roleName: role.roleName,
    payload: {
        backendRoles: [backendRole.roleArn],
    },
    removalPolicy: RemovalPolicy.RETAIN,
});

Limitation

Currently this library assumes your OpenSearch domain is configured such that:

* Fine-grained access control is enabled
* Use the

Domain

 L2 construct
* The master is authenticated with username and password, and the credential is stored in Secret Manager
* Domain access policy is configured to allow access from the master user

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:ESHttp*",
      "Resource": "domain-arn/*"
    }
  ]
}

Most of the above follow the current operational best practices of Amazon OpenSearch Service. If you want other configuration supported, please submit an issue.