rds: Serverless cluster enableHttpEndpoint renamed to enableDataApi
stepfunctions-tasks: type of outputLocation in the experimental Athena StartQueryExecution has been changed to s3.Location from string

Features

apigatewayv2: http api - endpoint url (#11092) (c200413), closes #10651
apigatewayv2: vpc link and private integrations (#11198) (e87a6a3), closes #10531 #10119 aws/jsii#1947
appmesh: add Virtual Gateways and Gateway Routes (#10879) (79200e7)
appsync: add RDS datasource (#9258) (23d0943), closes #9152
appsync: support custom cloudWatchLogsRoleArn for GraphqlApi (#10357) (bed89a5), closes #9441
ec2: Add Lambda interface endpoint (#11260) (9d0c935), closes #11259
intro "Names.uniqueId()" instead of the deprecated "node.uniqueId" (#11166) (5e433b1), closes aws/constructs#314
ecs-patterns: add option to create cname instead of alias record (#10812) (89a5055)
ecs-service-extensions: create an Environment from attributes (#10932) (d395b5e), closes #10931
rds: add grant method for Data API (#10748) (884539b), closes #10744

Bug Fixes

apigateway: changes to gateway response does not trigger auto deployment (#11068) (0c8264a), closes #10963
cfnspec: incorrect Route 53 health check configuration properties in CloudFormation specification (#11280) (f3c8b50), closes #issuecomment-717435271 #11096
cli: --no-previous-parameters incorrectly skips updates (#11288) (1bfc649)
core: many nested stacks make NodeJS run out of memory (#11250) (c124886)
core: multiple library copies lead to 'Assets must be defined within Stage or App' error (#11113) (fcfed39), closes #10314
core: support docker engine v20.10.0-beta1 (#11124) (87887a3)
dynamodb: Misconfigured metrics causing empty graphs (#11283) (9968669)
ecs: redirect config should honor openListener flag (#11115) (ed6e7ed)
event-targets: circular dependency when the lambda target is in a different stack (#11217) (e21f249), closes #10942
pipelines: asset stage can't support more than 50 assets (#11284) (5db8e80), closes #9353
secretsmanager: can't export secret name from Secret (#11202) (5dcdecb), closes #10914
secretsmanager: Secret.fromSecretName doesn't work with ECS (#11042) (fe1ce73), closes #10309 #10519
stepfunctions: stack overflow when referenced json path finding encounters a circular object graph (#11225) (f14d823), closes #9319
stepfunctions-tasks: Athena* APIs have incorrect supported integration patterns (#11188) (0f66833), closes #11045 #11246
stepfunctions-tasks: incorrect S3 permissions for AthenaStartQueryExecution (#11203) (b35c423)
explicitly set the 'ImagePullPrincipalType' of image (#11264) (29aa223), closes #10569

Readme

Source

Amazon Elasticsearch Service Construct Library

Features	Stability
CFN Resources
Higher level constructs for Domain

CFN Resources: All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

Experimental: Higher level constructs in this module that are marked as experimental are under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.

Create a development cluster by simply specifying the version:

import * as es from '@aws-cdk/aws-elasticsearch';

const devDomain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_1,
});

Create a production grade cluster by also specifying things like capacity and az distribution

const prodDomain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_1,
    capacity: {
        masterNodes: 5,
        dataNodes: 20
    },
    ebs: {
        volumeSize: 20
    },
    zoneAwareness: {
        availabilityZoneCount: 3
    },
    logging: {
        slowSearchLogEnabled: true,
        appLogEnabled: true,
        slowIndexLogEnabled: true,
    },
});

This creates an Elasticsearch cluster and automatically sets up log groups for logging the domain logs and slow search logs.

Importing existing domains

To import an existing domain into your CDK application, use the Domain.fromDomainEndpoint factory method. This method accepts a domain endpoint of an already existing domain:

const domainEndpoint = 'https://my-domain-jcjotrt6f7otem4sqcwbch3c4u.us-east-1.es.amazonaws.com';
const domain = Domain.fromDomainEndpoint(this, 'ImportedDomain', domainEndpoint);

Permissions

IAM

Helper methods also exist for managing access to the domain.

const lambda = new lambda.Function(this, 'Lambda', { /* ... */ });

// Grant write access to the app-search index
domain.grantIndexWrite('app-search', lambda);

// Grant read access to the 'app-search/_search' path
domain.grantPathRead('app-search/_search', lambda);

Encryption

The domain can also be created with encryption enabled:

const domain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_4,
    ebs: {
        volumeSize: 100,
        volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD,
    },
    nodeToNodeEncryption: true,
    encryptionAtRest: {
        enabled: true,
    },
});

This sets up the domain with node to node encryption and encryption at rest. You can also choose to supply your own KMS key to use for encryption at rest.

Metrics

Helper methods exist to access common domain metrics for example:

const freeStorageSpace = domain.metricFreeStorageSpace();
const masterSysMemoryUtilization = domain.metric('MasterSysMemoryUtilization');

This module is part of the AWS Cloud Development Kit project.

Fine grained access control

The domain can also be created with a master user configured. The password can be supplied or dynamically created if not supplied.

const domain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_1,
    enforceHttps: true,
    nodeToNodeEncryption: true,
    encryptionAtRest: {
        enabled: true,
    },
    fineGrainedAccessControl: {
        masterUserName: 'master-user',
    },
});

const masterUserPassword = domain.masterUserPassword;

Using unsigned basic auth

For convenience, the domain can be configured to allow unsigned HTTP requests that use basic auth. Unless the domain is configured to be part of a VPC this means anyone can access the domain using the configured master username and password.

To enable unsigned basic auth access the domain is configured with an access policy that allows anyonmous requests, HTTPS required, node to node encryption, encryption at rest and fine grained access control.

If the above settings are not set they will be configured as part of enabling unsigned basic auth. If they are set with conflicting values, an error will be thrown.

If no master user is configured a default master user is created with the username admin.

If no password is configured a default master user password is created and stored in the AWS Secrets Manager as secret. The secret has the prefix <domain id>MasterUser.

const domain = new es.Domain(this, 'Domain', {
    version: es.ElasticsearchVersion.V7_1,
    useUnsignedBasicAuth: true,
});

const masterUserPassword = domain.masterUserPassword;

Keywords

FAQs

What is @aws-cdk/aws-elasticsearch?

Is @aws-cdk/aws-elasticsearch popular?

Is @aws-cdk/aws-elasticsearch well maintained?

Last updated on 06 Nov 2020

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install