DomainProps
- class aws_cdk.aws_opensearchservice.DomainProps(*, version, access_policies=None, advanced_options=None, automated_snapshot_start_hour=None, capacity=None, cognito_dashboards_auth=None, custom_endpoint=None, domain_name=None, ebs=None, enable_version_upgrade=None, encryption_at_rest=None, enforce_https=None, fine_grained_access_control=None, logging=None, node_to_node_encryption=None, removal_policy=None, security_groups=None, tls_security_policy=None, use_unsigned_basic_auth=None, vpc=None, vpc_subnets=None, zone_awareness=None)
Bases:
objectProperties for an Amazon OpenSearch Service domain.
- Parameters:
version (
EngineVersion) – The Elasticsearch/OpenSearch version that your domain will leverage.access_policies (
Optional[Sequence[PolicyStatement]]) – Domain access policies. Default: - No access policies.advanced_options (
Optional[Mapping[str,str]]) – Additional options to specify for the Amazon OpenSearch Service domain. Default: - no advanced options are specifiedautomated_snapshot_start_hour (
Union[int,float,None]) – The hour in UTC during which the service takes an automated daily snapshot of the indices in the Amazon OpenSearch Service domain. Only applies for Elasticsearch versions below 5.3. Default: - Hourly automated snapshots not usedcapacity (
Union[CapacityConfig,Dict[str,Any],None]) – The cluster capacity configuration for the Amazon OpenSearch Service domain. Default: - 1 r5.large.search data node; no dedicated master nodes.cognito_dashboards_auth (
Union[CognitoOptions,Dict[str,Any],None]) – Configures Amazon OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards. Default: - Cognito not used for authentication to OpenSearch Dashboards.custom_endpoint (
Union[CustomEndpointOptions,Dict[str,Any],None]) – To configure a custom domain configure these options. If you specify a Route53 hosted zone it will create a CNAME record and use DNS validation for the certificate Default: - no custom domain endpoint will be configureddomain_name (
Optional[str]) – Enforces a particular physical domain name. Default: - A name will be auto-generated.ebs (
Union[EbsOptions,Dict[str,Any],None]) – The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the Amazon OpenSearch Service domain. Default: - 10 GiB General Purpose (SSD) volumes per node.enable_version_upgrade (
Optional[bool]) – To upgrade an Amazon OpenSearch Service domain to a new version, rather than replacing the entire domain resource, use the EnableVersionUpgrade update policy. Default: - falseencryption_at_rest (
Union[EncryptionAtRestOptions,Dict[str,Any],None]) – Encryption at rest options for the cluster. Default: - No encryption at restenforce_https (
Optional[bool]) – True to require that all traffic to the domain arrive over HTTPS. Default: - falsefine_grained_access_control (
Union[AdvancedSecurityOptions,Dict[str,Any],None]) – Specifies options for fine-grained access control. Requires Elasticsearch version 6.7 or later or OpenSearch version 1.0 or later. Enabling fine-grained access control also requires encryption of data at rest and node-to-node encryption, along with enforced HTTPS. Default: - fine-grained access control is disabledlogging (
Union[LoggingOptions,Dict[str,Any],None]) – Configuration log publishing configuration options. Default: - No logs are publishednode_to_node_encryption (
Optional[bool]) – Specify true to enable node to node encryption. Requires Elasticsearch version 6.0 or later or OpenSearch version 1.0 or later. Default: - Node to node encryption is not enabled.removal_policy (
Optional[RemovalPolicy]) – Policy to apply when the domain is removed from the stack. Default: RemovalPolicy.RETAINsecurity_groups (
Optional[Sequence[ISecurityGroup]]) – The list of security groups that are associated with the VPC endpoints for the domain. Only used ifvpcis specified. Default: - One new security group is created.tls_security_policy (
Optional[TLSSecurityPolicy]) – The minimum TLS version required for traffic to the domain. Default: - TLSSecurityPolicy.TLS_1_0use_unsigned_basic_auth (
Optional[bool]) – Configures the domain so that unsigned basic auth is enabled. If no master user is provided a default master user with usernameadminand a dynamically generated password stored in KMS is created. The password can be retrieved by gettingmasterUserPasswordfrom the domain instance. Setting this to true will also add an access policy that allows unsigned access, enable node to node encryption, encryption at rest. If conflicting settings are encountered (like disabling encryption at rest) enabling this setting will cause a failure. Default: - falsevpc (
Optional[IVpc]) – Place the domain inside this VPC. Default: - Domain is not placed in a VPC.vpc_subnets (
Optional[Sequence[Union[SubnetSelection,Dict[str,Any]]]]) – The specific vpc subnets the domain will be placed in. You must provide one subnet for each Availability Zone that your domain uses. For example, you must specify three subnet IDs for a three Availability Zone domain. Only used ifvpcis specified. Default: - All private subnets.zone_awareness (
Union[ZoneAwarenessConfig,Dict[str,Any],None]) – The cluster zone awareness configuration for the Amazon OpenSearch Service domain. Default: - no zone awareness (1 AZ)
- ExampleMetadata:
infused
Example:
domain = opensearch.Domain(self, "Domain", version=opensearch.EngineVersion.OPENSEARCH_1_0, ebs=opensearch.EbsOptions( volume_size=100, volume_type=ec2.EbsDeviceVolumeType.GENERAL_PURPOSE_SSD ), node_to_node_encryption=True, encryption_at_rest=opensearch.EncryptionAtRestOptions( enabled=True ) )
Attributes
- access_policies
Domain access policies.
