@aws-solutions-constructs/aws-lambda-opensearch 2.50.0 → 2.52.0

Files changed (79)
  1. package/.eslintignore +2 -0
  2. package/.jsii +50 -5
  3. package/integ.config.json +7 -0
  4. package/lib/index.js +1 -1
  5. package/package.json +12 -11
  6. package/test/integ.lamopn-cluster-config.js +6 -2
  7. package/test/integ.lamopn-cluster-config.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  8. package/test/integ.lamopn-cluster-config.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  9. package/test/integ.lamopn-cluster-config.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  10. package/test/integ.lamopn-cluster-config.js.snapshot/cdk.out +1 -0
  11. package/test/integ.lamopn-cluster-config.js.snapshot/integ.json +12 -0
  12. package/test/integ.lamopn-cluster-config.js.snapshot/lamopn-cluster-config.assets.json +45 -0
  13. package/test/integ.lamopn-cluster-config.js.snapshot/lamopn-cluster-config.template.json +1295 -0
  14. package/test/integ.lamopn-cluster-config.js.snapshot/lamopnclusterconfigIntegDefaultTestDeployAssertD8012D1A.assets.json +19 -0
  15. package/test/integ.lamopn-cluster-config.js.snapshot/lamopnclusterconfigIntegDefaultTestDeployAssertD8012D1A.template.json +36 -0
  16. package/test/integ.lamopn-cluster-config.js.snapshot/manifest.json +323 -0
  17. package/test/integ.lamopn-cluster-config.js.snapshot/tree.json +1795 -0
  18. package/test/integ.lamopn-disabled-zone-awareness.js +6 -2
  19. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  20. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  21. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  22. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/cdk.out +1 -0
  23. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/integ.json +12 -0
  24. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopn-disabled-zone-awareness.assets.json +45 -0
  25. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopn-disabled-zone-awareness.template.json +1228 -0
  26. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopndisabledzoneawarenessIntegDefaultTestDeployAssert7E083B68.assets.json +19 -0
  27. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopndisabledzoneawarenessIntegDefaultTestDeployAssert7E083B68.template.json +36 -0
  28. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/manifest.json +305 -0
  29. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/tree.json +1687 -0
  30. package/test/integ.lamopn-domain-arguments.js +5 -2
  31. package/test/integ.lamopn-domain-arguments.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  32. package/test/integ.lamopn-domain-arguments.js.snapshot/cdk.out +1 -0
  33. package/test/integ.lamopn-domain-arguments.js.snapshot/integ.json +12 -0
  34. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopn-domain-arguments.assets.json +32 -0
  35. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopn-domain-arguments.template.json +846 -0
  36. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopndomainargumentsIntegDefaultTestDeployAssert47534E1E.assets.json +19 -0
  37. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopndomainargumentsIntegDefaultTestDeployAssert47534E1E.template.json +36 -0
  38. package/test/integ.lamopn-domain-arguments.js.snapshot/manifest.json +233 -0
  39. package/test/integ.lamopn-domain-arguments.js.snapshot/tree.json +1256 -0
  40. package/test/integ.lamopn-existing-vpc.js +12 -6
  41. package/test/integ.lamopn-existing-vpc.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  42. package/test/integ.lamopn-existing-vpc.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  43. package/test/integ.lamopn-existing-vpc.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  44. package/test/integ.lamopn-existing-vpc.js.snapshot/cdk.out +1 -0
  45. package/test/integ.lamopn-existing-vpc.js.snapshot/integ.json +12 -0
  46. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopn-existing-vpc.assets.json +48 -0
  47. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopn-existing-vpc.template.json +1571 -0
  48. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopnexistingvpcIntegDefaultTestDeployAssert4A7EE058.assets.json +19 -0
  49. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopnexistingvpcIntegDefaultTestDeployAssert4A7EE058.template.json +36 -0
  50. package/test/integ.lamopn-existing-vpc.js.snapshot/manifest.json +419 -0
