AWS::OpenSearchService::Domain
The AWS::OpenSearchService::Domain resource creates an Amazon OpenSearch Service domain.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::OpenSearchService::Domain", "Properties" : { "AccessPolicies" :Json, "AdvancedOptions" :{, "AdvancedSecurityOptions" :Key:Value, ...}AdvancedSecurityOptionsInput, "ClusterConfig" :ClusterConfig, "CognitoOptions" :CognitoOptions, "DomainEndpointOptions" :DomainEndpointOptions, "DomainName" :String, "EBSOptions" :EBSOptions, "EncryptionAtRestOptions" :EncryptionAtRestOptions, "EngineVersion" :String, "IdentityCenterOptions" :IdentityCenterOptions, "IPAddressType" :String, "LogPublishingOptions" :{, "NodeToNodeEncryptionOptions" :Key:Value, ...}NodeToNodeEncryptionOptions, "OffPeakWindowOptions" :OffPeakWindowOptions, "SkipShardMigrationWait" :Boolean, "SnapshotOptions" :SnapshotOptions, "SoftwareUpdateOptions" :SoftwareUpdateOptions, "Tags" :[ Tag, ... ], "VPCOptions" :VPCOptions} }
YAML
Type: AWS::OpenSearchService::Domain Properties: AccessPolicies:JsonAdvancedOptions:AdvancedSecurityOptions:Key:ValueAdvancedSecurityOptionsInputClusterConfig:ClusterConfigCognitoOptions:CognitoOptionsDomainEndpointOptions:DomainEndpointOptionsDomainName:StringEBSOptions:EBSOptionsEncryptionAtRestOptions:EncryptionAtRestOptionsEngineVersion:StringIdentityCenterOptions:IdentityCenterOptionsIPAddressType:StringLogPublishingOptions:NodeToNodeEncryptionOptions:Key:ValueNodeToNodeEncryptionOptionsOffPeakWindowOptions:OffPeakWindowOptionsSkipShardMigrationWait:BooleanSnapshotOptions:SnapshotOptionsSoftwareUpdateOptions:SoftwareUpdateOptionsTags:- TagVPCOptions:VPCOptions
Properties
AccessPolicies-
An AWS Identity and Access Management (IAM) policy document that specifies who can access the OpenSearch Service domain and their permissions. For more information, see Configuring access policies in the Amazon OpenSearch Service Developer Guide.
Required: No
Type: Json
Update requires: No interruption
AdvancedOptions-
Additional options to specify for the OpenSearch Service domain. For more information, see AdvancedOptions in the OpenSearch Service API reference.
Required: No
Type: Object of String
Pattern:
[a-zA-Z0-9]+Update requires: No interruption
AdvancedSecurityOptions-
Specifies options for fine-grained access control and SAML authentication.
If you specify advanced security options, you must also enable node-to-node encryption (NodeToNodeEncryptionOptions) and encryption at rest (EncryptionAtRestOptions). You must also enable
EnforceHTTPSwithin DomainEndpointOptions, which requires HTTPS for all traffic to the domain.Required: No
Type: AdvancedSecurityOptionsInput
Update requires: No interruption
ClusterConfig-
Container for the cluster configuration of a domain.
Required: No
Type: ClusterConfig
Update requires: No interruption
CognitoOptions-
Configures OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.
Required: No
Type: CognitoOptions
Update requires: No interruption
DomainEndpointOptions-
Specifies additional options for the domain endpoint, such as whether to require HTTPS for all traffic or whether to use a custom endpoint rather than the default endpoint.
Required: No
Type: DomainEndpointOptions
Update requires: No interruption
DomainName-
A name for the OpenSearch Service domain. The name must have a minimum length of 3 and a maximum length of 28. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the domain name. For more information, see Name Type.
Required when creating a new domain.
Important
If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
Required: Conditional
Type: String
Update requires: Replacement
EBSOptions-
The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the OpenSearch Service domain. For more information, see EBS volume size limits in the Amazon OpenSearch Service Developer Guide.
Required: No
Type: EBSOptions
Update requires: No interruption
EncryptionAtRestOptions-
Whether the domain should encrypt data at rest, and if so, the AWS KMS key to use. See Encryption of data at rest for Amazon OpenSearch Service.
