@aws-solutions-constructs/aws-lambda-opensearch 2.51.0 → 2.52.0

Files changed (79)
  1. package/.eslintignore +2 -0
  2. package/.jsii +49 -4
  3. package/integ.config.json +7 -0
  4. package/lib/index.js +1 -1
  5. package/package.json +9 -8
  6. package/test/integ.lamopn-cluster-config.js +6 -2
  7. package/test/integ.lamopn-cluster-config.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  8. package/test/integ.lamopn-cluster-config.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  9. package/test/integ.lamopn-cluster-config.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  10. package/test/integ.lamopn-cluster-config.js.snapshot/cdk.out +1 -0
  11. package/test/integ.lamopn-cluster-config.js.snapshot/integ.json +12 -0
  12. package/test/integ.lamopn-cluster-config.js.snapshot/lamopn-cluster-config.assets.json +45 -0
  13. package/test/integ.lamopn-cluster-config.js.snapshot/lamopn-cluster-config.template.json +1295 -0
  14. package/test/integ.lamopn-cluster-config.js.snapshot/lamopnclusterconfigIntegDefaultTestDeployAssertD8012D1A.assets.json +19 -0
  15. package/test/integ.lamopn-cluster-config.js.snapshot/lamopnclusterconfigIntegDefaultTestDeployAssertD8012D1A.template.json +36 -0
  16. package/test/integ.lamopn-cluster-config.js.snapshot/manifest.json +323 -0
  17. package/test/integ.lamopn-cluster-config.js.snapshot/tree.json +1795 -0
  18. package/test/integ.lamopn-disabled-zone-awareness.js +6 -2
  19. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  20. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  21. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  22. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/cdk.out +1 -0
  23. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/integ.json +12 -0
  24. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopn-disabled-zone-awareness.assets.json +45 -0
  25. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopn-disabled-zone-awareness.template.json +1228 -0
  26. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopndisabledzoneawarenessIntegDefaultTestDeployAssert7E083B68.assets.json +19 -0
  27. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopndisabledzoneawarenessIntegDefaultTestDeployAssert7E083B68.template.json +36 -0
  28. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/manifest.json +305 -0
  29. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/tree.json +1687 -0
  30. package/test/integ.lamopn-domain-arguments.js +5 -2
  31. package/test/integ.lamopn-domain-arguments.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  32. package/test/integ.lamopn-domain-arguments.js.snapshot/cdk.out +1 -0
  33. package/test/integ.lamopn-domain-arguments.js.snapshot/integ.json +12 -0
  34. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopn-domain-arguments.assets.json +32 -0
  35. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopn-domain-arguments.template.json +846 -0
  36. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopndomainargumentsIntegDefaultTestDeployAssert47534E1E.assets.json +19 -0
  37. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopndomainargumentsIntegDefaultTestDeployAssert47534E1E.template.json +36 -0
  38. package/test/integ.lamopn-domain-arguments.js.snapshot/manifest.json +233 -0
  39. package/test/integ.lamopn-domain-arguments.js.snapshot/tree.json +1256 -0
  40. package/test/integ.lamopn-existing-vpc.js +12 -6
  41. package/test/integ.lamopn-existing-vpc.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  42. package/test/integ.lamopn-existing-vpc.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  43. package/test/integ.lamopn-existing-vpc.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  44. package/test/integ.lamopn-existing-vpc.js.snapshot/cdk.out +1 -0
  45. package/test/integ.lamopn-existing-vpc.js.snapshot/integ.json +12 -0
  46. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopn-existing-vpc.assets.json +48 -0
  47. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopn-existing-vpc.template.json +1571 -0
  48. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopnexistingvpcIntegDefaultTestDeployAssert4A7EE058.assets.json +19 -0
  49. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopnexistingvpcIntegDefaultTestDeployAssert4A7EE058.template.json +36 -0