  51. package/test/integ.lamopn-existing-vpc.js.snapshot/tree.json +2207 -0
  52. package/test/integ.lamopn-no-arguments.js +5 -2
  53. package/test/integ.lamopn-no-arguments.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  54. package/test/integ.lamopn-no-arguments.js.snapshot/cdk.out +1 -0
  55. package/test/integ.lamopn-no-arguments.js.snapshot/integ.json +12 -0
  56. package/test/integ.lamopn-no-arguments.js.snapshot/lamopn-no-arguments.assets.json +32 -0
  57. package/test/integ.lamopn-no-arguments.js.snapshot/lamopn-no-arguments.template.json +846 -0
  58. package/test/integ.lamopn-no-arguments.js.snapshot/lamopnnoargumentsIntegDefaultTestDeployAssert4290A592.assets.json +19 -0
  59. package/test/integ.lamopn-no-arguments.js.snapshot/lamopnnoargumentsIntegDefaultTestDeployAssert4290A592.template.json +36 -0
  60. package/test/integ.lamopn-no-arguments.js.snapshot/manifest.json +233 -0
  61. package/test/integ.lamopn-no-arguments.js.snapshot/tree.json +1256 -0
  62. package/test/integ.lamopn-vpc-props.js +12 -6
  63. package/test/integ.lamopn-vpc-props.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  64. package/test/integ.lamopn-vpc-props.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  65. package/test/integ.lamopn-vpc-props.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  66. package/test/integ.lamopn-vpc-props.js.snapshot/cdk.out +1 -0
  67. package/test/integ.lamopn-vpc-props.js.snapshot/integ.json +12 -0
  68. package/test/integ.lamopn-vpc-props.js.snapshot/lamopn-vpc-props.assets.json +48 -0
  69. package/test/integ.lamopn-vpc-props.js.snapshot/lamopn-vpc-props.template.json +1287 -0
  70. package/test/integ.lamopn-vpc-props.js.snapshot/lamopnvpcpropsIntegDefaultTestDeployAssertC7FD49B0.assets.json +19 -0
  71. package/test/integ.lamopn-vpc-props.js.snapshot/lamopnvpcpropsIntegDefaultTestDeployAssertC7FD49B0.template.json +36 -0
  72. package/test/integ.lamopn-vpc-props.js.snapshot/manifest.json +323 -0
  73. package/test/integ.lamopn-vpc-props.js.snapshot/tree.json +1795 -0
  74. package/test/integ.lamopn-cluster-config.expected.json +0 -1153
  75. package/test/integ.lamopn-disabled-zone-awareness.expected.json +0 -1093
  76. package/test/integ.lamopn-domain-arguments.expected.json +0 -846
  77. package/test/integ.lamopn-existing-vpc.expected.json +0 -1602
  78. package/test/integ.lamopn-no-arguments.expected.json +0 -846
  79. package/test/integ.lamopn-vpc-props.expected.json +0 -1208
@@ -1,1208 +0,0 @@
1
- {
2
- "Resources": {
3
- "testlambdaopensearchLambdaFunctionServiceRole4722AB8A": {
4
- "Type": "AWS::IAM::Role",
5
- "Properties": {
6
- "AssumeRolePolicyDocument": {
7
- "Statement": [
8
- {
9
- "Action": "sts:AssumeRole",
10
- "Effect": "Allow",
11
- "Principal": {
12
- "Service": "lambda.amazonaws.com"
13
- }
14
- }
15
- ],
16
- "Version": "2012-10-17"
17
- },
18
- "Policies": [
19
- {
20
- "PolicyDocument": {
21
- "Statement": [
22
- {
23
- "Action": [
24
- "logs:CreateLogGroup",
25
- "logs:CreateLogStream",
26
- "logs:PutLogEvents"
27
- ],
28
- "Effect": "Allow",
29
- "Resource": {
30
- "Fn::Join": [
31
- "",
32
- [
33
- "arn:",
34
- {
35
- "Ref": "AWS::Partition"
36
- },
37
- ":logs:",
38
- {
39
- "Ref": "AWS::Region"
40
- },
41
- ":",
42
- {
43
- "Ref": "AWS::AccountId"
44
- },
45
- ":log-group:/aws/lambda/*"
46
- ]
47
- ]
48
- }
49
- }
50
- ],
51
- "Version": "2012-10-17"
52
- },
53
- "PolicyName": "LambdaFunctionServiceRolePolicy"
54
- }
55
- ]
56
- }
57
- },
58
- "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359": {
59
- "Type": "AWS::IAM::Policy",
60
- "Properties": {
61
- "PolicyDocument": {
62
- "Statement": [
63
- {
64
- "Action": [
65
- "ec2:CreateNetworkInterface",
66
- "ec2:DescribeNetworkInterfaces",
67
- "ec2:DeleteNetworkInterface",
68
- "ec2:AssignPrivateIpAddresses",
69
- "ec2:UnassignPrivateIpAddresses"
70
- ],
71
- "Effect": "Allow",
72
- "Resource": "*"
73
- },
74
- {
75
- "Action": [
76
- "xray:PutTraceSegments",
77
- "xray:PutTelemetryRecords"
78
- ],
79
- "Effect": "Allow",
80
- "Resource": "*"
81
- }
82
- ],
83
- "Version": "2012-10-17"
84
- },
85
- "PolicyName": "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359",
86
- "Roles": [
87
- {
88
- "Ref": "testlambdaopensearchLambdaFunctionServiceRole4722AB8A"
89
- }
90
- ]
91
- },
92
- "Metadata": {
93
- "cfn_nag": {
94
- "rules_to_suppress": [
95
- {
96
- "id": "W12",
97
- "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC."