If no encryption at rest options were initially specified in the template, updating this property by adding it causes no interruption. However, if you change this property after it's already been set within a template, the domain is deleted and recreated in order to modify the property.
Required: No
Type: EncryptionAtRestOptions
Update requires: Some interruptions
EngineVersion-
The version of OpenSearch to use. The value must be in the format
OpenSearch_X.YorElasticsearch_X.Y. If not specified, the latest version of OpenSearch is used. For information about the versions that OpenSearch Service supports, see Supported versions of OpenSearch and Elasticsearch in the Amazon OpenSearch Service Developer Guide.If you set the EnableVersionUpgrade update policy to
true, you can updateEngineVersionwithout interruption. WhenEnableVersionUpgradeis set tofalse, or is not specified, updatingEngineVersionresults in replacement.Required: Conditional
Type: String
Pattern:
^Elasticsearch_[0-9]{1}\.[0-9]{1,2}$|^OpenSearch_[0-9]{1,2}\.[0-9]{1,2}$Minimum:
14Maximum:
18Update requires: No interruption
IdentityCenterOptions-
Container for IAM Identity Center Option control for the domain.
Required: No
Type: IdentityCenterOptions
Update requires: No interruption
IPAddressType-
Choose either dual stack or IPv4 as your IP address type. Dual stack allows you to share domain resources across IPv4 and IPv6 address types, and is the recommended option. If you set your IP address type to dual stack, you can't change your address type later.
Required: No
Type: String
Update requires: No interruption
LogPublishingOptions-
An object with one or more of the following keys:
SEARCH_SLOW_LOGS,ES_APPLICATION_LOGS,INDEX_SLOW_LOGS,AUDIT_LOGS, depending on the types of logs you want to publish. Each key needs a validLogPublishingOptionvalue. For the full syntax, see the examples.Required: No
Type: Object of LogPublishingOption
Update requires: No interruption
NodeToNodeEncryptionOptions-
Specifies whether node-to-node encryption is enabled. See Node-to-node encryption for Amazon OpenSearch Service.
Required: No
Type: NodeToNodeEncryptionOptions
Update requires: No interruption
OffPeakWindowOptions-
Options for a domain's off-peak window, during which OpenSearch Service can perform mandatory configuration changes on the domain.
Required: No
Type: OffPeakWindowOptions
Update requires: No interruption
SkipShardMigrationWaitProperty description not available.
Required: No
Type: Boolean
Update requires: No interruption
SnapshotOptions-
DEPRECATED. The automated snapshot configuration for the OpenSearch Service domain indexes.
Required: No
Type: SnapshotOptions
Update requires: No interruption
SoftwareUpdateOptions-
Service software update options for the domain.
Required: No
Type: SoftwareUpdateOptions
Update requires: No interruption
-
An arbitrary set of tags (key–value pairs) to associate with the OpenSearch Service domain.
Required: No
Type: Array of Tag
Update requires: No interruption
VPCOptions-
The virtual private cloud (VPC) configuration for the OpenSearch Service domain. For more information, see Launching your Amazon OpenSearch Service domains within a VPC in the Amazon OpenSearch Service Developer Guide.
If you remove this entity altogether, along with its associated properties, it causes a replacement. You might encounter this scenario if you're updating your security configuration from a VPC to a public endpoint.
Required: No
Type: VPCOptions
Update requires: Some interruptions
Return values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref
returns the resource name, such as mystack-abc1d2efg3h4. For more
information about using the Ref function, see Ref.
Fn::GetAtt
GetAtt returns a value for a specified attribute of this type. For more information, see Fn::GetAtt. The following are the available attributes and sample return values.
AdvancedSecurityOptions.AnonymousAuthDisableDate-
Date and time when the migration period will be disabled. Only necessary when enabling fine-grained access control on an existing domain.
Arn-
The Amazon Resource Name (ARN) of the CloudFormation stack.
DomainArn-
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using AWS Identity and Access Management for more information.