  50. package/test/integ.lamopn-existing-vpc.js.snapshot/manifest.json +419 -0
  51. package/test/integ.lamopn-existing-vpc.js.snapshot/tree.json +2207 -0
  52. package/test/integ.lamopn-no-arguments.js +5 -2
  53. package/test/integ.lamopn-no-arguments.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  54. package/test/integ.lamopn-no-arguments.js.snapshot/cdk.out +1 -0
  55. package/test/integ.lamopn-no-arguments.js.snapshot/integ.json +12 -0
  56. package/test/integ.lamopn-no-arguments.js.snapshot/lamopn-no-arguments.assets.json +32 -0
  57. package/test/integ.lamopn-no-arguments.js.snapshot/lamopn-no-arguments.template.json +846 -0
  58. package/test/integ.lamopn-no-arguments.js.snapshot/lamopnnoargumentsIntegDefaultTestDeployAssert4290A592.assets.json +19 -0
  59. package/test/integ.lamopn-no-arguments.js.snapshot/lamopnnoargumentsIntegDefaultTestDeployAssert4290A592.template.json +36 -0
  60. package/test/integ.lamopn-no-arguments.js.snapshot/manifest.json +233 -0
  61. package/test/integ.lamopn-no-arguments.js.snapshot/tree.json +1256 -0
  62. package/test/integ.lamopn-vpc-props.js +12 -6
  63. package/test/integ.lamopn-vpc-props.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  64. package/test/integ.lamopn-vpc-props.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  65. package/test/integ.lamopn-vpc-props.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  66. package/test/integ.lamopn-vpc-props.js.snapshot/cdk.out +1 -0
  67. package/test/integ.lamopn-vpc-props.js.snapshot/integ.json +12 -0
  68. package/test/integ.lamopn-vpc-props.js.snapshot/lamopn-vpc-props.assets.json +48 -0
  69. package/test/integ.lamopn-vpc-props.js.snapshot/lamopn-vpc-props.template.json +1287 -0
  70. package/test/integ.lamopn-vpc-props.js.snapshot/lamopnvpcpropsIntegDefaultTestDeployAssertC7FD49B0.assets.json +19 -0
  71. package/test/integ.lamopn-vpc-props.js.snapshot/lamopnvpcpropsIntegDefaultTestDeployAssertC7FD49B0.template.json +36 -0
  72. package/test/integ.lamopn-vpc-props.js.snapshot/manifest.json +323 -0
  73. package/test/integ.lamopn-vpc-props.js.snapshot/tree.json +1795 -0
  74. package/test/integ.lamopn-cluster-config.expected.json +0 -1153
  75. package/test/integ.lamopn-disabled-zone-awareness.expected.json +0 -1093
  76. package/test/integ.lamopn-domain-arguments.expected.json +0 -846
  77. package/test/integ.lamopn-existing-vpc.expected.json +0 -1602
  78. package/test/integ.lamopn-no-arguments.expected.json +0 -846
  79. package/test/integ.lamopn-vpc-props.expected.json +0 -1208
@@ -0,0 +1,846 @@
1
+ {
2
+ "Resources": {
3
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A": {
4
+ "Type": "AWS::IAM::Role",
5
+ "Properties": {
6
+ "AssumeRolePolicyDocument": {
7
+ "Statement": [
8
+ {
9
+ "Action": "sts:AssumeRole",
10
+ "Effect": "Allow",
11
+ "Principal": {
12
+ "Service": "lambda.amazonaws.com"
13
+ }
14
+ }
15
+ ],
16
+ "Version": "2012-10-17"
17
+ },
18
+ "Policies": [
19
+ {
20
+ "PolicyDocument": {
21
+ "Statement": [
22
+ {
23
+ "Action": [
24
+ "logs:CreateLogGroup",
25
+ "logs:CreateLogStream",
26
+ "logs:PutLogEvents"
27
+ ],
28
+ "Effect": "Allow",
29
+ "Resource": {
30
+ "Fn::Join": [
31
+ "",
32
+ [
33
+ "arn:",
34
+ {
35
+ "Ref": "AWS::Partition"
36
+ },
37
+ ":logs:",
38
+ {
39
+ "Ref": "AWS::Region"
40
+ },
41
+ ":",
42
+ {
43
+ "Ref": "AWS::AccountId"
44
+ },
45
+ ":log-group:/aws/lambda/*"
46
+ ]
47
+ ]
48
+ }
49
+ }
50
+ ],
51
+ "Version": "2012-10-17"
52
+ },
53
+ "PolicyName": "LambdaFunctionServiceRolePolicy"
54
+ }
55
+ ]
56
+ }
57
+ },
58
+ "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359": {
59
+ "Type": "AWS::IAM::Policy",
60
+ "Properties": {
61
+ "PolicyDocument": {
62
+ "Statement": [
63
+ {
64
+ "Action": [
65
+ "xray:PutTelemetryRecords",
66
+ "xray:PutTraceSegments"
67
+ ],
68
+ "Effect": "Allow",
69
+ "Resource": "*"
70
+ }
71
+ ],
72
+ "Version": "2012-10-17"
73
+ },
74
+ "PolicyName": "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359",
75
+ "Roles": [
76
+ {
77
+ "Ref": "testlambdaopensearchLambdaFunctionServiceRole4722AB8A"
78
+ }
79
+ ]
80
+ },
81
+ "Metadata": {
82
+ "cfn_nag": {
83
+ "rules_to_suppress": [
84
+ {
85
+ "id": "W12",
86
+ "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC."