98
- }
99
- ]
100
- }
101
- }
102
- },
103
- "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC": {
104
- "Type": "AWS::EC2::SecurityGroup",
105
- "Properties": {
106
- "GroupDescription": "lamopn-vpc-props/test-lambda-opensearch/ReplaceDefaultSecurityGroup-security-group",
107
- "SecurityGroupEgress": [
108
- {
109
- "CidrIp": "0.0.0.0/0",
110
- "Description": "Allow all outbound traffic by default",
111
- "IpProtocol": "-1"
112
- }
113
- ],
114
- "VpcId": {
115
- "Ref": "Vpc8378EB38"
116
- }
117
- },
118
- "Metadata": {
119
- "cfn_nag": {
120
- "rules_to_suppress": [
121
- {
122
- "id": "W5",
123
- "reason": "Egress of 0.0.0.0/0 is default and generally considered OK"
124
- },
125
- {
126
- "id": "W40",
127
- "reason": "Egress IPProtocol of -1 is default and generally considered OK"
128
- }
129
- ]
130
- }
131
- }
132
- },
133
- "testlambdaopensearchLambdaFunction93FD38F7": {
134
- "Type": "AWS::Lambda::Function",
135
- "Properties": {
136
- "Code": {
137
- "S3Bucket": "cdk-hnb659fds-assets-12345678-test-region",
138
- "S3Key": "abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290.zip"
139
- },
140
- "Environment": {
141
- "Variables": {
142
- "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1",
143
- "DOMAIN_ENDPOINT": {
144
- "Fn::GetAtt": [
145
- "testlambdaopensearchOpenSearchDomainF9CCC3D3",
146
- "DomainEndpoint"
147
- ]
148
- }
149
- }
150
- },
151
- "Handler": "index.handler",
152
- "Role": {
153
- "Fn::GetAtt": [
154
- "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
155
- "Arn"
156
- ]
157
- },
158
- "Runtime": "nodejs16.x",
159
- "TracingConfig": {
160
- "Mode": "Active"
161
- },
162
- "VpcConfig": {
163
- "SecurityGroupIds": [
164
- {
165
- "Fn::GetAtt": [
166
- "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC",
167
- "GroupId"
168
- ]
169
- }
170
- ],
171
- "SubnetIds": [
172
- {
173
- "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
174
- },
175
- {
176
- "Ref": "VpcisolatedSubnet2Subnet39217055"
177
- },
178
- {
179
- "Ref": "VpcisolatedSubnet3Subnet44F2537D"
180
- }
181
- ]
182
- }
183
- },
184
- "DependsOn": [
185
- "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359",
186
- "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
187
- "VpcisolatedSubnet1RouteTableAssociationD259E31A",
188
- "VpcisolatedSubnet2RouteTableAssociation25A4716F",
189
- "VpcisolatedSubnet3RouteTableAssociationDC010BEB"
190
- ],
191
- "Metadata": {
192
- "cfn_nag": {
193
- "rules_to_suppress": [
194
- {
195
- "id": "W58",
196
- "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions."
197
- },
198
- {
199
- "id": "W89",
200
- "reason": "This is not a rule for the general case, just for specific use cases/industries"
201
- },
202
- {
203
- "id": "W92",
204
- "reason": "Impossible for us to define the correct concurrency for clients"
205
- }
206
- ]
207
- }
208
- }
209
- },
210
- "testlambdaopensearchCognitoUserPoolA09096F9": {
211
- "Type": "AWS::Cognito::UserPool",
212
- "Properties": {
213
- "AccountRecoverySetting": {
214
- "RecoveryMechanisms": [
215
- {
216
- "Name": "verified_phone_number",
217
- "Priority": 1
218
- },
219
- {
220
- "Name": "verified_email",
221
- "Priority": 2
222
- }
223
- ]
224
- },
225
- "AdminCreateUserConfig": {
226
- "AllowAdminCreateUserOnly": true
227
- },
228
- "EmailVerificationMessage": "The verification code to your new account is {####}",
229
- "EmailVerificationSubject": "Verify your new account",
230
- "SmsVerificationMessage": "The verification code to your new account is {####}",
231
- "UserPoolAddOns": {
232
- "AdvancedSecurityMode": "ENFORCED"
233
- },
234
- "VerificationMessageTemplate": {
235
- "DefaultEmailOption": "CONFIRM_WITH_CODE",
236
- "EmailMessage": "The verification code to your new account is {####}",
237
- "EmailSubject": "Verify your new account",
238
- "SmsMessage": "The verification code to your new account is {####}"
239
- }
240
- },
241
- "UpdateReplacePolicy": "Retain",
242
- "DeletionPolicy": "Retain"
243
- },
244
- "testlambdaopensearchCognitoUserPoolClient39C21D94": {
245
- "Type": "AWS::Cognito::UserPoolClient",
246
- "Properties": {
247
- "AllowedOAuthFlows": [
248
- "implicit",
249
- "code"
250
- ],
251
- "AllowedOAuthFlowsUserPoolClient": true,
252
- "AllowedOAuthScopes": [
253
- "profile",
254
- "phone",