DomainEndpoint-
The domain-specific endpoint used for requests to the OpenSearch APIs, such as
search-mystack-1ab2cdefghij-ab1c2deckoyb3hofw7wpqa3cm.us-west-1.es.amazonaws.com. DomainEndpointV2-
If
IPAddressTypeto set todualstack, a version 2 domain endpoint is provisioned. This endpoint functions like a normal endpoint, except that it works with both IPv4 and IPv6 IP addresses. Normal endpoints work only with IPv4 IP addresses. Id-
The resource ID. For example,
123456789012/my-domain. IdentityCenterOptions.IdentityCenterApplicationARN-
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using AWS Identity and Access Management for more information.
IdentityCenterOptions.IdentityStoreIdProperty description not available.
Remarks
Migrating stacks from Elasticsearch to OpenSearch
Important
You can't directly update CloudFormation templates to use the
AWS::OpenSearchService::Domain resource in place of
AWS::Elasticsearch::Domain, otherwise the corresponding domain will be
deleted along with all of its data.
Perform the following steps to migrate an Elasticsearch domain to an OpenSearch domain if the domain is defined within CloudFormation.
Step 1: Prepare your existing stack for deprecation
Make a copy of your original CloudFormation template, which contains the Elasticsearch
domain resource, for use in step 3. Then add the following attributes to the Elasticsearch
domain resource at the same level as Type and Properties.
DeletionPolicy: Retain
UpdateReplacePolicy: Retain
These settings ensure that CloudFormation doesn't delete or modify the corresponding domain when you delete this resource from your stack. If you have other custom resources defined in the stack that aren't critically important during the short migration period, you can delete them from the template and they'll be recreated when you create the new stack.
Step 2: Upgrade your domain to OpenSearch
After you add the two policy attributes to your template, upgrade your domain to an OpenSearch version using the normal upgrade process. For instructions, see Starting an upgrade. Make sure to take a snapshot of your domain before upgrading it to prevent accidental loss of data.
Step 3: Create a new CloudFormation template
While you wait for the upgrade to complete, prepare your new OpenSearch template. Using the copy of your original template that you made in step 1, make the following changes:
-
Change the domain resource type from
AWS::Elasticsearch::DomaintoAWS::OpenSearchService::Domain. -
Add the
DeletionPolicyandUpdateReplacePolicyattributes to the resource, as you did in step 1. -
Change
ElasticsearchVersiontoEngineVersionand set its value toOpenSearch_1.0(or whichever version of OpenSearch you want to upgrade to). -
If your resource contains
ElasticsearchClusterConfig, change it toClusterConfig. -
Change the suffixes of all instance types from
.elasticsearchto.search. -
If there are any
Fn::GetAttor!GetAttreferences to your domain ARN, change them to!GetAtt MyDomain.Arn. -
Comment out any resources not currently within the stack (most likely everything except
AWS::OpenSearchService::Domain).
See the next section for examples that demonstrate the new format.
Step 4: Import the OpenSearch stack
Once your domain upgrade finishes, you can import the new stack. Within CloudFormation, choose Create stack and With existing resources (import resources), then upload the template you created in the previous step.
CloudFormation prompts you for the name (identifier value) of the existing domain. Copy the domain name directly from the OpenSearch console. Give the stack a name that's different from the current one, then choose Import resources.
After the stack is created, uncomment any related resources from the stack and update it
to ensure they're recreated. You can remove the DeletionPolicy and
UpdateReplacePolicy attributes if you want, but they can help prevent
accidental deletions in the future.
Step 5: Delete the Elasticsearch stack
Now that your new stack is created, delete the old stack which contains the legacy Elasticsearch resource.
Important
Before deleting the old stack, make absolutely sure that the template contains the
DeletionPolicy: Retain attribute.
*The above steps were partially derived from this blog
post
Examples
Create an OpenSearch Service domain that contains two data nodes and three master nodes
The following example creates an OpenSearch Service domain running OpenSearch 1.0 that contains two data nodes and three dedicated master nodes. The domain has 40 GiB of storage and enables log publishing for application logs, search slow logs, and index slow logs. The access policy permits the root user for the AWS account to make all HTTP requests to the domain, such as indexing documents or searching indexes.