87
+ }
88
+ ]
89
+ }
90
+ }
91
+ },
92
+ "testlambdaopensearchLambdaFunction93FD38F7": {
93
+ "Type": "AWS::Lambda::Function",
94
+ "Properties": {
95
+ "Code": {
96
+ "S3Bucket": {
97
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
98
+ },
99
+ "S3Key": "abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290.zip"
100
+ },
101
+ "Environment": {
102
+ "Variables": {
103
+ "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1",
104
+ "DOMAIN_ENDPOINT": {
105
+ "Fn::GetAtt": [
106
+ "testlambdaopensearchOpenSearchDomainF9CCC3D3",
107
+ "DomainEndpoint"
108
+ ]
109
+ }
110
+ }
111
+ },
112
+ "Handler": "index.handler",
113
+ "Role": {
114
+ "Fn::GetAtt": [
115
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
116
+ "Arn"
117
+ ]
118
+ },
119
+ "Runtime": "nodejs16.x",
120
+ "TracingConfig": {
121
+ "Mode": "Active"
122
+ }
123
+ },
124
+ "DependsOn": [
125
+ "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359",
126
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A"
127
+ ],
128
+ "Metadata": {
129
+ "cfn_nag": {
130
+ "rules_to_suppress": [
131
+ {
132
+ "id": "W58",
133
+ "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions."
134
+ },
135
+ {
136
+ "id": "W89",
137
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
138
+ },
139
+ {
140
+ "id": "W92",
141
+ "reason": "Impossible for us to define the correct concurrency for clients"
142
+ }
143
+ ]
144
+ }
145
+ }
146
+ },
147
+ "testlambdaopensearchCognitoUserPoolA09096F9": {
148
+ "Type": "AWS::Cognito::UserPool",
149
+ "Properties": {
150
+ "AccountRecoverySetting": {
151
+ "RecoveryMechanisms": [
152
+ {
153
+ "Name": "verified_phone_number",
154
+ "Priority": 1
155
+ },
156
+ {
157
+ "Name": "verified_email",
158
+ "Priority": 2
159
+ }
160
+ ]
161
+ },
162
+ "AdminCreateUserConfig": {
163
+ "AllowAdminCreateUserOnly": true
164
+ },
165
+ "EmailVerificationMessage": "The verification code to your new account is {####}",
166
+ "EmailVerificationSubject": "Verify your new account",
167
+ "SmsVerificationMessage": "The verification code to your new account is {####}",
168
+ "UserPoolAddOns": {
169
+ "AdvancedSecurityMode": "ENFORCED"
170
+ },
171
+ "VerificationMessageTemplate": {
172
+ "DefaultEmailOption": "CONFIRM_WITH_CODE",
173
+ "EmailMessage": "The verification code to your new account is {####}",
174
+ "EmailSubject": "Verify your new account",
175
+ "SmsMessage": "The verification code to your new account is {####}"
176
+ }
177
+ },
178
+ "UpdateReplacePolicy": "Retain",
179
+ "DeletionPolicy": "Retain"
180
+ },
181
+ "testlambdaopensearchCognitoUserPoolClient39C21D94": {
182
+ "Type": "AWS::Cognito::UserPoolClient",
183
+ "Properties": {
184
+ "AllowedOAuthFlows": [
185
+ "implicit",
186
+ "code"
187
+ ],
188
+ "AllowedOAuthFlowsUserPoolClient": true,
189
+ "AllowedOAuthScopes": [
190
+ "profile",
191
+ "phone",
192
+ "email",
193
+ "openid",
194
+ "aws.cognito.signin.user.admin"
195
+ ],
196
+ "CallbackURLs": [
197
+ "https://example.com"
198
+ ],
199
+ "SupportedIdentityProviders": [
200
+ "COGNITO"
201
+ ],
202
+ "UserPoolId": {
203