255
- "email",
256
- "openid",
257
- "aws.cognito.signin.user.admin"
258
- ],
259
- "CallbackURLs": [
260
- "https://example.com"
261
- ],
262
- "SupportedIdentityProviders": [
263
- "COGNITO"
264
- ],
265
- "UserPoolId": {
266
- "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
267
- }
268
- }
269
- },
270
- "testlambdaopensearchCognitoIdentityPool0B1FB311": {
271
- "Type": "AWS::Cognito::IdentityPool",
272
- "Properties": {
273
- "AllowUnauthenticatedIdentities": false,
274
- "CognitoIdentityProviders": [
275
- {
276
- "ClientId": {
277
- "Ref": "testlambdaopensearchCognitoUserPoolClient39C21D94"
278
- },
279
- "ProviderName": {
280
- "Fn::GetAtt": [
281
- "testlambdaopensearchCognitoUserPoolA09096F9",
282
- "ProviderName"
283
- ]
284
- },
285
- "ServerSideTokenCheck": true
286
- }
287
- ]
288
- }
289
- },
290
- "testlambdaopensearchUserPoolDomain98864920": {
291
- "Type": "AWS::Cognito::UserPoolDomain",
292
- "Properties": {
293
- "Domain": {
294
- "Fn::Join": [
295
- "-",
296
- [
297
- "dmn",
298
- {
299
- "Fn::Select": [
300
- 4,
301
- {
302
- "Fn::Split": [
303
- "-",
304
- {
305
- "Fn::Select": [
306
- 2,
307
- {
308
- "Fn::Split": [
309
- "/",
310
- {
311
- "Ref": "AWS::StackId"
312
- }
313
- ]
314
- }
315
- ]
316
- }
317
- ]
318
- }
319
- ]
320
- }
321
- ]
322
- ]
323
- },
324
- "UserPoolId": {
325
- "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
326
- }
327
- },
328
- "DependsOn": [
329
- "testlambdaopensearchCognitoUserPoolA09096F9"
330
- ]
331
- },
332
- "testlambdaopensearchCognitoAuthorizedRole58A1ED44": {
333
- "Type": "AWS::IAM::Role",
334
- "Properties": {
335
- "AssumeRolePolicyDocument": {
336
- "Statement": [
337
- {
338
- "Action": "sts:AssumeRoleWithWebIdentity",
339
- "Condition": {
340
- "StringEquals": {
341
- "cognito-identity.amazonaws.com:aud": {
342
- "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
343
- }
344
- },
345
- "ForAnyValue:StringLike": {
346
- "cognito-identity.amazonaws.com:amr": "authenticated"
347
- }
348
- },
349
- "Effect": "Allow",
350
- "Principal": {
351
- "Federated": "cognito-identity.amazonaws.com"
352
- }
353
- }
354
- ],
355
- "Version": "2012-10-17"
356
- },
357
- "Policies": [
358
- {
359
- "PolicyDocument": {
360
- "Statement": [
361
- {
362
- "Action": "es:ESHttp*",
363
- "Effect": "Allow",
364
- "Resource": {
365
- "Fn::Join": [
366
- "",
367
- [
368
- "arn:",
369
- {
370
- "Ref": "AWS::Partition"
371
- },
372
- ":es:",
373
- {
374
- "Ref": "AWS::Region"
375
- },
376
- ":",
377
- {
378
- "Ref": "AWS::AccountId"
379
- },
380
- ":domain/",
381
- {
382
- "Fn::Join": [
383
- "-",
384
- [
385
- "dmn",
386
- {
387
- "Fn::Select": [
388
- 4,
389
- {
390
- "Fn::Split": [
391
- "-",
392
- {
393
- "Fn::Select": [
394
- 2,
395
- {
396
- "Fn::Split": [
397
- "/",
398
- {
399
- "Ref": "AWS::StackId"
400
- }
401
- ]
402
- }
403
- ]
404
- }
405
- ]
406
- }
407
- ]
408
- }
409
- ]
410
- ]
411
- },
412
- "/*"
413
- ]
414
- ]
415
- }
416
- }
417
- ],
418
- "Version": "2012-10-17"
419
- },
420
- "PolicyName": "CognitoAccessPolicy"
421
- }
422
- ]
423
- }
424
- },
425
- "testlambdaopensearchIdentityPoolRoleMappingD8C765B1": {
426
- "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
427
- "Properties": {
428
- "IdentityPoolId": {
429
- "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
430
- },
431
- "Roles": {
432
- "authenticated": {
433
- "Fn::GetAtt": [
434
- "testlambdaopensearchCognitoAuthorizedRole58A1ED44",
435
- "Arn"
436
- ]
437
- }
438
- }
439
- }
440
- },
441
- "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A": {
442
- "Type": "AWS::IAM::Role",
443
- "Properties": {
444
- "AssumeRolePolicyDocument": {
445
- "Statement": [
446
- {
447
- "Action": "sts:AssumeRole",
448
- "Effect": "Allow",
449
- "Principal": {
450
- "Service": "es.amazonaws.com"
451
- }
452
- }
453
- ],
454
- "Version": "2012-10-17"
455
- }
456
- }
457
- },
458
- "testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2": {
459
- "Type": "AWS::IAM::Policy",
460
- "Properties": {
461
- "PolicyDocument": {
462
- "Statement": [
463
- {
464
- "Action": [
465
- "cognito-idp:DescribeUserPool",
466
- "cognito-idp:CreateUserPoolClient",
467
- "cognito-idp:DeleteUserPoolClient",
468
- "cognito-idp:DescribeUserPoolClient",
469
- "cognito-idp:AdminInitiateAuth",
470
