You can use AWS CloudFormation to create Amazon OpenSearch Serverless resources such as collections, security policies, and VPC endpoints. For the comprehensive OpenSearch Serverless CloudFormation reference, see Amazon OpenSearch Serverless in the AWS CloudFormation User Guide.
The following sample CloudFormation template creates a simple data access policy, network policy, and security policy, as well as a matching collection. It's a good way to get up and running quickly with Amazon OpenSearch Serverless and provision the necessary elements to create and use a collection.
Important
This example uses public network access, which isn't recommended for production workloads. We recommend using VPC access to protect your collections. For more information, see AWS::OpenSearchServerless::VpcEndpoint and Access Amazon OpenSearch Serverless using an interface endpoint (AWS PrivateLink).
AWSTemplateFormatVersion: 2010-09-09
Description: 'Amazon OpenSearch Serverless template to create an IAM user, encryption policy, data access policy and collection'
Resources:
IAMUSer:
Type: 'AWS::IAM::User'
Properties:
UserName: aossadmin
DataAccessPolicy:
Type: 'AWS::OpenSearchServerless::AccessPolicy'
Properties:
Name: quickstart-access-policy
Type: data
Description: Access policy for quickstart collection
Policy: !Sub >-
[{"Description":"Access for cfn user","Rules":[{"ResourceType":"index","Resource":["index/*/*"],"Permission":["aoss:*"]},
{"ResourceType":"collection","Resource":["collection/quickstart"],"Permission":["aoss:*"]}],
"Principal":["arn:aws:iam::${AWS::AccountId}:user/aossadmin"]}]
NetworkPolicy:
Type: 'AWS::OpenSearchServerless::SecurityPolicy'
Properties:
Name: quickstart-network-policy
Type: network
Description: Network policy for quickstart collection
Policy: >-
[{"Rules":[{"ResourceType":"collection","Resource":["collection/quickstart"]}, {"ResourceType":"dashboard","Resource":["collection/quickstart"]}],"AllowFromPublic":true}]
EncryptionPolicy:
Type: 'AWS::OpenSearchServerless::SecurityPolicy'
Properties:
Name: quickstart-security-policy
Type: encryption
Description: Encryption policy for quickstart collection
Policy: >-
{"Rules":[{"ResourceType":"collection","Resource":["collection/quickstart"]}],"AWSOwnedKey":true}
Collection:
Type: 'AWS::OpenSearchServerless::Collection'
Properties:
Name: quickstart
Type: TIMESERIES
Description: Collection to holds timeseries data
DependsOn: EncryptionPolicy
Outputs:
IAMUser:
Value: !Ref IAMUSer
DashboardURL:
Value: !GetAtt Collection.DashboardEndpoint
CollectionARN:
Value: !GetAtt Collection.Arn