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
204
+ }
205
+ }
206
+ },
207
+ "testlambdaopensearchCognitoIdentityPool0B1FB311": {
208
+ "Type": "AWS::Cognito::IdentityPool",
209
+ "Properties": {
210
+ "AllowUnauthenticatedIdentities": false,
211
+ "CognitoIdentityProviders": [
212
+ {
213
+ "ClientId": {
214
+ "Ref": "testlambdaopensearchCognitoUserPoolClient39C21D94"
215
+ },
216
+ "ProviderName": {
217
+ "Fn::GetAtt": [
218
+ "testlambdaopensearchCognitoUserPoolA09096F9",
219
+ "ProviderName"
220
+ ]
221
+ },
222
+ "ServerSideTokenCheck": true
223
+ }
224
+ ]
225
+ }
226
+ },
227
+ "testlambdaopensearchUserPoolDomain98864920": {
228
+ "Type": "AWS::Cognito::UserPoolDomain",
229
+ "Properties": {
230
+ "Domain": {
231
+ "Fn::Join": [
232
+ "-",
233
+ [
234
+ "dn",
235
+ {
236
+ "Fn::Select": [
237
+ 4,
238
+ {
239
+ "Fn::Split": [
240
+ "-",
241
+ {
242
+ "Fn::Select": [
243
+ 2,
244
+ {
245
+ "Fn::Split": [
246
+ "/",
247
+ {
248
+ "Ref": "AWS::StackId"
249
+ }
250
+ ]
251
+ }
252
+ ]
253
+ }
254
+ ]
255
+ }
256
+ ]
257
+ }
258
+ ]
259
+ ]
260
+ },
261
+ "UserPoolId": {
262
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
263
+ }
264
+ },
265
+ "DependsOn": [
266
+ "testlambdaopensearchCognitoUserPoolA09096F9"
267
+ ]
268
+ },
269
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44": {
270
+ "Type": "AWS::IAM::Role",
271
+ "Properties": {
272
+ "AssumeRolePolicyDocument": {
273
+ "Statement": [
274
+ {
275
+ "Action": "sts:AssumeRoleWithWebIdentity",
276
+ "Condition": {
277
+ "StringEquals": {
278
+ "cognito-identity.amazonaws.com:aud": {
279
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
280
+ }
281
+ },
282
+ "ForAnyValue:StringLike": {
283
+ "cognito-identity.amazonaws.com:amr": "authenticated"
284
+ }
285
+ },
286
+ "Effect": "Allow",
287
+ "Principal": {
288
+ "Federated": "cognito-identity.amazonaws.com"
289
+ }
290
+ }
291
+ ],
292
+ "Version": "2012-10-17"
293
+ },
294
+ "Policies": [
295
+ {
296
+ "PolicyDocument": {
297
+ "Statement": [
298
+ {
299
+ "Action": "es:ESHttp*",
300
+ "Effect": "Allow",
301
+ "Resource": {
302
+ "Fn::Join": [
303
+ "",
304
+ [
305
+ "arn:",
306
+ {
307
+ "Ref": "AWS::Partition"
308
+ },
309
+ ":es:",
310
+ {
311
+ "Ref": "AWS::Region"
312
+ },
313
+ ":",
314
+ {
315
+ "Ref": "AWS::AccountId"
316
+ },
317
+ ":domain/",
318
+ {
319
+ "Fn::Join": [
320
+ "-",
321
+ [
322
+ "dn",
323
+ {
324
+ "Fn::Select": [
325
+ 4,
326
+ {
327
+ "Fn::Split": [
328
+ "-",
329
+ {
330
+ "Fn::Select": [
331
+ 2,
332
+ {
333
+ "Fn::Split": [
334
+ "/",
335
+ {
336
+ "Ref": "AWS::StackId"
337
+ }
338
+ ]
339
+ }
340
+ ]
341
+ }
342
+ ]
343
+ }
344
+ ]
345
+ }
346
+ ]
347
+ ]
348
+ },
349
+ "/*"
350
+ ]
351
+ ]
352
+ }
353
+ }
354
+ ],
355
+ "Version": "2012-10-17"
356
+ },
357
+ "PolicyName": "CognitoAccessPolicy"
358
+ }
359
+ ]
360
+ }
361
+ },
362
+ "testlambdaopensearchIdentityPoolRoleMappingD8C765B1": {
363
+ "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
364
+ "Properties": {
365
+ "IdentityPoolId": {
366
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
367
+ },
368
+ "Roles": {
369
+ "authenticated": {
370
