@aws-cdk/aws-elasticsearch

Amazon Elasticsearch Service Construct Library

---

Features	Stability
CFN Resources
Higher level constructs for Domain

CFN Resources: All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

Stable: Higher level constructs in this module that are marked stable will not undergo any breaking changes. They will strictly follow the Semantic Versioning model.

---

Quick start

Create a development cluster by simply specifying the version:

import * as es from '@aws-cdk/aws-elasticsearch';

const devDomain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_1,
});

To perform version upgrades without replacing the entire domain, specify the enableVersionUpgrade property.

import * as es from '@aws-cdk/aws-elasticsearch';

const devDomain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_10,
    enableVersionUpgrade: true // defaults to false
});

Create a production grade cluster by also specifying things like capacity and az distribution

const prodDomain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_1,
    capacity: {
        masterNodes: 5,
        dataNodes: 20
    },
    ebs: {
        volumeSize: 20
    },
    zoneAwareness: {
        availabilityZoneCount: 3
    },
    logging: {
        slowSearchLogEnabled: true,
        appLogEnabled: true,
        slowIndexLogEnabled: true,
    },
});

This creates an Elasticsearch cluster and automatically sets up log groups for logging the domain logs and slow search logs.

A note about SLR

Some cluster configurations (e.g VPC access) require the existence of the AWSServiceRoleForAmazonElasticsearchService Service-Linked Role.

When performing such operations via the AWS Console, this SLR is created automatically when needed. However, this is not the behavior when using CloudFormation. If an SLR is needed, but doesn't exist, you will encounter a failure message simlar to:

Before you can proceed, you must enable a service-linked role to give Amazon ES...

To resolve this, you need to create the SLR. We recommend using the AWS CLI:

aws iam create-service-linked-role --aws-service-name es.amazonaws.com

You can also create it using the CDK, but note that only the first application deploying this will succeed:

const slr = new iam.CfnServiceLinkedRole(this, 'ElasticSLR', {
  awsServiceName: 'es.amazonaws.com'
});

Importing existing domains

To import an existing domain into your CDK application, use the Domain.fromDomainEndpoint factory method. This method accepts a domain endpoint of an already existing domain:

const domainEndpoint = 'https://my-domain-jcjotrt6f7otem4sqcwbch3c4u.us-east-1.es.amazonaws.com';
const domain = Domain.fromDomainEndpoint(this, 'ImportedDomain', domainEndpoint);

Permissions

IAM

Helper methods also exist for managing access to the domain.

const lambda = new lambda.Function(this, 'Lambda', { /* ... */ });

// Grant write access to the app-search index
domain.grantIndexWrite('app-search', lambda);

// Grant read access to the 'app-search/_search' path
domain.grantPathRead('app-search/_search', lambda);

Encryption

The domain can also be created with encryption enabled:

const domain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_4,
    ebs: {
        volumeSize: 100,
        volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD,
    },
    nodeToNodeEncryption: true,
    encryptionAtRest: {
        enabled: true,
    },
});

This sets up the domain with node to node encryption and encryption at rest. You can also choose to supply your own KMS key to use for encryption at rest.

VPC Support

Elasticsearch domains can be placed inside a VPC, providing a secure communication between Amazon ES and other services within the VPC without the need for an internet gateway, NAT device, or VPN connection.

Visit VPC Support for Amazon Elasticsearch Service Domains for more details.

const vpc = new ec2.Vpc(this, 'Vpc');
const domainProps: es.DomainProps = {
  version: es.ElasticsearchVersion.V7_1,
  removalPolicy: RemovalPolicy.DESTROY,
  vpc,
  // must be enabled since our VPC contains multiple private subnets.
  zoneAwareness: {
    enabled: true,
  },
  capacity: {
    // must be an even number since the default az count is 2.
    dataNodes: 2,
  },
};
new es.Domain(this, 'Domain', domainProps);

In addition, you can use the vpcSubnets property to control which specific subnets will be used, and the securityGroups property to control which security groups will be attached to the domain. By default, CDK will select all private subnets in the VPC, and create one dedicated security group.

Metrics

Helper methods exist to access common domain metrics for example:

const freeStorageSpace = domain.metricFreeStorageSpace();
const masterSysMemoryUtilization = domain.metric('MasterSysMemoryUtilization');

This module is part of the AWS Cloud Development Kit project.

Fine grained access control

The domain can also be created with a master user configured. The password can be supplied or dynamically created if not supplied.

const domain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_1,
    enforceHttps: true,
    nodeToNodeEncryption: true,
    encryptionAtRest: {
        enabled: true,
    },
    fineGrainedAccessControl: {
        masterUserName: 'master-user',
    },
});

const masterUserPassword = domain.masterUserPassword;

Using unsigned basic auth

For convenience, the domain can be configured to allow unsigned HTTP requests that use basic auth. Unless the domain is configured to be part of a VPC this means anyone can access the domain using the configured master username and password.

To enable unsigned basic auth access the domain is configured with an access policy that allows anyonmous requests, HTTPS required, node to node encryption, encryption at rest and fine grained access control.

If the above settings are not set they will be configured as part of enabling unsigned basic auth. If they are set with conflicting values, an error will be thrown.