- "cognito-idp:AdminUserGlobalSignOut",
471
- "cognito-idp:ListUserPoolClients",
472
- "cognito-identity:DescribeIdentityPool",
473
- "cognito-identity:UpdateIdentityPool",
474
- "cognito-identity:SetIdentityPoolRoles",
475
- "cognito-identity:GetIdentityPoolRoles",
476
- "es:UpdateDomainConfig"
477
- ],
478
- "Effect": "Allow",
479
- "Resource": [
480
- {
481
- "Fn::GetAtt": [
482
- "testlambdaopensearchCognitoUserPoolA09096F9",
483
- "Arn"
484
- ]
485
- },
486
- {
487
- "Fn::Join": [
488
- "",
489
- [
490
- "arn:",
491
- {
492
- "Ref": "AWS::Partition"
493
- },
494
- ":cognito-identity:",
495
- {
496
- "Ref": "AWS::Region"
497
- },
498
- ":",
499
- {
500
- "Ref": "AWS::AccountId"
501
- },
502
- ":identitypool/",
503
- {
504
- "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
505
- }
506
- ]
507
- ]
508
- },
509
- {
510
- "Fn::Join": [
511
- "",
512
- [
513
- "arn:",
514
- {
515
- "Ref": "AWS::Partition"
516
- },
517
- ":es:",
518
- {
519
- "Ref": "AWS::Region"
520
- },
521
- ":",
522
- {
523
- "Ref": "AWS::AccountId"
524
- },
525
- ":domain/",
526
- {
527
- "Fn::Join": [
528
- "-",
529
- [
530
- "dmn",
531
- {
532
- "Fn::Select": [
533
- 4,
534
- {
535
- "Fn::Split": [
536
- "-",
537
- {
538
- "Fn::Select": [
539
- 2,
540
- {
541
- "Fn::Split": [
542
- "/",
543
- {
544
- "Ref": "AWS::StackId"
545
- }
546
- ]
547
- }
548
- ]
549
- }
550
- ]
551
- }
552
- ]
553
- }
554
- ]
555
- ]
556
- }
557
- ]
558
- ]
559
- }
560
- ]
561
- },
562
- {
563
- "Action": "iam:PassRole",
564
- "Condition": {
565
- "StringLike": {
566
- "iam:PassedToService": "cognito-identity.amazonaws.com"
567
- }
568
- },
569
- "Effect": "Allow",
570
- "Resource": {
571
- "Fn::GetAtt": [
572
- "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A",
573
- "Arn"
574
- ]
575
- }
576
- }
577
- ],
578
- "Version": "2012-10-17"
579
- },
580
- "PolicyName": "testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2",
581
- "Roles": [
582
- {
583
- "Ref": "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A"
584
- }
585
- ]
586
- }
587
- },
588
- "testlambdaopensearchOpenSearchDomainF9CCC3D3": {
589
- "Type": "AWS::OpenSearchService::Domain",
590
- "Properties": {
591
- "AccessPolicies": {
592
- "Statement": [
593
- {
594
- "Action": "es:ESHttp*",
595
- "Effect": "Allow",
596
- "Principal": {
597
- "AWS": [
598
- {
599
- "Fn::GetAtt": [
600
- "testlambdaopensearchCognitoAuthorizedRole58A1ED44",
601
- "Arn"
602
- ]
603
- },
604
- {
605
- "Fn::GetAtt": [
606
- "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
607
- "Arn"
608
- ]
609
- }
610
- ]
611
- },
612
- "Resource": {
613
- "Fn::Join": [
614
- "",
615
- [
616
- "arn:",
617
- {
618
- "Ref": "AWS::Partition"
619
- },
620
- ":es:",
621
- {
622
- "Ref": "AWS::Region"
623
- },
624
- ":",
625
- {
626
- "Ref": "AWS::AccountId"
627
- },
628
- ":domain/",
629
- {
630
- "Fn::Join": [
631
- "-",
632
- [
633
- "dmn",
634
- {
635
- "Fn::Select": [
636
- 4,
637
- {
638
- "Fn::Split": [
639
- "-",
640
- {
641
- "Fn::Select": [
642
- 2,
643
- {
644
- "Fn::Split": [
645
- "/",
646
- {
647
- "Ref": "AWS::StackId"
648
- }
649
- ]
650
- }
651
- ]
652
- }
653
- ]
654
- }
655
- ]
656
- }
657
- ]
658
- ]
659
- },
660
- "/*"
661
- ]
662
- ]
663
- }
664
- }
665
- ],
666
- "Version": "2012-10-17"
667
- },
668
- "ClusterConfig": {
669
- "DedicatedMasterCount": 3,
670
- "DedicatedMasterEnabled": true,
671
- "InstanceCount": 3,
672
- "ZoneAwarenessConfig": {
673
- "AvailabilityZoneCount": 3
674
- },
675
- "ZoneAwarenessEnabled": true
676
- },
677
- "CognitoOptions": {
678
- "Enabled": true,
679
- "IdentityPoolId": {
680
- "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
681
- },
682
- "RoleArn": {
683
- "Fn::GetAtt": [
684
- "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A",
685
- "Arn"
686
- ]
687
- },
688
- "UserPoolId": {
689
- "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
690
- }
691
- },
692
- "DomainEndpointOptions": {
693
- "EnforceHTTPS": true,
694
- "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
695
- },
696
- "DomainName": {
697
- "Fn::Join": [
698
- "-",
699
- [
700
- "dmn",
701
- {
702
- "Fn::Select": [
703
- 4,
704
- {
705
- "Fn::Split": [
706
- "-",
707
- {
708
- "Fn::Select": [
709
- 2,
710
- {
711
- "Fn::Split": [
712
- "/",
713
- {
714
- "Ref": "AWS::StackId"
715
- }
716
- ]