+ "Fn::GetAtt": [
371
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44",
372
+ "Arn"
373
+ ]
374
+ }
375
+ }
376
+ }
377
+ },
378
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A": {
379
+ "Type": "AWS::IAM::Role",
380
+ "Properties": {
381
+ "AssumeRolePolicyDocument": {
382
+ "Statement": [
383
+ {
384
+ "Action": "sts:AssumeRole",
385
+ "Effect": "Allow",
386
+ "Principal": {
387
+ "Service": "es.amazonaws.com"
388
+ }
389
+ }
390
+ ],
391
+ "Version": "2012-10-17"
392
+ }
393
+ }
394
+ },
395
+ "testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2": {
396
+ "Type": "AWS::IAM::Policy",
397
+ "Properties": {
398
+ "PolicyDocument": {
399
+ "Statement": [
400
+ {
401
+ "Action": [
402
+ "cognito-identity:DescribeIdentityPool",
403
+ "cognito-identity:GetIdentityPoolRoles",
404
+ "cognito-identity:SetIdentityPoolRoles",
405
+ "cognito-identity:UpdateIdentityPool",
406
+ "cognito-idp:AdminInitiateAuth",
407
+ "cognito-idp:AdminUserGlobalSignOut",
408
+ "cognito-idp:CreateUserPoolClient",
409
+ "cognito-idp:DeleteUserPoolClient",
410
+ "cognito-idp:DescribeUserPool",
411
+ "cognito-idp:DescribeUserPoolClient",
412
+ "cognito-idp:ListUserPoolClients",
413
+ "es:UpdateDomainConfig"
414
+ ],
415
+ "Effect": "Allow",
416
+ "Resource": [
417
+ {
418
+ "Fn::GetAtt": [
419
+ "testlambdaopensearchCognitoUserPoolA09096F9",
420
+ "Arn"
421
+ ]
422
+ },
423
+ {
424
+ "Fn::Join": [
425
+ "",
426
+ [
427
+ "arn:",
428
+ {
429
+ "Ref": "AWS::Partition"
430
+ },
431
+ ":cognito-identity:",
432
+ {
433
+ "Ref": "AWS::Region"
434
+ },
435
+ ":",
436
+ {
437
+ "Ref": "AWS::AccountId"
438
+ },
439
+ ":identitypool/",
440
+ {
441
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
442
+ }
443
+ ]
444
+ ]
445
+ },
446
+ {
447
+ "Fn::Join": [
448
+ "",
449
+ [
450
+ "arn:",
451
+ {
452
+ "Ref": "AWS::Partition"
453
+ },
454
+ ":es:",
455
+ {
456
+ "Ref": "AWS::Region"
457
+ },
458
+ ":",
459
+ {
460
+ "Ref": "AWS::AccountId"
461
+ },
462
+ ":domain/",
463
+ {
464
+ "Fn::Join": [
465
+ "-",
466
+ [
467
+ "dn",
468
+ {
469
+ "Fn::Select": [
470
+ 4,
471
+ {
472
+ "Fn::Split": [
473
+ "-",
474
+ {
475
+ "Fn::Select": [
476
+ 2,
477
+ {
478
+ "Fn::Split": [
479
+ "/",
480
+ {
481
+ "Ref": "AWS::StackId"
482
+ }
483
+ ]
484
+ }
485
+ ]
486
+ }
487
+ ]
488
+ }
489
+ ]
490
+ }
491
+ ]
492
+ ]
493
+ }
494
+ ]
495
+ ]
496
+ }
497
+ ]
498
+ },
499
+ {
500
+ "Action": "iam:PassRole",
501
+ "Condition": {
502
+ "StringLike": {
503
+ "iam:PassedToService": "cognito-identity.amazonaws.com"
504
+ }
505
+ },
506
+ "Effect": "Allow",
507
+ "Resource": {
508
+ "Fn::GetAtt": [
509
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A",
510
+ "Arn"
511
+ ]
512
+ }
513
+ }
514
+ ],
515
+ "Version": "2012-10-17"
516
+ },
517
+ "PolicyName": "testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2",
518
+ "Roles": [
519
+ {
520
+ "Ref": "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A"
521
+ }
522
+ ]
523
+ }
524
+ },
525
+ "testlambdaopensearchOpenSearchDomainF9CCC3D3": {
526
+ "Type": "AWS::OpenSearchService::Domain",
527
+ "Properties": {
528
+ "AccessPolicies": {
