@aws-solutions-constructs/aws-lambda-opensearch 2.26.0

@@ -0,0 +1,982 @@
1
+ {
2
+ "Resources": {
3
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A": {
4
+ "Type": "AWS::IAM::Role",
5
+ "Properties": {
6
+ "AssumeRolePolicyDocument": {
7
+ "Statement": [
8
+ {
9
+ "Action": "sts:AssumeRole",
10
+ "Effect": "Allow",
11
+ "Principal": {
12
+ "Service": "lambda.amazonaws.com"
13
+ }
14
+ }
15
+ ],
16
+ "Version": "2012-10-17"
17
+ },
18
+ "Policies": [
19
+ {
20
+ "PolicyDocument": {
21
+ "Statement": [
22
+ {
23
+ "Action": [
24
+ "logs:CreateLogGroup",
25
+ "logs:CreateLogStream",
26
+ "logs:PutLogEvents"
27
+ ],
28
+ "Effect": "Allow",
29
+ "Resource": {
30
+ "Fn::Join": [
31
+ "",
32
+ [
33
+ "arn:",
34
+ {
35
+ "Ref": "AWS::Partition"
36
+ },
37
+ ":logs:",
38
+ {
39
+ "Ref": "AWS::Region"
40
+ },
41
+ ":",
42
+ {
43
+ "Ref": "AWS::AccountId"
44
+ },
45
+ ":log-group:/aws/lambda/*"
46
+ ]
47
+ ]
48
+ }
49
+ }
50
+ ],
51
+ "Version": "2012-10-17"
52
+ },
53
+ "PolicyName": "LambdaFunctionServiceRolePolicy"
54
+ }
55
+ ]
56
+ }
57
+ },
58
+ "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359": {
59
+ "Type": "AWS::IAM::Policy",
60
+ "Properties": {
61
+ "PolicyDocument": {
62
+ "Statement": [
63
+ {
64
+ "Action": [
65
+ "ec2:CreateNetworkInterface",
66
+ "ec2:DescribeNetworkInterfaces",
67
+ "ec2:DeleteNetworkInterface",
68
+ "ec2:AssignPrivateIpAddresses",
69
+ "ec2:UnassignPrivateIpAddresses"
70
+ ],
71
+ "Effect": "Allow",
72
+ "Resource": "*"
73
+ },
74
+ {
75
+ "Action": [
76
+ "xray:PutTraceSegments",
77
+ "xray:PutTelemetryRecords"
78
+ ],
79
+ "Effect": "Allow",
80
+ "Resource": "*"
81
+ }
82
+ ],
83
+ "Version": "2012-10-17"
84
+ },
85
+ "PolicyName": "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359",
86
+ "Roles": [
87
+ {
88
+ "Ref": "testlambdaopensearchLambdaFunctionServiceRole4722AB8A"
89
+ }
90
+ ]
91
+ },
92
+ "Metadata": {
93
+ "cfn_nag": {
94
+ "rules_to_suppress": [
95
+ {
96
+ "id": "W12",
97
+ "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC."
98
+ }
99
+ ]
100
+ }
101
+ }
102
+ },
103
+ "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC": {
104
+ "Type": "AWS::EC2::SecurityGroup",
105
+ "Properties": {
106
+ "GroupDescription": "cluster-config/test-lambda-opensearch/ReplaceDefaultSecurityGroup-security-group",
107
+ "SecurityGroupEgress": [
108
+ {
109
+ "CidrIp": "0.0.0.0/0",
110
+ "Description": "Allow all outbound traffic by default",
111
+ "IpProtocol": "-1"
112
+ }
113
+ ],
114
+ "VpcId": {
115
+ "Ref": "Vpc8378EB38"
116
+ }
117
+ },
118
+ "Metadata": {
119
+ "cfn_nag": {
120
+ "rules_to_suppress": [
121
+ {
122
+ "id": "W5",
123
+ "reason": "Egress of 0.0.0.0/0 is default and generally considered OK"
124
+ },
125
+ {
126
+ "id": "W40",
127
+ "reason": "Egress IPProtocol of -1 is default and generally considered OK"
128
+ }
129
+ ]
130
+ }
131
+ }
132
+ },
133
+ "testlambdaopensearchLambdaFunction93FD38F7": {
134
+ "Type": "AWS::Lambda::Function",
135
+ "Properties": {
136
+ "Code": {
137
+ "S3Bucket": {
138
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
139
+ },
140
+ "S3Key": "abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290.zip"
141
+ },
142
+ "Role": {
143
+ "Fn::GetAtt": [
144
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
145
+ "Arn"
146
+ ]
147
+ },
148
+ "Environment": {
149
+ "Variables": {
150
+ "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1",
151
+ "DOMAIN_ENDPOINT": {
152
+ "Fn::GetAtt": [
153
+ "testlambdaopensearchOpenSearchDomainF9CCC3D3",
154
+ "DomainEndpoint"
155
+ ]
156
+ }
157
+ }
158
+ },
159
+ "Handler": "index.handler",
160
+ "Runtime": "nodejs14.x",
161
+ "TracingConfig": {
162
+ "Mode": "Active"
163
+ },
164
+ "VpcConfig": {
165
+ "SecurityGroupIds": [
166
+ {
167
+ "Fn::GetAtt": [
168
+ "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC",
169
+ "GroupId"
170
+ ]
171
+ }
172
+ ],
173
+ "SubnetIds": [
174
+ {
175
+ "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
176
+ },
177
+ {
178
+ "Ref": "VpcisolatedSubnet2Subnet39217055"
179
+ }
180
+ ]
181
+ }
182
+ },
183
+ "DependsOn": [
184
+ "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359",
185
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
186
+ "VpcisolatedSubnet1RouteTableAssociationD259E31A",
187
+ "VpcisolatedSubnet2RouteTableAssociation25A4716F"
188
+ ],
189
+ "Metadata": {
190
+ "cfn_nag": {
191
+ "rules_to_suppress": [
192
+ {
193
+ "id": "W58",
194
+ "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions."
195
+ },
196
+ {
197
+ "id": "W89",
198
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
199
+ },
200
+ {
201
+ "id": "W92",
202
+ "reason": "Impossible for us to define the correct concurrency for clients"
203
+ }
204
+ ]
205
+ }
206
+ }
207
+ },
208
+ "testlambdaopensearchCognitoUserPoolA09096F9": {
209
+ "Type": "AWS::Cognito::UserPool",
210
+ "Properties": {
211
+ "AccountRecoverySetting": {
212
+ "RecoveryMechanisms": [
213
+ {
214
+ "Name": "verified_phone_number",
215
+ "Priority": 1
216
+ },
217
+ {
218
+ "Name": "verified_email",
219
+ "Priority": 2
220
+ }
221
+ ]
222
+ },
223
+ "AdminCreateUserConfig": {
224
+ "AllowAdminCreateUserOnly": true
225
+ },
226
+ "EmailVerificationMessage": "The verification code to your new account is {####}",
227
+ "EmailVerificationSubject": "Verify your new account",
228
+ "SmsVerificationMessage": "The verification code to your new account is {####}",
229
+ "UserPoolAddOns": {
230
+ "AdvancedSecurityMode": "ENFORCED"
231
+ },
232
+ "VerificationMessageTemplate": {
233
+ "DefaultEmailOption": "CONFIRM_WITH_CODE",
234
+ "EmailMessage": "The verification code to your new account is {####}",
235
+ "EmailSubject": "Verify your new account",
236
+ "SmsMessage": "The verification code to your new account is {####}"
237
+ }
238
+ },
239
+ "UpdateReplacePolicy": "Retain",
240
+ "DeletionPolicy": "Retain"
241
+ },
242
+ "testlambdaopensearchCognitoUserPoolClient39C21D94": {
243
+ "Type": "AWS::Cognito::UserPoolClient",
244
+ "Properties": {
245
+ "UserPoolId": {
246
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
247
+ },
248
+ "AllowedOAuthFlows": [
249
+ "implicit",
250
+ "code"
251
+ ],
252
+ "AllowedOAuthFlowsUserPoolClient": true,
253
+ "AllowedOAuthScopes": [
254
+ "profile",
255
+ "phone",
256
+ "email",
257
+ "openid",
258
+ "aws.cognito.signin.user.admin"
259
+ ],
260
+ "CallbackURLs": [
261
+ "https://example.com"
262
+ ],
263
+ "SupportedIdentityProviders": [
264
+ "COGNITO"
265
+ ]
266
+ }
267
+ },
268
+ "testlambdaopensearchCognitoIdentityPool0B1FB311": {
269
+ "Type": "AWS::Cognito::IdentityPool",
270
+ "Properties": {
271
+ "AllowUnauthenticatedIdentities": false,
272
+ "CognitoIdentityProviders": [
273
+ {
274
+ "ClientId": {
275
+ "Ref": "testlambdaopensearchCognitoUserPoolClient39C21D94"
276
+ },
277
+ "ProviderName": {
278
+ "Fn::GetAtt": [
279
+ "testlambdaopensearchCognitoUserPoolA09096F9",
280
+ "ProviderName"
281
+ ]
282
+ },
283
+ "ServerSideTokenCheck": true
284
+ }
285
+ ]
286
+ }
287
+ },
288
+ "testlambdaopensearchUserPoolDomain98864920": {
289
+ "Type": "AWS::Cognito::UserPoolDomain",
290
+ "Properties": {
291
+ "Domain": "deploytestwithclusterconfig",
292
+ "UserPoolId": {
293
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
294
+ }
295
+ },
296
+ "DependsOn": [
297
+ "testlambdaopensearchCognitoUserPoolA09096F9"
298
+ ]
299
+ },
300
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44": {
301
+ "Type": "AWS::IAM::Role",
302
+ "Properties": {
303
+ "AssumeRolePolicyDocument": {
304
+ "Statement": [
305
+ {
306
+ "Action": "sts:AssumeRoleWithWebIdentity",
307
+ "Condition": {
308
+ "StringEquals": {
309
+ "cognito-identity.amazonaws.com:aud": {
310
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
311
+ }
312
+ },
313
+ "ForAnyValue:StringLike": {
314
+ "cognito-identity.amazonaws.com:amr": "authenticated"
315
+ }
316
+ },
317
+ "Effect": "Allow",
318
+ "Principal": {
319
+ "Federated": "cognito-identity.amazonaws.com"
320
+ }
321
+ }
322
+ ],
323
+ "Version": "2012-10-17"
324
+ },
325
+ "Policies": [
326
+ {
327
+ "PolicyDocument": {
328
+ "Statement": [
329
+ {
330
+ "Action": "es:ESHttp*",
331
+ "Effect": "Allow",
332
+ "Resource": {
333
+ "Fn::Join": [
334
+ "",
335
+ [
336
+ "arn:",
337
+ {
338
+ "Ref": "AWS::Partition"
339
+ },
340
+ ":es:",
341
+ {
342
+ "Ref": "AWS::Region"
343
+ },
344
+ ":",
345
+ {
346
+ "Ref": "AWS::AccountId"
347
+ },
348
+ ":domain/deploytestwithclusterconfig/*"
349
+ ]
350
+ ]
351
+ }
352
+ }
353
+ ],
354
+ "Version": "2012-10-17"
355
+ },
356
+ "PolicyName": "CognitoAccessPolicy"
357
+ }
358
+ ]
359
+ }
360
+ },
361
+ "testlambdaopensearchIdentityPoolRoleMappingD8C765B1": {
362
+ "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
363
+ "Properties": {
364
+ "IdentityPoolId": {
365
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
366
+ },
367
+ "Roles": {
368
+ "authenticated": {
369
+ "Fn::GetAtt": [
370
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44",
371
+ "Arn"
372
+ ]
373
+ }
374
+ }
375
+ }
376
+ },
377
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A": {
378
+ "Type": "AWS::IAM::Role",
379
+ "Properties": {
380
+ "AssumeRolePolicyDocument": {
381
+ "Statement": [
382
+ {
383
+ "Action": "sts:AssumeRole",
384
+ "Effect": "Allow",
385
+ "Principal": {
386
+ "Service": "es.amazonaws.com"
387
+ }
388
+ }
389
+ ],
390
+ "Version": "2012-10-17"
391
+ }
392
+ }
393
+ },
394
+ "testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2": {
395
+ "Type": "AWS::IAM::Policy",
396
+ "Properties": {
397
+ "PolicyDocument": {
398
+ "Statement": [
399
+ {
400
+ "Action": [
401
+ "cognito-idp:DescribeUserPool",
402
+ "cognito-idp:CreateUserPoolClient",
403
+ "cognito-idp:DeleteUserPoolClient",
404
+ "cognito-idp:DescribeUserPoolClient",
405
+ "cognito-idp:AdminInitiateAuth",
406
+ "cognito-idp:AdminUserGlobalSignOut",
407
+ "cognito-idp:ListUserPoolClients",
408
+ "cognito-identity:DescribeIdentityPool",
409
+ "cognito-identity:UpdateIdentityPool",
410
+ "cognito-identity:SetIdentityPoolRoles",
411
+ "cognito-identity:GetIdentityPoolRoles",
412
+ "es:UpdateDomainConfig"
413
+ ],
414
+ "Effect": "Allow",
415
+ "Resource": [
416
+ {
417
+ "Fn::GetAtt": [
418
+ "testlambdaopensearchCognitoUserPoolA09096F9",
419
+ "Arn"
420
+ ]
421
+ },
422
+ {
423
+ "Fn::Join": [
424
+ "",
425
+ [
426
+ "arn:aws:cognito-identity:",
427
+ {
428
+ "Ref": "AWS::Region"
429
+ },
430
+ ":",
431
+ {
432
+ "Ref": "AWS::AccountId"
433
+ },
434
+ ":identitypool/",
435
+ {
436
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
437
+ }
438
+ ]
439
+ ]
440
+ },
441
+ {
442
+ "Fn::Join": [
443
+ "",
444
+ [
445
+ "arn:aws:es:",
446
+ {
447
+ "Ref": "AWS::Region"
448
+ },
449
+ ":",
450
+ {
451
+ "Ref": "AWS::AccountId"
452
+ },
453
+ ":domain/deploytestwithclusterconfig"
454
+ ]
455
+ ]
456
+ }
457
+ ]
458
+ },
459
+ {
460
+ "Action": "iam:PassRole",
461
+ "Condition": {
462
+ "StringLike": {
463
+ "iam:PassedToService": "cognito-identity.amazonaws.com"
464
+ }
465
+ },
466
+ "Effect": "Allow",
467
+ "Resource": {
468
+ "Fn::GetAtt": [
469
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A",
470
+ "Arn"
471
+ ]
472
+ }
473
+ }
474
+ ],
475
+ "Version": "2012-10-17"
476
+ },
477
+ "PolicyName": "testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2",
478
+ "Roles": [
479
+ {
480
+ "Ref": "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A"
481
+ }
482
+ ]
483
+ }
484
+ },
485
+ "testlambdaopensearchOpenSearchDomainF9CCC3D3": {
486
+ "Type": "AWS::OpenSearchService::Domain",
487
+ "Properties": {
488
+ "AccessPolicies": {
489
+ "Statement": [
490
+ {
491
+ "Action": "es:ESHttp*",
492
+ "Effect": "Allow",
493
+ "Principal": {
494
+ "AWS": [
495
+ {
496
+ "Fn::GetAtt": [
497
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44",
498
+ "Arn"
499
+ ]
500
+ },
501
+ {
502
+ "Fn::GetAtt": [
503
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
504
+ "Arn"
505
+ ]
506
+ }
507
+ ]
508
+ },
509
+ "Resource": {
510
+ "Fn::Join": [
511
+ "",
512
+ [
513
+ "arn:aws:es:",
514
+ {
515
+ "Ref": "AWS::Region"
516
+ },
517
+ ":",
518
+ {
519
+ "Ref": "AWS::AccountId"
520
+ },
521
+ ":domain/deploytestwithclusterconfig/*"
522
+ ]
523
+ ]
524
+ }
525
+ }
526
+ ],
527
+ "Version": "2012-10-17"
528
+ },
529
+ "ClusterConfig": {
530
+ "DedicatedMasterCount": 3,
531
+ "DedicatedMasterEnabled": true,
532
+ "InstanceCount": 2,
533
+ "ZoneAwarenessConfig": {
534
+ "AvailabilityZoneCount": 2
535
+ },
536
+ "ZoneAwarenessEnabled": true
537
+ },
538
+ "CognitoOptions": {
539
+ "Enabled": true,
540
+ "IdentityPoolId": {
541
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
542
+ },
543
+ "RoleArn": {
544
+ "Fn::GetAtt": [
545
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A",
546
+ "Arn"
547
+ ]
548
+ },
549
+ "UserPoolId": {
550
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
551
+ }
552
+ },
553
+ "DomainName": "deploytestwithclusterconfig",
554
+ "EBSOptions": {
555
+ "EBSEnabled": true,
556
+ "VolumeSize": 10
557
+ },
558
+ "EncryptionAtRestOptions": {
559
+ "Enabled": true
560
+ },
561
+ "EngineVersion": "OpenSearch_1.3",
562
+ "NodeToNodeEncryptionOptions": {
563
+ "Enabled": true
564
+ },
565
+ "SnapshotOptions": {
566
+ "AutomatedSnapshotStartHour": 1
567
+ },
568
+ "VPCOptions": {
569
+ "SecurityGroupIds": [
570
+ {
571
+ "Fn::GetAtt": [
572
+ "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC",
573
+ "GroupId"
574
+ ]
575
+ }
576
+ ],
577
+ "SubnetIds": [
578
+ {
579
+ "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
580
+ },
581
+ {
582
+ "Ref": "VpcisolatedSubnet2Subnet39217055"
583
+ }
584
+ ]
585
+ }
586
+ },
587
+ "Metadata": {
588
+ "cfn_nag": {
589
+ "rules_to_suppress": [
590
+ {
591
+ "id": "W28",
592
+ "reason": "The OpenSearch Service domain is passed dynamically as as parameter and explicitly specified to ensure that IAM policies are configured to lockdown access to this specific OpenSearch Service instance only"
593
+ },
594
+ {
595
+ "id": "W90",
596
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
597
+ }
598
+ ]
599
+ }
600
+ }
601
+ },
602
+ "testlambdaopensearchStatusRedAlarm1627144D": {
603
+ "Type": "AWS::CloudWatch::Alarm",
604
+ "Properties": {
605
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
606
+ "EvaluationPeriods": 1,
607
+ "AlarmDescription": "At least one primary shard and its replicas are not allocated to a node. ",
608
+ "MetricName": "ClusterStatus.red",
609
+ "Namespace": "AWS/ES",
610
+ "Period": 60,
611
+ "Statistic": "Maximum",
612
+ "Threshold": 1
613
+ }
614
+ },
615
+ "testlambdaopensearchStatusYellowAlarm57139CF0": {
616
+ "Type": "AWS::CloudWatch::Alarm",
617
+ "Properties": {
618
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
619
+ "EvaluationPeriods": 1,
620
+ "AlarmDescription": "At least one replica shard is not allocated to a node.",
621
+ "MetricName": "ClusterStatus.yellow",
622
+ "Namespace": "AWS/ES",
623
+ "Period": 60,
624
+ "Statistic": "Maximum",
625
+ "Threshold": 1
626
+ }
627
+ },
628
+ "testlambdaopensearchFreeStorageSpaceTooLowAlarm6A5E1E96": {
629
+ "Type": "AWS::CloudWatch::Alarm",
630
+ "Properties": {
631
+ "ComparisonOperator": "LessThanOrEqualToThreshold",
632
+ "EvaluationPeriods": 1,
633
+ "AlarmDescription": "A node in your cluster is down to 20 GiB of free storage space.",
634
+ "MetricName": "FreeStorageSpace",
635
+ "Namespace": "AWS/ES",
636
+ "Period": 60,
637
+ "Statistic": "Minimum",
638
+ "Threshold": 20000
639
+ }
640
+ },
641
+ "testlambdaopensearchIndexWritesBlockedTooHighAlarmD2E041A3": {
642
+ "Type": "AWS::CloudWatch::Alarm",
643
+ "Properties": {
644
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
645
+ "EvaluationPeriods": 1,
646
+ "AlarmDescription": "Your cluster is blocking write requests.",
647
+ "MetricName": "ClusterIndexWritesBlocked",
648
+ "Namespace": "AWS/ES",
649
+ "Period": 300,
650
+ "Statistic": "Maximum",
651
+ "Threshold": 1
652
+ }
653
+ },
654
+ "testlambdaopensearchAutomatedSnapshotFailureTooHighAlarm9A4D0B1F": {
655
+ "Type": "AWS::CloudWatch::Alarm",
656
+ "Properties": {
657
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
658
+ "EvaluationPeriods": 1,
659
+ "AlarmDescription": "An automated snapshot failed. This failure is often the result of a red cluster health status.",
660
+ "MetricName": "AutomatedSnapshotFailure",
661
+ "Namespace": "AWS/ES",
662
+ "Period": 60,
663
+ "Statistic": "Maximum",
664
+ "Threshold": 1
665
+ }
666
+ },
667
+ "testlambdaopensearchCPUUtilizationTooHighAlarmC4850758": {
668
+ "Type": "AWS::CloudWatch::Alarm",
669
+ "Properties": {
670
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
671
+ "EvaluationPeriods": 3,
672
+ "AlarmDescription": "100% CPU utilization is not uncommon, but sustained high usage is problematic. Consider using larger instance types or adding instances.",
673
+ "MetricName": "CPUUtilization",
674
+ "Namespace": "AWS/ES",
675
+ "Period": 900,
676
+ "Statistic": "Average",
677
+ "Threshold": 80
678
+ }
679
+ },
680
+ "testlambdaopensearchJVMMemoryPressureTooHighAlarmEFB09A7C": {
681
+ "Type": "AWS::CloudWatch::Alarm",
682
+ "Properties": {
683
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
684
+ "EvaluationPeriods": 1,
685
+ "AlarmDescription": "Average JVM memory pressure over last 15 minutes too high. Consider scaling vertically.",
686
+ "MetricName": "JVMMemoryPressure",
687
+ "Namespace": "AWS/ES",
688
+ "Period": 900,
689
+ "Statistic": "Average",
690
+ "Threshold": 80
691
+ }
692
+ },
693
+ "testlambdaopensearchMasterCPUUtilizationTooHighAlarm124D5748": {
694
+ "Type": "AWS::CloudWatch::Alarm",
695
+ "Properties": {
696
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
697
+ "EvaluationPeriods": 3,
698
+ "AlarmDescription": "Average CPU utilization over last 45 minutes too high. Consider using larger instance types for your dedicated master nodes.",
699
+ "MetricName": "MasterCPUUtilization",
700
+ "Namespace": "AWS/ES",
701
+ "Period": 900,
702
+ "Statistic": "Average",
703
+ "Threshold": 50
704
+ }
705
+ },
706
+ "testlambdaopensearchMasterJVMMemoryPressureTooHighAlarmBC9524D3": {
707
+ "Type": "AWS::CloudWatch::Alarm",
708
+ "Properties": {
709
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
710
+ "EvaluationPeriods": 1,
711
+ "AlarmDescription": "Average JVM memory pressure over last 15 minutes too high. Consider scaling vertically.",
712
+ "MetricName": "MasterJVMMemoryPressure",
713
+ "Namespace": "AWS/ES",
714
+ "Period": 900,
715
+ "Statistic": "Average",
716
+ "Threshold": 50
717
+ }
718
+ },
719
+ "Vpc8378EB38": {
720
+ "Type": "AWS::EC2::VPC",
721
+ "Properties": {
722
+ "CidrBlock": "10.0.0.0/16",
723
+ "EnableDnsHostnames": true,
724
+ "EnableDnsSupport": true,
725
+ "InstanceTenancy": "default",
726
+ "Tags": [
727
+ {
728
+ "Key": "Name",
729
+ "Value": "cluster-config/Vpc"
730
+ }
731
+ ]
732
+ }
733
+ },
734
+ "VpcisolatedSubnet1SubnetE62B1B9B": {
735
+ "Type": "AWS::EC2::Subnet",
736
+ "Properties": {
737
+ "VpcId": {
738
+ "Ref": "Vpc8378EB38"
739
+ },
740
+ "AvailabilityZone": "test-region-1a",
741
+ "CidrBlock": "10.0.0.0/18",
742
+ "MapPublicIpOnLaunch": false,
743
+ "Tags": [
744
+ {
745
+ "Key": "aws-cdk:subnet-name",
746
+ "Value": "isolated"
747
+ },
748
+ {
749
+ "Key": "aws-cdk:subnet-type",
750
+ "Value": "Isolated"
751
+ },
752
+ {
753
+ "Key": "Name",
754
+ "Value": "cluster-config/Vpc/isolatedSubnet1"
755
+ }
756
+ ]
757
+ }
758
+ },
759
+ "VpcisolatedSubnet1RouteTableE442650B": {
760
+ "Type": "AWS::EC2::RouteTable",
761
+ "Properties": {
762
+ "VpcId": {
763
+ "Ref": "Vpc8378EB38"
764
+ },
765
+ "Tags": [
766
+ {
767
+ "Key": "Name",
768
+ "Value": "cluster-config/Vpc/isolatedSubnet1"
769
+ }
770
+ ]
771
+ }
772
+ },
773
+ "VpcisolatedSubnet1RouteTableAssociationD259E31A": {
774
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
775
+ "Properties": {
776
+ "RouteTableId": {
777
+ "Ref": "VpcisolatedSubnet1RouteTableE442650B"
778
+ },
779
+ "SubnetId": {
780
+ "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
781
+ }
782
+ }
783
+ },
784
+ "VpcisolatedSubnet2Subnet39217055": {
785
+ "Type": "AWS::EC2::Subnet",
786
+ "Properties": {
787
+ "VpcId": {
788
+ "Ref": "Vpc8378EB38"
789
+ },
790
+ "AvailabilityZone": "test-region-1b",
791
+ "CidrBlock": "10.0.64.0/18",
792
+ "MapPublicIpOnLaunch": false,
793
+ "Tags": [
794
+ {
795
+ "Key": "aws-cdk:subnet-name",
796
+ "Value": "isolated"
797
+ },
798
+ {
799
+ "Key": "aws-cdk:subnet-type",
800
+ "Value": "Isolated"
801
+ },
802
+ {
803
+ "Key": "Name",
804
+ "Value": "cluster-config/Vpc/isolatedSubnet2"
805
+ }
806
+ ]
807
+ }
808
+ },
809
+ "VpcisolatedSubnet2RouteTable334F9764": {
810
+ "Type": "AWS::EC2::RouteTable",
811
+ "Properties": {
812
+ "VpcId": {
813
+ "Ref": "Vpc8378EB38"
814
+ },
815
+ "Tags": [
816
+ {
817
+ "Key": "Name",
818
+ "Value": "cluster-config/Vpc/isolatedSubnet2"
819
+ }
820
+ ]
821
+ }
822
+ },
823
+ "VpcisolatedSubnet2RouteTableAssociation25A4716F": {
824
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
825
+ "Properties": {
826
+ "RouteTableId": {
827
+ "Ref": "VpcisolatedSubnet2RouteTable334F9764"
828
+ },
829
+ "SubnetId": {
830
+ "Ref": "VpcisolatedSubnet2Subnet39217055"
831
+ }
832
+ }
833
+ },
834
+ "VpcFlowLogIAMRole6A475D41": {
835
+ "Type": "AWS::IAM::Role",
836
+ "Properties": {
837
+ "AssumeRolePolicyDocument": {
838
+ "Statement": [
839
+ {
840
+ "Action": "sts:AssumeRole",
841
+ "Effect": "Allow",
842
+ "Principal": {
843
+ "Service": "vpc-flow-logs.amazonaws.com"
844
+ }
845
+ }
846
+ ],
847
+ "Version": "2012-10-17"
848
+ },
849
+ "Tags": [
850
+ {
851
+ "Key": "Name",
852
+ "Value": "cluster-config/Vpc"
853
+ }
854
+ ]
855
+ }
856
+ },
857
+ "VpcFlowLogIAMRoleDefaultPolicy406FB995": {
858
+ "Type": "AWS::IAM::Policy",
859
+ "Properties": {
860
+ "PolicyDocument": {
861
+ "Statement": [
862
+ {
863
+ "Action": [
864
+ "logs:CreateLogStream",
865
+ "logs:PutLogEvents",
866
+ "logs:DescribeLogStreams"
867
+ ],
868
+ "Effect": "Allow",
869
+ "Resource": {
870
+ "Fn::GetAtt": [
871
+ "VpcFlowLogLogGroup7B5C56B9",
872
+ "Arn"
873
+ ]
874
+ }
875
+ },
876
+ {
877
+ "Action": "iam:PassRole",
878
+ "Effect": "Allow",
879
+ "Resource": {
880
+ "Fn::GetAtt": [
881
+ "VpcFlowLogIAMRole6A475D41",
882
+ "Arn"
883
+ ]
884
+ }
885
+ }
886
+ ],
887
+ "Version": "2012-10-17"
888
+ },
889
+ "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995",
890
+ "Roles": [
891
+ {
892
+ "Ref": "VpcFlowLogIAMRole6A475D41"
893
+ }
894
+ ]
895
+ }
896
+ },
897
+ "VpcFlowLogLogGroup7B5C56B9": {
898
+ "Type": "AWS::Logs::LogGroup",
899
+ "Properties": {
900
+ "RetentionInDays": 731,
901
+ "Tags": [
902
+ {
903
+ "Key": "Name",
904
+ "Value": "cluster-config/Vpc"
905
+ }
906
+ ]
907
+ },
908
+ "UpdateReplacePolicy": "Retain",
909
+ "DeletionPolicy": "Retain",
910
+ "Metadata": {
911
+ "cfn_nag": {
912
+ "rules_to_suppress": [
913
+ {
914
+ "id": "W84",
915
+ "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)"
916
+ }
917
+ ]
918
+ }
919
+ }
920
+ },
921
+ "VpcFlowLog8FF33A73": {
922
+ "Type": "AWS::EC2::FlowLog",
923
+ "Properties": {
924
+ "ResourceId": {
925
+ "Ref": "Vpc8378EB38"
926
+ },
927
+ "ResourceType": "VPC",
928
+ "TrafficType": "ALL",
929
+ "DeliverLogsPermissionArn": {
930
+ "Fn::GetAtt": [
931
+ "VpcFlowLogIAMRole6A475D41",
932
+ "Arn"
933
+ ]
934
+ },
935
+ "LogDestinationType": "cloud-watch-logs",
936
+ "LogGroupName": {
937
+ "Ref": "VpcFlowLogLogGroup7B5C56B9"
938
+ },
939
+ "Tags": [
940
+ {
941
+ "Key": "Name",
942
+ "Value": "cluster-config/Vpc"
943
+ }
944
+ ]
945
+ }
946
+ }
947
+ },
948
+ "Parameters": {
949
+ "BootstrapVersion": {
950
+ "Type": "AWS::SSM::Parameter::Value<String>",
951
+ "Default": "/cdk-bootstrap/hnb659fds/version",
952
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
953
+ }
954
+ },
955
+ "Rules": {
956
+ "CheckBootstrapVersion": {
957
+ "Assertions": [
958
+ {
959
+ "Assert": {
960
+ "Fn::Not": [
961
+ {
962
+ "Fn::Contains": [
963
+ [
964
+ "1",
965
+ "2",
966
+ "3",
967
+ "4",
968
+ "5"
969
+ ],
970
+ {
971
+ "Ref": "BootstrapVersion"
972
+ }
973
+ ]
974
+ }
975
+ ]
976
+ },
977
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
978
+ }
979
+ ]
980
+ }
981
+ }
982
+ }
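Review bot: The `AWS::OpenSearchService::Domain` resource `testlambdaopensearchOpenSearchDomainF9CCC3D3` enables `EncryptionAtRestOptions` and `NodeToNodeEncryptionOptions` but sets no `DomainEndpointOptions`, so nothing in this template requires clients to reach the endpoint over HTTPS; consider adding `"DomainEndpointOptions": { "EnforceHTTPS": true, "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07" }`. The domain's `AccessPolicies` resource and the two joined ARNs in `testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2` hard-code `arn:aws:`, while the Lambda log policy and `CognitoAccessPolicy` use `{ "Ref": "AWS::Partition" }`, so outside the `aws` partition the resource-based policy would not match the domain. The nine `AWS::CloudWatch::Alarm` resources carry neither `Dimensions` nor `AlarmActions`; AWS/ES metrics are, as far as I know, published per `DomainName`/`ClientId`, so these alarms probably never evaluate real data and would notify nobody even if they did. This template looks like synthesized CDK output, so the changes belong in the construct source rather than in this file.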