717
- }
718
- ]
719
- }
720
- ]
721
- }
722
- ]
723
- }
724
- ]
725
- ]
726
- },
727
- "EBSOptions": {
728
- "EBSEnabled": true,
729
- "VolumeSize": 10
730
- },
731
- "EncryptionAtRestOptions": {
732
- "Enabled": true
733
- },
734
- "EngineVersion": "OpenSearch_1.3",
735
- "NodeToNodeEncryptionOptions": {
736
- "Enabled": true
737
- },
738
- "SnapshotOptions": {
739
- "AutomatedSnapshotStartHour": 1
740
- },
741
- "VPCOptions": {
742
- "SecurityGroupIds": [
743
- {
744
- "Fn::GetAtt": [
745
- "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC",
746
- "GroupId"
747
- ]
748
- }
749
- ],
750
- "SubnetIds": [
751
- {
752
- "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
753
- },
754
- {
755
- "Ref": "VpcisolatedSubnet2Subnet39217055"
756
- },
757
- {
758
- "Ref": "VpcisolatedSubnet3Subnet44F2537D"
759
- }
760
- ]
761
- }
762
- },
763
- "Metadata": {
764
- "cfn_nag": {
765
- "rules_to_suppress": [
766
- {
767
- "id": "W28",
768
- "reason": "The OpenSearch Service domain is passed dynamically as as parameter and explicitly specified to ensure that IAM policies are configured to lockdown access to this specific OpenSearch Service instance only"
769
- },
770
- {
771
- "id": "W90",
772
- "reason": "This is not a rule for the general case, just for specific use cases/industries"
773
- }
774
- ]
775
- }
776
- }
777
- },
778
- "testlambdaopensearchStatusRedAlarm1627144D": {
779
- "Type": "AWS::CloudWatch::Alarm",
780
- "Properties": {
781
- "AlarmDescription": "At least one primary shard and its replicas are not allocated to a node. ",
782
- "ComparisonOperator": "GreaterThanOrEqualToThreshold",
783
- "EvaluationPeriods": 1,
784
- "MetricName": "ClusterStatus.red",
785
- "Namespace": "AWS/ES",
786
- "Period": 60,
787
- "Statistic": "Maximum",
788
- "Threshold": 1
789
- }
790
- },
791
- "testlambdaopensearchStatusYellowAlarm57139CF0": {
792
- "Type": "AWS::CloudWatch::Alarm",
793
- "Properties": {
794
- "AlarmDescription": "At least one replica shard is not allocated to a node.",
795
- "ComparisonOperator": "GreaterThanOrEqualToThreshold",
796
- "EvaluationPeriods": 1,
797
- "MetricName": "ClusterStatus.yellow",
798
- "Namespace": "AWS/ES",
799
- "Period": 60,
800
- "Statistic": "Maximum",
801
- "Threshold": 1
802
- }
803
- },
804
- "testlambdaopensearchFreeStorageSpaceTooLowAlarm6A5E1E96": {
805
- "Type": "AWS::CloudWatch::Alarm",
806
- "Properties": {
807
- "AlarmDescription": "A node in your cluster is down to 20 GiB of free storage space.",
808
- "ComparisonOperator": "LessThanOrEqualToThreshold",
809
- "EvaluationPeriods": 1,
810
- "MetricName": "FreeStorageSpace",
811
- "Namespace": "AWS/ES",
812
- "Period": 60,
813
- "Statistic": "Minimum",
814
- "Threshold": 20000
815
- }
816
- },
817
- "testlambdaopensearchIndexWritesBlockedTooHighAlarmD2E041A3": {
818
- "Type": "AWS::CloudWatch::Alarm",
819
- "Properties": {
820
- "AlarmDescription": "Your cluster is blocking write requests.",
821
- "ComparisonOperator": "GreaterThanOrEqualToThreshold",
822
- "EvaluationPeriods": 1,
823
- "MetricName": "ClusterIndexWritesBlocked",
824
- "Namespace": "AWS/ES",
825
- "Period": 300,
826
- "Statistic": "Maximum",
827
- "Threshold": 1
828
- }
829
- },
830
- "testlambdaopensearchAutomatedSnapshotFailureTooHighAlarm9A4D0B1F": {
831
- "Type": "AWS::CloudWatch::Alarm",
832
- "Properties": {
833
- "AlarmDescription": "An automated snapshot failed. This failure is often the result of a red cluster health status.",
834
- "ComparisonOperator": "GreaterThanOrEqualToThreshold",
835
- "EvaluationPeriods": 1,
836
- "MetricName": "AutomatedSnapshotFailure",
837
- "Namespace": "AWS/ES",
838
- "Period": 60,
839
- "Statistic": "Maximum",
840
- "Threshold": 1
841
- }
842
- },
843
- "testlambdaopensearchCPUUtilizationTooHighAlarmC4850758": {
844
- "Type": "AWS::CloudWatch::Alarm",
845
- "Properties": {
846
- "AlarmDescription": "100% CPU utilization is not uncommon, but sustained high usage is problematic. Consider using larger instance types or adding instances.",
847
- "ComparisonOperator": "GreaterThanOrEqualToThreshold",
848
- "EvaluationPeriods": 3,
849
- "MetricName": "CPUUtilization",
850
- "Namespace": "AWS/ES",
851
- "Period": 900,
852
- "Statistic": "Average",
853
- "Threshold": 80
854
- }
855
- },
856