529
+ "Statement": [
530
+ {
531
+ "Action": "es:ESHttp*",
532
+ "Effect": "Allow",
533
+ "Principal": {
534
+ "AWS": [
535
+ {
536
+ "Fn::GetAtt": [
537
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44",
538
+ "Arn"
539
+ ]
540
+ },
541
+ {
542
+ "Fn::GetAtt": [
543
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
544
+ "Arn"
545
+ ]
546
+ }
547
+ ]
548
+ },
549
+ "Resource": {
550
+ "Fn::Join": [
551
+ "",
552
+ [
553
+ "arn:",
554
+ {
555
+ "Ref": "AWS::Partition"
556
+ },
557
+ ":es:",
558
+ {
559
+ "Ref": "AWS::Region"
560
+ },
561
+ ":",
562
+ {
563
+ "Ref": "AWS::AccountId"
564
+ },
565
+ ":domain/",
566
+ {
567
+ "Fn::Join": [
568
+ "-",
569
+ [
570
+ "dn",
571
+ {
572
+ "Fn::Select": [
573
+ 4,
574
+ {
575
+ "Fn::Split": [
576
+ "-",
577
+ {
578
+ "Fn::Select": [
579
+ 2,
580
+ {
581
+ "Fn::Split": [
582
+ "/",
583
+ {
584
+ "Ref": "AWS::StackId"
585
+ }
586
+ ]
587
+ }
588
+ ]
589
+ }
590
+ ]
591
+ }
592
+ ]
593
+ }
594
+ ]
595
+ ]
596
+ },
597
+ "/*"
598
+ ]
599
+ ]
600
+ }
601
+ }
602
+ ],
603
+ "Version": "2012-10-17"
604
+ },
605
+ "ClusterConfig": {
606
+ "DedicatedMasterCount": 3,
607
+ "DedicatedMasterEnabled": true,
608
+ "InstanceCount": 2,
609
+ "ZoneAwarenessConfig": {
610
+ "AvailabilityZoneCount": 2
611
+ },
612
+ "ZoneAwarenessEnabled": true
613
+ },
614
+ "CognitoOptions": {
615
+ "Enabled": true,
616
+ "IdentityPoolId": {
617
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
618
+ },
619
+ "RoleArn": {
620
+ "Fn::GetAtt": [
621
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A",
622
+ "Arn"
623
+ ]
624
+ },
625
+ "UserPoolId": {
626
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
627
+ }
628
+ },
629
+ "DomainEndpointOptions": {
630
+ "EnforceHTTPS": true,
631
+ "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
632
+ },
633
+ "DomainName": {
634
+ "Fn::Join": [
635
+ "-",
636
+ [
637
+ "dn",
638
+ {
639
+ "Fn::Select": [
640
+ 4,
641
+ {
642
+ "Fn::Split": [
643
+ "-",
644
+ {
645
+ "Fn::Select": [
646
+ 2,
647
+ {
648
+ "Fn::Split": [
649
+ "/",
650
+ {
651
+ "Ref": "AWS::StackId"
652
+ }
653
+ ]
654
+ }
655
+ ]
656
+ }
657
+ ]
658
+ }
659
+ ]
660
+ }
661
+ ]
662
+ ]
663
+ },
664
+ "EBSOptions": {
665
+ "EBSEnabled": true,
666
+ "VolumeSize": 10
667
+ },
668
+ "EncryptionAtRestOptions": {
669
+ "Enabled": true
670
+ },
671
+ "EngineVersion": "OpenSearch_1.3",
672
+ "NodeToNodeEncryptionOptions": {
673
+ "Enabled": true
674
+ },
675
+ "SnapshotOptions": {
676
+ "AutomatedSnapshotStartHour": 1
677
+ }
678
+ },
679
+ "Metadata": {
680
+ "cfn_nag": {
681
+ "rules_to_suppress": [
682
+ {
683
+ "id": "W28",
684
+ "reason": "The OpenSearch Service domain is passed dynamically as as parameter and explicitly specified to ensure that IAM policies are configured to lockdown access to this specific OpenSearch Service instance only"
685
+ },
686
+ {
687
+ "id": "W90",
688
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
689
+ }
690
+ ]
691
+ }
692
+ }
693
+ },
694
+ "testlambdaopensearchStatusRedAlarm1627144D": {
695
+ "Type": "AWS::CloudWatch::Alarm",
696
+ "Properties": {
697
