@aws-solutions-constructs/aws-lambda-opensearch 2.26.0

@@ -0,0 +1,1037 @@
1
+ {
2
+ "Resources": {
3
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A": {
4
+ "Type": "AWS::IAM::Role",
5
+ "Properties": {
6
+ "AssumeRolePolicyDocument": {
7
+ "Statement": [
8
+ {
9
+ "Action": "sts:AssumeRole",
10
+ "Effect": "Allow",
11
+ "Principal": {
12
+ "Service": "lambda.amazonaws.com"
13
+ }
14
+ }
15
+ ],
16
+ "Version": "2012-10-17"
17
+ },
18
+ "Policies": [
19
+ {
20
+ "PolicyDocument": {
21
+ "Statement": [
22
+ {
23
+ "Action": [
24
+ "logs:CreateLogGroup",
25
+ "logs:CreateLogStream",
26
+ "logs:PutLogEvents"
27
+ ],
28
+ "Effect": "Allow",
29
+ "Resource": {
30
+ "Fn::Join": [
31
+ "",
32
+ [
33
+ "arn:",
34
+ {
35
+ "Ref": "AWS::Partition"
36
+ },
37
+ ":logs:",
38
+ {
39
+ "Ref": "AWS::Region"
40
+ },
41
+ ":",
42
+ {
43
+ "Ref": "AWS::AccountId"
44
+ },
45
+ ":log-group:/aws/lambda/*"
46
+ ]
47
+ ]
48
+ }
49
+ }
50
+ ],
51
+ "Version": "2012-10-17"
52
+ },
53
+ "PolicyName": "LambdaFunctionServiceRolePolicy"
54
+ }
55
+ ]
56
+ }
57
+ },
58
+ "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359": {
59
+ "Type": "AWS::IAM::Policy",
60
+ "Properties": {
61
+ "PolicyDocument": {
62
+ "Statement": [
63
+ {
64
+ "Action": [
65
+ "ec2:CreateNetworkInterface",
66
+ "ec2:DescribeNetworkInterfaces",
67
+ "ec2:DeleteNetworkInterface",
68
+ "ec2:AssignPrivateIpAddresses",
69
+ "ec2:UnassignPrivateIpAddresses"
70
+ ],
71
+ "Effect": "Allow",
72
+ "Resource": "*"
73
+ },
74
+ {
75
+ "Action": [
76
+ "xray:PutTraceSegments",
77
+ "xray:PutTelemetryRecords"
78
+ ],
79
+ "Effect": "Allow",
80
+ "Resource": "*"
81
+ }
82
+ ],
83
+ "Version": "2012-10-17"
84
+ },
85
+ "PolicyName": "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359",
86
+ "Roles": [
87
+ {
88
+ "Ref": "testlambdaopensearchLambdaFunctionServiceRole4722AB8A"
89
+ }
90
+ ]
91
+ },
92
+ "Metadata": {
93
+ "cfn_nag": {
94
+ "rules_to_suppress": [
95
+ {
96
+ "id": "W12",
97
+ "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC."
98
+ }
99
+ ]
100
+ }
101
+ }
102
+ },
103
+ "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC": {
104
+ "Type": "AWS::EC2::SecurityGroup",
105
+ "Properties": {
106
+ "GroupDescription": "vpc-props/test-lambda-opensearch/ReplaceDefaultSecurityGroup-security-group",
107
+ "SecurityGroupEgress": [
108
+ {
109
+ "CidrIp": "0.0.0.0/0",
110
+ "Description": "Allow all outbound traffic by default",
111
+ "IpProtocol": "-1"
112
+ }
113
+ ],
114
+ "VpcId": {
115
+ "Ref": "Vpc8378EB38"
116
+ }
117
+ },
118
+ "Metadata": {
119
+ "cfn_nag": {
120
+ "rules_to_suppress": [
121
+ {
122
+ "id": "W5",
123
+ "reason": "Egress of 0.0.0.0/0 is default and generally considered OK"
124
+ },
125
+ {
126
+ "id": "W40",
127
+ "reason": "Egress IPProtocol of -1 is default and generally considered OK"
128
+ }
129
+ ]
130
+ }
131
+ }
132
+ },
133
+ "testlambdaopensearchLambdaFunction93FD38F7": {
134
+ "Type": "AWS::Lambda::Function",
135
+ "Properties": {
136
+ "Code": {
137
+ "S3Bucket": "cdk-hnb659fds-assets-12345678-test-region",
138
+ "S3Key": "abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290.zip"
139
+ },
140
+ "Role": {
141
+ "Fn::GetAtt": [
142
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
143
+ "Arn"
144
+ ]
145
+ },
146
+ "Environment": {
147
+ "Variables": {
148
+ "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1",
149
+ "DOMAIN_ENDPOINT": {
150
+ "Fn::GetAtt": [
151
+ "testlambdaopensearchOpenSearchDomainF9CCC3D3",
152
+ "DomainEndpoint"
153
+ ]
154
+ }
155
+ }
156
+ },
157
+ "Handler": "index.handler",
158
+ "Runtime": "nodejs14.x",
159
+ "TracingConfig": {
160
+ "Mode": "Active"
161
+ },
162
+ "VpcConfig": {
163
+ "SecurityGroupIds": [
164
+ {
165
+ "Fn::GetAtt": [
166
+ "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC",
167
+ "GroupId"
168
+ ]
169
+ }
170
+ ],
171
+ "SubnetIds": [
172
+ {
173
+ "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
174
+ },
175
+ {
176
+ "Ref": "VpcisolatedSubnet2Subnet39217055"
177
+ },
178
+ {
179
+ "Ref": "VpcisolatedSubnet3Subnet44F2537D"
180
+ }
181
+ ]
182
+ }
183
+ },
184
+ "DependsOn": [
185
+ "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359",
186
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
187
+ "VpcisolatedSubnet1RouteTableAssociationD259E31A",
188
+ "VpcisolatedSubnet2RouteTableAssociation25A4716F",
189
+ "VpcisolatedSubnet3RouteTableAssociationDC010BEB"
190
+ ],
191
+ "Metadata": {
192
+ "cfn_nag": {
193
+ "rules_to_suppress": [
194
+ {
195
+ "id": "W58",
196
+ "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions."
197
+ },
198
+ {
199
+ "id": "W89",
200
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
201
+ },
202
+ {
203
+ "id": "W92",
204
+ "reason": "Impossible for us to define the correct concurrency for clients"
205
+ }
206
+ ]
207
+ }
208
+ }
209
+ },
210
+ "testlambdaopensearchCognitoUserPoolA09096F9": {
211
+ "Type": "AWS::Cognito::UserPool",
212
+ "Properties": {
213
+ "AccountRecoverySetting": {
214
+ "RecoveryMechanisms": [
215
+ {
216
+ "Name": "verified_phone_number",
217
+ "Priority": 1
218
+ },
219
+ {
220
+ "Name": "verified_email",
221
+ "Priority": 2
222
+ }
223
+ ]
224
+ },
225
+ "AdminCreateUserConfig": {
226
+ "AllowAdminCreateUserOnly": true
227
+ },
228
+ "EmailVerificationMessage": "The verification code to your new account is {####}",
229
+ "EmailVerificationSubject": "Verify your new account",
230
+ "SmsVerificationMessage": "The verification code to your new account is {####}",
231
+ "UserPoolAddOns": {
232
+ "AdvancedSecurityMode": "ENFORCED"
233
+ },
234
+ "VerificationMessageTemplate": {
235
+ "DefaultEmailOption": "CONFIRM_WITH_CODE",
236
+ "EmailMessage": "The verification code to your new account is {####}",
237
+ "EmailSubject": "Verify your new account",
238
+ "SmsMessage": "The verification code to your new account is {####}"
239
+ }
240
+ },
241
+ "UpdateReplacePolicy": "Retain",
242
+ "DeletionPolicy": "Retain"
243
+ },
244
+ "testlambdaopensearchCognitoUserPoolClient39C21D94": {
245
+ "Type": "AWS::Cognito::UserPoolClient",
246
+ "Properties": {
247
+ "UserPoolId": {
248
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
249
+ },
250
+ "AllowedOAuthFlows": [
251
+ "implicit",
252
+ "code"
253
+ ],
254
+ "AllowedOAuthFlowsUserPoolClient": true,
255
+ "AllowedOAuthScopes": [
256
+ "profile",
257
+ "phone",
258
+ "email",
259
+ "openid",
260
+ "aws.cognito.signin.user.admin"
261
+ ],
262
+ "CallbackURLs": [
263
+ "https://example.com"
264
+ ],
265
+ "SupportedIdentityProviders": [
266
+ "COGNITO"
267
+ ]
268
+ }
269
+ },
270
+ "testlambdaopensearchCognitoIdentityPool0B1FB311": {
271
+ "Type": "AWS::Cognito::IdentityPool",
272
+ "Properties": {
273
+ "AllowUnauthenticatedIdentities": false,
274
+ "CognitoIdentityProviders": [
275
+ {
276
+ "ClientId": {
277
+ "Ref": "testlambdaopensearchCognitoUserPoolClient39C21D94"
278
+ },
279
+ "ProviderName": {
280
+ "Fn::GetAtt": [
281
+ "testlambdaopensearchCognitoUserPoolA09096F9",
282
+ "ProviderName"
283
+ ]
284
+ },
285
+ "ServerSideTokenCheck": true
286
+ }
287
+ ]
288
+ }
289
+ },
290
+ "testlambdaopensearchUserPoolDomain98864920": {
291
+ "Type": "AWS::Cognito::UserPoolDomain",
292
+ "Properties": {
293
+ "Domain": "deploytestwithvpcprops",
294
+ "UserPoolId": {
295
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
296
+ }
297
+ },
298
+ "DependsOn": [
299
+ "testlambdaopensearchCognitoUserPoolA09096F9"
300
+ ]
301
+ },
302
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44": {
303
+ "Type": "AWS::IAM::Role",
304
+ "Properties": {
305
+ "AssumeRolePolicyDocument": {
306
+ "Statement": [
307
+ {
308
+ "Action": "sts:AssumeRoleWithWebIdentity",
309
+ "Condition": {
310
+ "StringEquals": {
311
+ "cognito-identity.amazonaws.com:aud": {
312
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
313
+ }
314
+ },
315
+ "ForAnyValue:StringLike": {
316
+ "cognito-identity.amazonaws.com:amr": "authenticated"
317
+ }
318
+ },
319
+ "Effect": "Allow",
320
+ "Principal": {
321
+ "Federated": "cognito-identity.amazonaws.com"
322
+ }
323
+ }
324
+ ],
325
+ "Version": "2012-10-17"
326
+ },
327
+ "Policies": [
328
+ {
329
+ "PolicyDocument": {
330
+ "Statement": [
331
+ {
332
+ "Action": "es:ESHttp*",
333
+ "Effect": "Allow",
334
+ "Resource": {
335
+ "Fn::Join": [
336
+ "",
337
+ [
338
+ "arn:",
339
+ {
340
+ "Ref": "AWS::Partition"
341
+ },
342
+ ":es:",
343
+ {
344
+ "Ref": "AWS::Region"
345
+ },
346
+ ":",
347
+ {
348
+ "Ref": "AWS::AccountId"
349
+ },
350
+ ":domain/deploytestwithvpcprops/*"
351
+ ]
352
+ ]
353
+ }
354
+ }
355
+ ],
356
+ "Version": "2012-10-17"
357
+ },
358
+ "PolicyName": "CognitoAccessPolicy"
359
+ }
360
+ ]
361
+ }
362
+ },
363
+ "testlambdaopensearchIdentityPoolRoleMappingD8C765B1": {
364
+ "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
365
+ "Properties": {
366
+ "IdentityPoolId": {
367
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
368
+ },
369
+ "Roles": {
370
+ "authenticated": {
371
+ "Fn::GetAtt": [
372
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44",
373
+ "Arn"
374
+ ]
375
+ }
376
+ }
377
+ }
378
+ },
379
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A": {
380
+ "Type": "AWS::IAM::Role",
381
+ "Properties": {
382
+ "AssumeRolePolicyDocument": {
383
+ "Statement": [
384
+ {
385
+ "Action": "sts:AssumeRole",
386
+ "Effect": "Allow",
387
+ "Principal": {
388
+ "Service": "es.amazonaws.com"
389
+ }
390
+ }
391
+ ],
392
+ "Version": "2012-10-17"
393
+ }
394
+ }
395
+ },
396
+ "testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2": {
397
+ "Type": "AWS::IAM::Policy",
398
+ "Properties": {
399
+ "PolicyDocument": {
400
+ "Statement": [
401
+ {
402
+ "Action": [
403
+ "cognito-idp:DescribeUserPool",
404
+ "cognito-idp:CreateUserPoolClient",
405
+ "cognito-idp:DeleteUserPoolClient",
406
+ "cognito-idp:DescribeUserPoolClient",
407
+ "cognito-idp:AdminInitiateAuth",
408
+ "cognito-idp:AdminUserGlobalSignOut",
409
+ "cognito-idp:ListUserPoolClients",
410
+ "cognito-identity:DescribeIdentityPool",
411
+ "cognito-identity:UpdateIdentityPool",
412
+ "cognito-identity:SetIdentityPoolRoles",
413
+ "cognito-identity:GetIdentityPoolRoles",
414
+ "es:UpdateDomainConfig"
415
+ ],
416
+ "Effect": "Allow",
417
+ "Resource": [
418
+ {
419
+ "Fn::GetAtt": [
420
+ "testlambdaopensearchCognitoUserPoolA09096F9",
421
+ "Arn"
422
+ ]
423
+ },
424
+ {
425
+ "Fn::Join": [
426
+ "",
427
+ [
428
+ "arn:aws:cognito-identity:",
429
+ {
430
+ "Ref": "AWS::Region"
431
+ },
432
+ ":",
433
+ {
434
+ "Ref": "AWS::AccountId"
435
+ },
436
+ ":identitypool/",
437
+ {
438
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
439
+ }
440
+ ]
441
+ ]
442
+ },
443
+ {
444
+ "Fn::Join": [
445
+ "",
446
+ [
447
+ "arn:aws:es:",
448
+ {
449
+ "Ref": "AWS::Region"
450
+ },
451
+ ":",
452
+ {
453
+ "Ref": "AWS::AccountId"
454
+ },
455
+ ":domain/deploytestwithvpcprops"
456
+ ]
457
+ ]
458
+ }
459
+ ]
460
+ },
461
+ {
462
+ "Action": "iam:PassRole",
463
+ "Condition": {
464
+ "StringLike": {
465
+ "iam:PassedToService": "cognito-identity.amazonaws.com"
466
+ }
467
+ },
468
+ "Effect": "Allow",
469
+ "Resource": {
470
+ "Fn::GetAtt": [
471
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A",
472
+ "Arn"
473
+ ]
474
+ }
475
+ }
476
+ ],
477
+ "Version": "2012-10-17"
478
+ },
479
+ "PolicyName": "testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2",
480
+ "Roles": [
481
+ {
482
+ "Ref": "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A"
483
+ }
484
+ ]
485
+ }
486
+ },
487
+ "testlambdaopensearchOpenSearchDomainF9CCC3D3": {
488
+ "Type": "AWS::OpenSearchService::Domain",
489
+ "Properties": {
490
+ "AccessPolicies": {
491
+ "Statement": [
492
+ {
493
+ "Action": "es:ESHttp*",
494
+ "Effect": "Allow",
495
+ "Principal": {
496
+ "AWS": [
497
+ {
498
+ "Fn::GetAtt": [
499
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44",
500
+ "Arn"
501
+ ]
502
+ },
503
+ {
504
+ "Fn::GetAtt": [
505
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
506
+ "Arn"
507
+ ]
508
+ }
509
+ ]
510
+ },
511
+ "Resource": {
512
+ "Fn::Join": [
513
+ "",
514
+ [
515
+ "arn:aws:es:",
516
+ {
517
+ "Ref": "AWS::Region"
518
+ },
519
+ ":",
520
+ {
521
+ "Ref": "AWS::AccountId"
522
+ },
523
+ ":domain/deploytestwithvpcprops/*"
524
+ ]
525
+ ]
526
+ }
527
+ }
528
+ ],
529
+ "Version": "2012-10-17"
530
+ },
531
+ "ClusterConfig": {
532
+ "DedicatedMasterCount": 3,
533
+ "DedicatedMasterEnabled": true,
534
+ "InstanceCount": 3,
535
+ "ZoneAwarenessConfig": {
536
+ "AvailabilityZoneCount": 3
537
+ },
538
+ "ZoneAwarenessEnabled": true
539
+ },
540
+ "CognitoOptions": {
541
+ "Enabled": true,
542
+ "IdentityPoolId": {
543
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
544
+ },
545
+ "RoleArn": {
546
+ "Fn::GetAtt": [
547
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A",
548
+ "Arn"
549
+ ]
550
+ },
551
+ "UserPoolId": {
552
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
553
+ }
554
+ },
555
+ "DomainName": "deploytestwithvpcprops",
556
+ "EBSOptions": {
557
+ "EBSEnabled": true,
558
+ "VolumeSize": 10
559
+ },
560
+ "EncryptionAtRestOptions": {
561
+ "Enabled": true
562
+ },
563
+ "EngineVersion": "OpenSearch_1.3",
564
+ "NodeToNodeEncryptionOptions": {
565
+ "Enabled": true
566
+ },
567
+ "SnapshotOptions": {
568
+ "AutomatedSnapshotStartHour": 1
569
+ },
570
+ "VPCOptions": {
571
+ "SecurityGroupIds": [
572
+ {
573
+ "Fn::GetAtt": [
574
+ "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC",
575
+ "GroupId"
576
+ ]
577
+ }
578
+ ],
579
+ "SubnetIds": [
580
+ {
581
+ "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
582
+ },
583
+ {
584
+ "Ref": "VpcisolatedSubnet2Subnet39217055"
585
+ },
586
+ {
587
+ "Ref": "VpcisolatedSubnet3Subnet44F2537D"
588
+ }
589
+ ]
590
+ }
591
+ },
592
+ "Metadata": {
593
+ "cfn_nag": {
594
+ "rules_to_suppress": [
595
+ {
596
+ "id": "W28",
597
+ "reason": "The OpenSearch Service domain is passed dynamically as as parameter and explicitly specified to ensure that IAM policies are configured to lockdown access to this specific OpenSearch Service instance only"
598
+ },
599
+ {
600
+ "id": "W90",
601
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
602
+ }
603
+ ]
604
+ }
605
+ }
606
+ },
607
+ "testlambdaopensearchStatusRedAlarm1627144D": {
608
+ "Type": "AWS::CloudWatch::Alarm",
609
+ "Properties": {
610
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
611
+ "EvaluationPeriods": 1,
612
+ "AlarmDescription": "At least one primary shard and its replicas are not allocated to a node. ",
613
+ "MetricName": "ClusterStatus.red",
614
+ "Namespace": "AWS/ES",
615
+ "Period": 60,
616
+ "Statistic": "Maximum",
617
+ "Threshold": 1
618
+ }
619
+ },
620
+ "testlambdaopensearchStatusYellowAlarm57139CF0": {
621
+ "Type": "AWS::CloudWatch::Alarm",
622
+ "Properties": {
623
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
624
+ "EvaluationPeriods": 1,
625
+ "AlarmDescription": "At least one replica shard is not allocated to a node.",
626
+ "MetricName": "ClusterStatus.yellow",
627
+ "Namespace": "AWS/ES",
628
+ "Period": 60,
629
+ "Statistic": "Maximum",
630
+ "Threshold": 1
631
+ }
632
+ },
633
+ "testlambdaopensearchFreeStorageSpaceTooLowAlarm6A5E1E96": {
634
+ "Type": "AWS::CloudWatch::Alarm",
635
+ "Properties": {
636
+ "ComparisonOperator": "LessThanOrEqualToThreshold",
637
+ "EvaluationPeriods": 1,
638
+ "AlarmDescription": "A node in your cluster is down to 20 GiB of free storage space.",
639
+ "MetricName": "FreeStorageSpace",
640
+ "Namespace": "AWS/ES",
641
+ "Period": 60,
642
+ "Statistic": "Minimum",
643
+ "Threshold": 20000
644
+ }
645
+ },
646
+ "testlambdaopensearchIndexWritesBlockedTooHighAlarmD2E041A3": {
647
+ "Type": "AWS::CloudWatch::Alarm",
648
+ "Properties": {
649
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
650
+ "EvaluationPeriods": 1,
651
+ "AlarmDescription": "Your cluster is blocking write requests.",
652
+ "MetricName": "ClusterIndexWritesBlocked",
653
+ "Namespace": "AWS/ES",
654
+ "Period": 300,
655
+ "Statistic": "Maximum",
656
+ "Threshold": 1
657
+ }
658
+ },
659
+ "testlambdaopensearchAutomatedSnapshotFailureTooHighAlarm9A4D0B1F": {
660
+ "Type": "AWS::CloudWatch::Alarm",
661
+ "Properties": {
662
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
663
+ "EvaluationPeriods": 1,
664
+ "AlarmDescription": "An automated snapshot failed. This failure is often the result of a red cluster health status.",
665
+ "MetricName": "AutomatedSnapshotFailure",
666
+ "Namespace": "AWS/ES",
667
+ "Period": 60,
668
+ "Statistic": "Maximum",
669
+ "Threshold": 1
670
+ }
671
+ },
672
+ "testlambdaopensearchCPUUtilizationTooHighAlarmC4850758": {
673
+ "Type": "AWS::CloudWatch::Alarm",
674
+ "Properties": {
675
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
676
+ "EvaluationPeriods": 3,
677
+ "AlarmDescription": "100% CPU utilization is not uncommon, but sustained high usage is problematic. Consider using larger instance types or adding instances.",
678
+ "MetricName": "CPUUtilization",
679
+ "Namespace": "AWS/ES",
680
+ "Period": 900,
681
+ "Statistic": "Average",
682
+ "Threshold": 80
683
+ }
684
+ },
685
+ "testlambdaopensearchJVMMemoryPressureTooHighAlarmEFB09A7C": {
686
+ "Type": "AWS::CloudWatch::Alarm",
687
+ "Properties": {
688
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
689
+ "EvaluationPeriods": 1,
690
+ "AlarmDescription": "Average JVM memory pressure over last 15 minutes too high. Consider scaling vertically.",
691
+ "MetricName": "JVMMemoryPressure",
692
+ "Namespace": "AWS/ES",
693
+ "Period": 900,
694
+ "Statistic": "Average",
695
+ "Threshold": 80
696
+ }
697
+ },
698
+ "testlambdaopensearchMasterCPUUtilizationTooHighAlarm124D5748": {
699
+ "Type": "AWS::CloudWatch::Alarm",
700
+ "Properties": {
701
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
702
+ "EvaluationPeriods": 3,
703
+ "AlarmDescription": "Average CPU utilization over last 45 minutes too high. Consider using larger instance types for your dedicated master nodes.",
704
+ "MetricName": "MasterCPUUtilization",
705
+ "Namespace": "AWS/ES",
706
+ "Period": 900,
707
+ "Statistic": "Average",
708
+ "Threshold": 50
709
+ }
710
+ },
711
+ "testlambdaopensearchMasterJVMMemoryPressureTooHighAlarmBC9524D3": {
712
+ "Type": "AWS::CloudWatch::Alarm",
713
+ "Properties": {
714
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
715
+ "EvaluationPeriods": 1,
716
+ "AlarmDescription": "Average JVM memory pressure over last 15 minutes too high. Consider scaling vertically.",
717
+ "MetricName": "MasterJVMMemoryPressure",
718
+ "Namespace": "AWS/ES",
719
+ "Period": 900,
720
+ "Statistic": "Average",
721
+ "Threshold": 50
722
+ }
723
+ },
724
+ "Vpc8378EB38": {
725
+ "Type": "AWS::EC2::VPC",
726
+ "Properties": {
727
+ "CidrBlock": "172.168.0.0/16",
728
+ "EnableDnsHostnames": true,
729
+ "EnableDnsSupport": true,
730
+ "InstanceTenancy": "default",
731
+ "Tags": [
732
+ {
733
+ "Key": "Name",
734
+ "Value": "vpc-props/Vpc"
735
+ }
736
+ ]
737
+ }
738
+ },
739
+ "VpcisolatedSubnet1SubnetE62B1B9B": {
740
+ "Type": "AWS::EC2::Subnet",
741
+ "Properties": {
742
+ "VpcId": {
743
+ "Ref": "Vpc8378EB38"
744
+ },
745
+ "AvailabilityZone": "test-region-1a",
746
+ "CidrBlock": "172.168.0.0/18",
747
+ "MapPublicIpOnLaunch": false,
748
+ "Tags": [
749
+ {
750
+ "Key": "aws-cdk:subnet-name",
751
+ "Value": "isolated"
752
+ },
753
+ {
754
+ "Key": "aws-cdk:subnet-type",
755
+ "Value": "Isolated"
756
+ },
757
+ {
758
+ "Key": "Name",
759
+ "Value": "vpc-props/Vpc/isolatedSubnet1"
760
+ }
761
+ ]
762
+ }
763
+ },
764
+ "VpcisolatedSubnet1RouteTableE442650B": {
765
+ "Type": "AWS::EC2::RouteTable",
766
+ "Properties": {
767
+ "VpcId": {
768
+ "Ref": "Vpc8378EB38"
769
+ },
770
+ "Tags": [
771
+ {
772
+ "Key": "Name",
773
+ "Value": "vpc-props/Vpc/isolatedSubnet1"
774
+ }
775
+ ]
776
+ }
777
+ },
778
+ "VpcisolatedSubnet1RouteTableAssociationD259E31A": {
779
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
780
+ "Properties": {
781
+ "RouteTableId": {
782
+ "Ref": "VpcisolatedSubnet1RouteTableE442650B"
783
+ },
784
+ "SubnetId": {
785
+ "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
786
+ }
787
+ }
788
+ },
789
+ "VpcisolatedSubnet2Subnet39217055": {
790
+ "Type": "AWS::EC2::Subnet",
791
+ "Properties": {
792
+ "VpcId": {
793
+ "Ref": "Vpc8378EB38"
794
+ },
795
+ "AvailabilityZone": "test-region-1b",
796
+ "CidrBlock": "172.168.64.0/18",
797
+ "MapPublicIpOnLaunch": false,
798
+ "Tags": [
799
+ {
800
+ "Key": "aws-cdk:subnet-name",
801
+ "Value": "isolated"
802
+ },
803
+ {
804
+ "Key": "aws-cdk:subnet-type",
805
+ "Value": "Isolated"
806
+ },
807
+ {
808
+ "Key": "Name",
809
+ "Value": "vpc-props/Vpc/isolatedSubnet2"
810
+ }
811
+ ]
812
+ }
813
+ },
814
+ "VpcisolatedSubnet2RouteTable334F9764": {
815
+ "Type": "AWS::EC2::RouteTable",
816
+ "Properties": {
817
+ "VpcId": {
818
+ "Ref": "Vpc8378EB38"
819
+ },
820
+ "Tags": [
821
+ {
822
+ "Key": "Name",
823
+ "Value": "vpc-props/Vpc/isolatedSubnet2"
824
+ }
825
+ ]
826
+ }
827
+ },
828
+ "VpcisolatedSubnet2RouteTableAssociation25A4716F": {
829
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
830
+ "Properties": {
831
+ "RouteTableId": {
832
+ "Ref": "VpcisolatedSubnet2RouteTable334F9764"
833
+ },
834
+ "SubnetId": {
835
+ "Ref": "VpcisolatedSubnet2Subnet39217055"
836
+ }
837
+ }
838
+ },
839
+ "VpcisolatedSubnet3Subnet44F2537D": {
840
+ "Type": "AWS::EC2::Subnet",
841
+ "Properties": {
842
+ "VpcId": {
843
+ "Ref": "Vpc8378EB38"
844
+ },
845
+ "AvailabilityZone": "test-region-1c",
846
+ "CidrBlock": "172.168.128.0/18",
847
+ "MapPublicIpOnLaunch": false,
848
+ "Tags": [
849
+ {
850
+ "Key": "aws-cdk:subnet-name",
851
+ "Value": "isolated"
852
+ },
853
+ {
854
+ "Key": "aws-cdk:subnet-type",
855
+ "Value": "Isolated"
856
+ },
857
+ {
858
+ "Key": "Name",
859
+ "Value": "vpc-props/Vpc/isolatedSubnet3"
860
+ }
861
+ ]
862
+ }
863
+ },
864
+ "VpcisolatedSubnet3RouteTableA2F6BBC0": {
865
+ "Type": "AWS::EC2::RouteTable",
866
+ "Properties": {
867
+ "VpcId": {
868
+ "Ref": "Vpc8378EB38"
869
+ },
870
+ "Tags": [
871
+ {
872
+ "Key": "Name",
873
+ "Value": "vpc-props/Vpc/isolatedSubnet3"
874
+ }
875
+ ]
876
+ }
877
+ },
878
+ "VpcisolatedSubnet3RouteTableAssociationDC010BEB": {
879
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
880
+ "Properties": {
881
+ "RouteTableId": {
882
+ "Ref": "VpcisolatedSubnet3RouteTableA2F6BBC0"
883
+ },
884
+ "SubnetId": {
885
+ "Ref": "VpcisolatedSubnet3Subnet44F2537D"
886
+ }
887
+ }
888
+ },
889
+ "VpcFlowLogIAMRole6A475D41": {
890
+ "Type": "AWS::IAM::Role",
891
+ "Properties": {
892
+ "AssumeRolePolicyDocument": {
893
+ "Statement": [
894
+ {
895
+ "Action": "sts:AssumeRole",
896
+ "Effect": "Allow",
897
+ "Principal": {
898
+ "Service": "vpc-flow-logs.amazonaws.com"
899
+ }
900
+ }
901
+ ],
902
+ "Version": "2012-10-17"
903
+ },
904
+ "Tags": [
905
+ {
906
+ "Key": "Name",
907
+ "Value": "vpc-props/Vpc"
908
+ }
909
+ ]
910
+ }
911
+ },
912
+ "VpcFlowLogIAMRoleDefaultPolicy406FB995": {
913
+ "Type": "AWS::IAM::Policy",
914
+ "Properties": {
915
+ "PolicyDocument": {
916
+ "Statement": [
917
+ {
918
+ "Action": [
919
+ "logs:CreateLogStream",
920
+ "logs:PutLogEvents",
921
+ "logs:DescribeLogStreams"
922
+ ],
923
+ "Effect": "Allow",
924
+ "Resource": {
925
+ "Fn::GetAtt": [
926
+ "VpcFlowLogLogGroup7B5C56B9",
927
+ "Arn"
928
+ ]
929
+ }
930
+ },
931
+ {
932
+ "Action": "iam:PassRole",
933
+ "Effect": "Allow",
934
+ "Resource": {
935
+ "Fn::GetAtt": [
936
+ "VpcFlowLogIAMRole6A475D41",
937
+ "Arn"
938
+ ]
939
+ }
940
+ }
941
+ ],
942
+ "Version": "2012-10-17"
943
+ },
944
+ "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995",
945
+ "Roles": [
946
+ {
947
+ "Ref": "VpcFlowLogIAMRole6A475D41"
948
+ }
949
+ ]
950
+ }
951
+ },
952
+ "VpcFlowLogLogGroup7B5C56B9": {
953
+ "Type": "AWS::Logs::LogGroup",
954
+ "Properties": {
955
+ "RetentionInDays": 731,
956
+ "Tags": [
957
+ {
958
+ "Key": "Name",
959
+ "Value": "vpc-props/Vpc"
960
+ }
961
+ ]
962
+ },
963
+ "UpdateReplacePolicy": "Retain",
964
+ "DeletionPolicy": "Retain",
965
+ "Metadata": {
966
+ "cfn_nag": {
967
+ "rules_to_suppress": [
968
+ {
969
+ "id": "W84",
970
+ "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)"
971
+ }
972
+ ]
973
+ }
974
+ }
975
+ },
976
+ "VpcFlowLog8FF33A73": {
977
+ "Type": "AWS::EC2::FlowLog",
978
+ "Properties": {
979
+ "ResourceId": {
980
+ "Ref": "Vpc8378EB38"
981
+ },
982
+ "ResourceType": "VPC",
983
+ "TrafficType": "ALL",
984
+ "DeliverLogsPermissionArn": {
985
+ "Fn::GetAtt": [
986
+ "VpcFlowLogIAMRole6A475D41",
987
+ "Arn"
988
+ ]
989
+ },
990
+ "LogDestinationType": "cloud-watch-logs",
991
+ "LogGroupName": {
992
+ "Ref": "VpcFlowLogLogGroup7B5C56B9"
993
+ },
994
+ "Tags": [
995
+ {
996
+ "Key": "Name",
997
+ "Value": "vpc-props/Vpc"
998
+ }
999
+ ]
1000
+ }
1001
+ }
1002
+ },
1003
+ "Parameters": {
1004
+ "BootstrapVersion": {
1005
+ "Type": "AWS::SSM::Parameter::Value<String>",
1006
+ "Default": "/cdk-bootstrap/hnb659fds/version",
1007
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
1008
+ }
1009
+ },
1010
+ "Rules": {
1011
+ "CheckBootstrapVersion": {
1012
+ "Assertions": [
1013
+ {
1014
+ "Assert": {
1015
+ "Fn::Not": [
1016
+ {
1017
+ "Fn::Contains": [
1018
+ [
1019
+ "1",
1020
+ "2",
1021
+ "3",
1022
+ "4",
1023
+ "5"
1024
+ ],
1025
+ {
1026
+ "Ref": "BootstrapVersion"
1027
+ }
1028
+ ]
1029
+ }
1030
+ ]
1031
+ },
1032
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
1033
+ }
1034
+ ]
1035
+ }
1036
+ }
1037
+ }
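Review bot: The domain access policy (gutter lines 493–526) and the `CognitoAccessPolicy` on the authenticated role (gutter lines 332–352) both allow `es:ESHttp*` on `domain/deploytestwithvpcprops/*`, so every signed-in user-pool user and the Lambda execution role can issue every HTTP verb, including DELETE and PUT, against all indices; the domain properties shown set no `AdvancedSecurityOptions` that would narrow this. If the function only reads and indexes documents, listing the verbs would be tighter, for example `"Action": ["es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]`, with a separate statement for the Cognito role. The same access policy and the dashboard-configure policy hard-code `arn:aws:es:` and `arn:aws:cognito-identity:` (gutter lines 428, 447, 515) while the two role policies use `{"Ref": "AWS::Partition"}`, so the resource ARNs would not match outside the `aws` partition. This file looks like synthesized CDK output, so both changes presumably belong in the construct source rather than in this template.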