- Default:
No access policies.
- advanced_options
Additional options to specify for the Amazon OpenSearch Service domain.
- Default:
no advanced options are specified
- See:
- automated_snapshot_start_hour
The hour in UTC during which the service takes an automated daily snapshot of the indices in the Amazon OpenSearch Service domain.
Only applies for Elasticsearch versions below 5.3.
- Default:
Hourly automated snapshots not used
- capacity
The cluster capacity configuration for the Amazon OpenSearch Service domain.
- Default:
1 r5.large.search data node; no dedicated master nodes.
- cognito_dashboards_auth
Configures Amazon OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.
- Default:
Cognito not used for authentication to OpenSearch Dashboards.
- custom_endpoint
To configure a custom domain configure these options.
If you specify a Route53 hosted zone it will create a CNAME record and use DNS validation for the certificate
- Default:
no custom domain endpoint will be configured
- domain_name
Enforces a particular physical domain name.
- Default:
A name will be auto-generated.
- ebs
The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the Amazon OpenSearch Service domain.
- Default:
10 GiB General Purpose (SSD) volumes per node.
- enable_version_upgrade
To upgrade an Amazon OpenSearch Service domain to a new version, rather than replacing the entire domain resource, use the EnableVersionUpgrade update policy.
- encryption_at_rest
Encryption at rest options for the cluster.
- Default:
No encryption at rest
- enforce_https
True to require that all traffic to the domain arrive over HTTPS.
- Default:
false
- fine_grained_access_control
Specifies options for fine-grained access control.
Requires Elasticsearch version 6.7 or later or OpenSearch version 1.0 or later. Enabling fine-grained access control also requires encryption of data at rest and node-to-node encryption, along with enforced HTTPS.
- Default:
fine-grained access control is disabled
- logging
Configuration log publishing configuration options.
- Default:
No logs are published
- node_to_node_encryption
Specify true to enable node to node encryption.
Requires Elasticsearch version 6.0 or later or OpenSearch version 1.0 or later.
- Default:
Node to node encryption is not enabled.
- removal_policy
Policy to apply when the domain is removed from the stack.
- Default:
RemovalPolicy.RETAIN
- security_groups
The list of security groups that are associated with the VPC endpoints for the domain.
Only used if
vpcis specified.- Default:
One new security group is created.
- See:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
- tls_security_policy
The minimum TLS version required for traffic to the domain.
- Default:
TLSSecurityPolicy.TLS_1_0
- use_unsigned_basic_auth
Configures the domain so that unsigned basic auth is enabled.
If no master user is provided a default master user with username
adminand a dynamically generated password stored in KMS is created. The password can be retrieved by gettingmasterUserPasswordfrom the domain instance.Setting this to true will also add an access policy that allows unsigned access, enable node to node encryption, encryption at rest. If conflicting settings are encountered (like disabling encryption at rest) enabling this setting will cause a failure.
- Default:
false
- version
The Elasticsearch/OpenSearch version that your domain will leverage.
- vpc
Place the domain inside this VPC.
- Default:
Domain is not placed in a VPC.
- See:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html
- vpc_subnets
The specific vpc subnets the domain will be placed in.
You must provide one subnet for each Availability Zone that your domain uses. For example, you must specify three subnet IDs for a three Availability Zone domain.
Only used if
vpcis specified.- Default:
All private subnets.
- See:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html
- zone_awareness
The cluster zone awareness configuration for the Amazon OpenSearch Service domain.
- Default:
no zone awareness (1 AZ)