If no master user is configured a default master user is created with the username admin.

If no password is configured a default master user password is created and stored in the AWS Secrets Manager as secret. The secret has the prefix <domain id>MasterUser.

const domain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_1,
    useUnsignedBasicAuth: true,
});

const masterUserPassword = domain.masterUserPassword;

Audit logs

Audit logs can be enabled for a domain, but only when fine grained access control is enabled.

const domain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_1,
    enforceHttps: true,
    nodeToNodeEncryption: true,
    encryptionAtRest: {
        enabled: true,
    },
    fineGrainedAccessControl: {
        masterUserName: 'master-user',
    },
    logging: {
        auditLogEnabled: true,
        slowSearchLogEnabled: true,
        appLogEnabled: true,
        slowIndexLogEnabled: true,
    },
});

UltraWarm

UltraWarm nodes can be enabled to provide a cost-effective way to store large amounts of read-only data.

const domain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_10,
    capacity: {
        masterNodes: 2,
        warmNodes: 2,
        warmInstanceType: 'ultrawarm1.medium.elasticsearch',
    },
});

Custom endpoint

Custom endpoints can be configured to reach the ES domain under a custom domain name.

new Domain(stack, 'Domain', {
    version: ElasticsearchVersion.V7_7,
    customEndpoint: {
        domainName: 'search.example.com',
    },
});

It is also possible to specify a custom certificate instead of the auto-generated one.

Additionally, an automatic CNAME-Record is created if a hosted zone is provided for the custom endpoint

Changelog

1.109.0 (2021-06-16)

Features

• apigateway: disable execute api endpoint (#14526) (b3a7d5b)
• aws-backup: Add arn attribute and grant method to backup vault (#14997) (04c0a07), closes #14996
• cfnspec: cloudformation spec v38.0.0 (#15044) (632d518)
• cfnspec: cloudformation spec v39.1.0 (#15144) (abc457e)
• cloudfront: add fromFile for CF functions (#14980) (31c9338), closes #14967
• codestarnotifications: new L2 constructs (#10833) (645ebe1), closes #9680
• core: allow user to provide docker --security-opt when bundling (#14682) (a418ea6)
• core: Support platform flag during asset build (#14908) (0189a9a)
• dynamodb: exposes schema method to return partition and sort key of table or secondary indexes (#15111) (1137eb7), closes #7680
• ecs-patterns: Add ability to configure VisibilityTimeout on QueueProcessing service pattern (#15052) (350d783)
• ecs-patterns: allow specifying security groups on ScheduledTask pattern (#15096) (6bdf1c0), closes #5213 #14220
• ecs-patterns: expose task target on ScheduledTask pattern (#15127) (c31c59a), closes #14971 #14953 #12609
• lambda-event-sources: streams - report batch item failures (#14458) (3d4a13e), closes #12654
• logs: make the addition of permissions to Lambda functions optional (#14222) (0c50ec9), closes #14198
• migration: add constructs migration to rewrite script (#14916) (37a4c8d)
• pipelines: add test commands to standard synth actions (#14979) (0bc8a8a)
• servicecatalog: initial implementation of the Portfolio construct (#15099) (203cc45)

Bug Fixes

• aws-iam: prevent adding duplicate resources and actions (#14712) (a8298cb), closes #13611
• cfn-include: NestedStack's Parameters are not converted to strings (#15098) (8ad33b8), closes #15092
• cli: cdk synth too eager with validation in Pipelines (#15147) (ae98e88), closes #14613 #15130
• cli: cdk synth doesn't output yaml for stacks with dependency stacks (#14805) (44feee6), closes #3721
• cli: deployment error traceback overwritten by progress bar (#14812) (d4a0af1), closes #14780
• cli: HTTP timeout is too low for some asset uploads (#13575) (23c58d6), closes #13183
• cli: option --all selects stacks in nested assemblies (#15046) (0d00e50)
• cli: partition is not being resolved at missing value lookup (#15146) (cc7191e), closes #15119
• cli: stack glob patterns only select one stack (#15071) (fcd2a6e)
• codebuild: Project's Role has permissions to the entire Bucket when using S3 as the source (#15112) (9d01b4f)
• codebuild: Secret env variable as token from another account fails on Key decryption (#14483) (91e80d7), closes #14477
• core: CloudFormation dynamic references can't be assigned to num… (#14913) (39aacc8), closes #14824
• ecs: TagParameterContainerImage cannot be used across accounts (#15073) (486f2e5), closes #15070
• kinesisanalytics-flink: set applicationName with L2 Application (#15060) (1de85f2), closes #15058
• lambda: deployment failure when layers are added to container functions (#15037) (8127cf2), closes #14143
• lambda-event-sources: kafka event source expects credentials even when accessed via vpc (#14804) (5eb1e75)
• pipelines: assets buildspec can exceed 25k size limit (#14974) (f7f367f)
• pipelines: PublishAssetsAction uses hard-coded role names (#15118) (bad9713)
• pipelines: self-update role assumes hard-coded role names (#14969) (cbd7552), closes #14877 #9271
• secretsmanager: support secrets rotation in partition 'aws-cn' (#14608) (5061a8d), closes #13385