- "testlambdaopensearchJVMMemoryPressureTooHighAlarmEFB09A7C": {
857
- "Type": "AWS::CloudWatch::Alarm",
858
- "Properties": {
859
- "AlarmDescription": "Average JVM memory pressure over last 15 minutes too high. Consider scaling vertically.",
860
- "ComparisonOperator": "GreaterThanOrEqualToThreshold",
861
- "EvaluationPeriods": 1,
862
- "MetricName": "JVMMemoryPressure",
863
- "Namespace": "AWS/ES",
864
- "Period": 900,
865
- "Statistic": "Average",
866
- "Threshold": 80
867
- }
868
- },
869
- "testlambdaopensearchMasterCPUUtilizationTooHighAlarm124D5748": {
870
- "Type": "AWS::CloudWatch::Alarm",
871
- "Properties": {
872
- "AlarmDescription": "Average CPU utilization over last 45 minutes too high. Consider using larger instance types for your dedicated master nodes.",
873
- "ComparisonOperator": "GreaterThanOrEqualToThreshold",
874
- "EvaluationPeriods": 3,
875
- "MetricName": "MasterCPUUtilization",
876
- "Namespace": "AWS/ES",
877
- "Period": 900,
878
- "Statistic": "Average",
879
- "Threshold": 50
880
- }
881
- },
882
- "testlambdaopensearchMasterJVMMemoryPressureTooHighAlarmBC9524D3": {
883
- "Type": "AWS::CloudWatch::Alarm",
884
- "Properties": {
885
- "AlarmDescription": "Average JVM memory pressure over last 15 minutes too high. Consider scaling vertically.",
886
- "ComparisonOperator": "GreaterThanOrEqualToThreshold",
887
- "EvaluationPeriods": 1,
888
- "MetricName": "MasterJVMMemoryPressure",
889
- "Namespace": "AWS/ES",
890
- "Period": 900,
891
- "Statistic": "Average",
892
- "Threshold": 50
893
- }
894
- },
895
- "Vpc8378EB38": {
896
- "Type": "AWS::EC2::VPC",
897
- "Properties": {
898
- "CidrBlock": "172.168.0.0/16",
899
- "EnableDnsHostnames": true,
900
- "EnableDnsSupport": true,
901
- "InstanceTenancy": "default",
902
- "Tags": [
903
- {
904
- "Key": "Name",
905
- "Value": "lamopn-vpc-props/Vpc"
906
- }
907
- ]
908
- }
909
- },
910
- "VpcisolatedSubnet1SubnetE62B1B9B": {
911
- "Type": "AWS::EC2::Subnet",
912
- "Properties": {
913
- "AvailabilityZone": "test-region-1a",
914
- "CidrBlock": "172.168.0.0/18",
915
- "MapPublicIpOnLaunch": false,
916
- "Tags": [
917
- {
918
- "Key": "aws-cdk:subnet-name",
919
- "Value": "isolated"
920
- },
921
- {
922
- "Key": "aws-cdk:subnet-type",
923
- "Value": "Isolated"
924
- },
925
- {
926
- "Key": "Name",
927
- "Value": "lamopn-vpc-props/Vpc/isolatedSubnet1"
928
- }
929
- ],
930
- "VpcId": {
931
- "Ref": "Vpc8378EB38"
932
- }
933
- }
934
- },
935
- "VpcisolatedSubnet1RouteTableE442650B": {
936
- "Type": "AWS::EC2::RouteTable",
937
- "Properties": {
938
- "Tags": [
939
- {
940
- "Key": "Name",
941
- "Value": "lamopn-vpc-props/Vpc/isolatedSubnet1"
942
- }
943
- ],
944
- "VpcId": {
945
- "Ref": "Vpc8378EB38"
946
- }
947
- }
948
- },
949
- "VpcisolatedSubnet1RouteTableAssociationD259E31A": {
950
- "Type": "AWS::EC2::SubnetRouteTableAssociation",
951
- "Properties": {
952
- "RouteTableId": {
953
- "Ref": "VpcisolatedSubnet1RouteTableE442650B"
954
- },
955
- "SubnetId": {
956
- "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
957
- }
958
- }
959
- },
960
- "VpcisolatedSubnet2Subnet39217055": {
961
- "Type": "AWS::EC2::Subnet",
962
- "Properties": {
963
- "AvailabilityZone": "test-region-1b",
964
- "CidrBlock": "172.168.64.0/18",
965
- "MapPublicIpOnLaunch": false,
966
- "Tags": [
967
- {
968
- "Key": "aws-cdk:subnet-name",
969
- "Value": "isolated"
970
- },
971
- {
972
- "Key": "aws-cdk:subnet-type",
973
- "Value": "Isolated"
974
- },
975
- {
976
- "Key": "Name",
977
- "Value": "lamopn-vpc-props/Vpc/isolatedSubnet2"
978
- }
979
- ],
980
- "VpcId": {
981
- "Ref": "Vpc8378EB38"
982
- }
983
- }
984
- },
985
- "VpcisolatedSubnet2RouteTable334F9764": {
986
- "Type": "AWS::EC2::RouteTable",
987
- "Properties": {
988
- "Tags": [
989
- {
990
- "Key": "Name",
991
- "Value": "lamopn-vpc-props/Vpc/isolatedSubnet2"
992
- }
993
- ],
994
- "VpcId": {
995
- "Ref": "Vpc8378EB38"
996
- }
997
- }
998
- },
999
- "VpcisolatedSubnet2RouteTableAssociation25A4716F": {
1000
- "Type": "AWS::EC2::SubnetRouteTableAssociation",
1001
- "Properties": {
1002
- "RouteTableId": {
1003
- "Ref": "VpcisolatedSubnet2RouteTable334F9764"
1004
- },
1005
- "SubnetId": {
1006
- "Ref": "VpcisolatedSubnet2Subnet39217055"
1007
- }
1008
- }
1009
- },
1010
- "VpcisolatedSubnet3Subnet44F2537D": {
1011
- "Type": "AWS::EC2::Subnet",
1012