JSON
"OpenSearchServiceDomain": { "Type":"AWS::OpenSearchService::Domain", "Properties": { "DomainName": "test", "EngineVersion": "OpenSearch_1.0", "ClusterConfig": { "DedicatedMasterEnabled": true, "InstanceCount": "2", "ZoneAwarenessEnabled": true, "InstanceType": "m3.medium.search", "DedicatedMasterType": "m3.medium.search", "DedicatedMasterCount": "3" }, "EBSOptions":{ "EBSEnabled": true, "Iops": "0", "VolumeSize": "20", "VolumeType": "gp2" }, "AccessPolicies": { "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/opensearch-user" }, "Action":"es:*", "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*" } ] }, "LogPublishingOptions": { "ES_APPLICATION_LOGS": { "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-application-logs", "Enabled": true }, "SEARCH_SLOW_LOGS": { "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-slow-logs", "Enabled": true }, "INDEX_SLOW_LOGS": { "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-index-slow-logs", "Enabled": true } }, "AdvancedOptions": { "rest.action.multi.allow_explicit_index": "true", "override_main_response_version": "true" } } }
YAML
OpenSearchServiceDomain: Type: AWS::OpenSearchService::Domain Properties: DomainName: 'test' EngineVersion: 'OpenSearch_1.0' ClusterConfig: DedicatedMasterEnabled: true InstanceCount: '2' ZoneAwarenessEnabled: true InstanceType: 'm3.medium.search' DedicatedMasterType: 'm3.medium.search' DedicatedMasterCount: '3' EBSOptions: EBSEnabled: true Iops: '0' VolumeSize: '20' VolumeType: 'gp2' AccessPolicies: Version: '2012-10-17' Statement: - Effect: 'Allow' Principal: AWS: 'arn:aws:iam::123456789012:user/opensearch-user' Action: 'es:*' Resource: 'arn:aws:es:us-east-1:846973539254:domain/test/*' LogPublishingOptions: ES_APPLICATION_LOGS: CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-application-logs' Enabled: true SEARCH_SLOW_LOGS: CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-slow-logs' Enabled: true INDEX_SLOW_LOGS: CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-index-slow-logs' Enabled: true AdvancedOptions: rest.action.multi.allow_explicit_index: 'true' override_main_response_version: 'true'
Create a domain with VPC options
The following example creates a domain with VPC options.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "OpenSearchServiceDomain resource", "Parameters": { "DomainName": { "Description": "User-defined OpenSearch domain name", "Type": "String" }, "EngineVersion": { "Description": "User-defined OpenSearch version", "Type": "String" }, "InstanceType": { "Type": "String" }, "AvailabilityZone": { "Type": "String" }, "CidrBlock": { "Type": "String" }, "GroupDescription": { "Type": "String" }, "SGName": { "Type": "String" } }, "Resources": { "OpenSearchServiceDomain": { "Type": "AWS::OpenSearchService::Domain", "Properties": { "DomainName": { "Ref": "DomainName" }, "EngineVersion": { "Ref": "EngineVersion" }, "ClusterConfig": { "InstanceCount": "1", "InstanceType": { "Ref": "InstanceType" } }, "EBSOptions": { "EBSEnabled": true, "Iops": "0", "VolumeSize": "10", "VolumeType": "standard" }, "AccessPolicies": { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "es:*", "Resource": "*" } ] }, "AdvancedOptions": { "rest.action.multi.allow_explicit_index": "true", "override_main_response_version": "true" }, "Tags": [ { "Key": "foo", "Value": "bar" } ], "VPCOptions": { "SubnetIds": [ { "Ref": "subnet" } ], "SecurityGroupIds": [ { "Ref": "mySecurityGroup" } ] } } }, "vpc": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16" } }, "subnet": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "vpc" }, "CidrBlock": { "Ref": "CidrBlock" }, "AvailabilityZone": { "Ref": "AvailabilityZone" } } }, "mySecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": { "Ref": "GroupDescription" }, "VpcId": { "Ref": "vpc" }, "GroupName": { "Ref": "SGName" }, "SecurityGroupIngress": [ { "FromPort": 443, "IpProtocol": "tcp", "ToPort": 443, "CidrIp": "0.0.0.0/0" } ] } } }, "Outputs": { "Arn": { "Value": { "Fn::GetAtt": [ "OpenSearchServiceDomain", "Arn" ] } }, "DomainEndpoint": { "Value": { "Fn::GetAtt": [ "OpenSearchServiceDomain", "DomainEndpoint" ] } }, "SecurityGroupId": { "Value": { "Ref": "mySecurityGroup" } }, "SubnetId": { "Value": { "Ref": "subnet" } } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Description: OpenSearchServiceDomain resource Parameters: DomainName: Description: User-defined OpenSearch domain name Type: String EngineVersion: Description: User-defined OpenSearch version Type: String InstanceType: Type: String AvailabilityZone: Type: String CidrBlock: Type: String GroupDescription: Type: String SGName: Type: String Resources: OpenSearchServiceDomain: Type: 'AWS::OpenSearchService::Domain' Properties: DomainName: Ref: DomainName EngineVersion: Ref: EngineVersion ClusterConfig: InstanceCount: '1' InstanceType: Ref: InstanceType EBSOptions: EBSEnabled: true Iops: '0' VolumeSize: '10' VolumeType: 'standard' AccessPolicies: Version: '2012-10-17' Statement: - Effect: Deny Principal: AWS: '*' Action: 'es:*' Resource: '*' AdvancedOptions: rest.action.multi.allow_explicit_index: 'true' override_main_response_version: 'true' Tags: - Key: foo Value: bar VPCOptions: SubnetIds: - Ref: subnet SecurityGroupIds: - Ref: mySecurityGroup vpc: Type: 'AWS::EC2::VPC' Properties: CidrBlock: 10.0.0.0/16 subnet: Type: 'AWS::EC2::Subnet' Properties: VpcId: Ref: vpc CidrBlock: Ref: CidrBlock AvailabilityZone: Ref: AvailabilityZone mySecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: GroupDescription: Ref: GroupDescription VpcId: Ref: vpc GroupName: Ref: SGName SecurityGroupIngress: - FromPort: 443 IpProtocol: tcp ToPort: 443 CidrIp: 0.0.0.0/0 Outputs: Arn: Value: 'Fn::GetAtt': - OpenSearchServiceDomain - Arn DomainEndpoint: Value: 'Fn::GetAtt': - OpenSearchServiceDomain - DomainEndpoint SecurityGroupId: Value: Ref: mySecurityGroup SubnetId: Value: Ref: subnet
Create a domain with fine-grained access control
The following example creates a domain with fine-grained access control.
JSON
{ "OpenSearchServiceDomain": { "Type": "AWS::OpenSearchService::Domain", "Properties": { "DomainName": "my-domain-logs", "EngineVersion": "OpenSearch_1.0", "ClusterConfig": { "InstanceCount": 2, "InstanceType": "r6g.xlarge.search", "DedicatedMasterEnabled": true, "DedicatedMasterCount": 3, "DedicatedMasterType": "r6g.xlarge.search" }, "EBSOptions": { "EBSEnabled": true, "VolumeSize": 10, "VolumeType": "gp2" }, "AccessPolicies": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::478253424788:role/Admin" }, "Action": "es:*", "Resource": "arn:aws:es:us-east-1:478253424788:domain/my-domain-logs/*" } } }, "AdvancedSecurityOptions": { "Enabled": true, "InternalUserDatabaseEnabled": true, "MasterUserOptions": { "MasterUserName": "<username>", "MasterUserPassword": "<password>" } } } }
YAML
OpenSearchServiceDomain: Type: 'AWS::OpenSearchService::Domain' Properties: DomainName: my-domain-logs EngineVersion: OpenSearch_1.0 ClusterConfig: InstanceCount: 2 InstanceType: r6g.xlarge.search DedicatedMasterEnabled: true DedicatedMasterCount: 3 DedicatedMasterType: r6g.xlarge.search EBSOptions: EBSEnabled: true VolumeSize: 10 VolumeType: gp2 AccessPolicies: Version: '2012-10-17' Statement: Effect: Allow Principal: AWS: 'arn:aws:iam::478253424788:role/Admin' Action: 'es:*' Resource: 'arn:aws:es:us-east-1:478253424788:domain/my-domain-logs/*' AdvancedSecurityOptions: Enabled: true InternalUserDatabaseEnabled: true MasterUserOptions: MasterUserName: <username> MasterUserPassword: <password>