- "Properties": {
1013
- "AvailabilityZone": "test-region-1c",
1014
- "CidrBlock": "172.168.128.0/18",
1015
- "MapPublicIpOnLaunch": false,
1016
- "Tags": [
1017
- {
1018
- "Key": "aws-cdk:subnet-name",
1019
- "Value": "isolated"
1020
- },
1021
- {
1022
- "Key": "aws-cdk:subnet-type",
1023
- "Value": "Isolated"
1024
- },
1025
- {
1026
- "Key": "Name",
1027
- "Value": "lamopn-vpc-props/Vpc/isolatedSubnet3"
1028
- }
1029
- ],
1030
- "VpcId": {
1031
- "Ref": "Vpc8378EB38"
1032
- }
1033
- }
1034
- },
1035
- "VpcisolatedSubnet3RouteTableA2F6BBC0": {
1036
- "Type": "AWS::EC2::RouteTable",
1037
- "Properties": {
1038
- "Tags": [
1039
- {
1040
- "Key": "Name",
1041
- "Value": "lamopn-vpc-props/Vpc/isolatedSubnet3"
1042
- }
1043
- ],
1044
- "VpcId": {
1045
- "Ref": "Vpc8378EB38"
1046
- }
1047
- }
1048
- },
1049
- "VpcisolatedSubnet3RouteTableAssociationDC010BEB": {
1050
- "Type": "AWS::EC2::SubnetRouteTableAssociation",
1051
- "Properties": {
1052
- "RouteTableId": {
1053
- "Ref": "VpcisolatedSubnet3RouteTableA2F6BBC0"
1054
- },
1055
- "SubnetId": {
1056
- "Ref": "VpcisolatedSubnet3Subnet44F2537D"
1057
- }
1058
- }
1059
- },
1060
- "VpcFlowLogIAMRole6A475D41": {
1061
- "Type": "AWS::IAM::Role",
1062
- "Properties": {
1063
- "AssumeRolePolicyDocument": {
1064
- "Statement": [
1065
- {
1066
- "Action": "sts:AssumeRole",
1067
- "Effect": "Allow",
1068
- "Principal": {
1069
- "Service": "vpc-flow-logs.amazonaws.com"
1070
- }
1071
- }
1072
- ],
1073
- "Version": "2012-10-17"
1074
- },
1075
- "Tags": [
1076
- {
1077
- "Key": "Name",
1078
- "Value": "lamopn-vpc-props/Vpc/FlowLog"
1079
- }
1080
- ]
1081
- }
1082
- },
1083
- "VpcFlowLogIAMRoleDefaultPolicy406FB995": {
1084
- "Type": "AWS::IAM::Policy",
1085
- "Properties": {
1086
- "PolicyDocument": {
1087
- "Statement": [
1088
- {
1089
- "Action": [
1090
- "logs:CreateLogStream",
1091
- "logs:PutLogEvents",
1092
- "logs:DescribeLogStreams"
1093
- ],
1094
- "Effect": "Allow",
1095
- "Resource": {
1096
- "Fn::GetAtt": [
1097
- "VpcFlowLogLogGroup7B5C56B9",
1098
- "Arn"
1099
- ]
1100
- }
1101
- },
1102
- {
1103
- "Action": "iam:PassRole",
1104
- "Effect": "Allow",
1105
- "Resource": {
1106
- "Fn::GetAtt": [
1107
- "VpcFlowLogIAMRole6A475D41",
1108
- "Arn"
1109
- ]
1110
- }
1111
- }
1112
- ],
1113
- "Version": "2012-10-17"
1114
- },
1115
- "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995",
1116
- "Roles": [
1117
- {
1118
- "Ref": "VpcFlowLogIAMRole6A475D41"
1119
- }
1120
- ]
1121
- }
1122
- },
1123
- "VpcFlowLogLogGroup7B5C56B9": {
1124
- "Type": "AWS::Logs::LogGroup",
1125
- "Properties": {
1126
- "RetentionInDays": 731,
1127
- "Tags": [
1128
- {
1129
- "Key": "Name",
1130
- "Value": "lamopn-vpc-props/Vpc/FlowLog"
1131
- }
1132
- ]
1133
- },
1134
- "UpdateReplacePolicy": "Retain",
1135
- "DeletionPolicy": "Retain",
1136
- "Metadata": {
1137
- "cfn_nag": {
1138
- "rules_to_suppress": [
1139
- {
1140
- "id": "W84",
1141
- "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)"
1142
- }
1143
- ]
1144
- }
1145
- }
1146
- },
1147
- "VpcFlowLog8FF33A73": {
1148
- "Type": "AWS::EC2::FlowLog",
1149
- "Properties": {
1150
- "DeliverLogsPermissionArn": {
1151
- "Fn::GetAtt": [
1152
- "VpcFlowLogIAMRole6A475D41",
1153
- "Arn"
1154
- ]
1155
- },
1156
- "LogDestinationType": "cloud-watch-logs",
1157
- "LogGroupName": {
1158
- "Ref": "VpcFlowLogLogGroup7B5C56B9"
1159
- },
1160
- "ResourceId": {
1161
- "Ref": "Vpc8378EB38"
1162
- },
1163
- "ResourceType": "VPC",
1164
- "Tags": [
1165
- {
1166
- "Key": "Name",
1167
- "Value": "lamopn-vpc-props/Vpc/FlowLog"
1168
- }
1169
- ],
1170
- "TrafficType": "ALL"
1171
- }
1172
- }
1173
- },
1174
- "Parameters": {
1175
- "BootstrapVersion": {
1176
- "Type": "AWS::SSM::Parameter::Value<String>",
1177
- "Default": "/cdk-bootstrap/hnb659fds/version",
1178
- "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
1179
- }
1180
- },
1181
- "Rules": {
1182
- "CheckBootstrapVersion": {
1183
- "Assertions": [
1184
- {
1185
- "Assert": {
1186
- "Fn::Not": [
1187
- {
1188
- "Fn::Contains": [
1189
- [
1190
- "1",
1191
- "2",
1192
- "3",
1193
- "4",
1194
- "5"
1195
- ],
1196
- {
1197
- "Ref": "BootstrapVersion"
1198
- }
1199
- ]
1200
- }
1201
- ]
1202
- },
1203
- "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
1204
- }
1205
- ]
1206
- }
1207
- }
1208
- }