+ "AlarmDescription": "At least one primary shard and its replicas are not allocated to a node. ",
698
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
699
+ "EvaluationPeriods": 1,
700
+ "MetricName": "ClusterStatus.red",
701
+ "Namespace": "AWS/ES",
702
+ "Period": 60,
703
+ "Statistic": "Maximum",
704
+ "Threshold": 1
705
+ }
706
+ },
707
+ "testlambdaopensearchStatusYellowAlarm57139CF0": {
708
+ "Type": "AWS::CloudWatch::Alarm",
709
+ "Properties": {
710
+ "AlarmDescription": "At least one replica shard is not allocated to a node.",
711
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
712
+ "EvaluationPeriods": 1,
713
+ "MetricName": "ClusterStatus.yellow",
714
+ "Namespace": "AWS/ES",
715
+ "Period": 60,
716
+ "Statistic": "Maximum",
717
+ "Threshold": 1
718
+ }
719
+ },
720
+ "testlambdaopensearchFreeStorageSpaceTooLowAlarm6A5E1E96": {
721
+ "Type": "AWS::CloudWatch::Alarm",
722
+ "Properties": {
723
+ "AlarmDescription": "A node in your cluster is down to 20 GiB of free storage space.",
724
+ "ComparisonOperator": "LessThanOrEqualToThreshold",
725
+ "EvaluationPeriods": 1,
726
+ "MetricName": "FreeStorageSpace",
727
+ "Namespace": "AWS/ES",
728
+ "Period": 60,
729
+ "Statistic": "Minimum",
730
+ "Threshold": 20000
731
+ }
732
+ },
733
+ "testlambdaopensearchIndexWritesBlockedTooHighAlarmD2E041A3": {
734
+ "Type": "AWS::CloudWatch::Alarm",
735
+ "Properties": {
736
+ "AlarmDescription": "Your cluster is blocking write requests.",
737
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
738
+ "EvaluationPeriods": 1,
739
+ "MetricName": "ClusterIndexWritesBlocked",
740
+ "Namespace": "AWS/ES",
741
+ "Period": 300,
742
+ "Statistic": "Maximum",
743
+ "Threshold": 1
744
+ }
745
+ },
746
+ "testlambdaopensearchAutomatedSnapshotFailureTooHighAlarm9A4D0B1F": {
747
+ "Type": "AWS::CloudWatch::Alarm",
748
+ "Properties": {
749
+ "AlarmDescription": "An automated snapshot failed. This failure is often the result of a red cluster health status.",
750
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
751
+ "EvaluationPeriods": 1,
752
+ "MetricName": "AutomatedSnapshotFailure",
753
+ "Namespace": "AWS/ES",
754
+ "Period": 60,
755
+ "Statistic": "Maximum",
756
+ "Threshold": 1
757
+ }
758
+ },
759
+ "testlambdaopensearchCPUUtilizationTooHighAlarmC4850758": {
760
+ "Type": "AWS::CloudWatch::Alarm",
761
+ "Properties": {
762
+ "AlarmDescription": "100% CPU utilization is not uncommon, but sustained high usage is problematic. Consider using larger instance types or adding instances.",
763
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
764
+ "EvaluationPeriods": 3,
765
+ "MetricName": "CPUUtilization",
766
+ "Namespace": "AWS/ES",
767
+ "Period": 900,
768
+ "Statistic": "Average",
769
+ "Threshold": 80
770
+ }
771
+ },
772
+ "testlambdaopensearchJVMMemoryPressureTooHighAlarmEFB09A7C": {
773
+ "Type": "AWS::CloudWatch::Alarm",
774
+ "Properties": {
775
+ "AlarmDescription": "Average JVM memory pressure over last 15 minutes too high. Consider scaling vertically.",
776
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
777
+ "EvaluationPeriods": 1,
778
+ "MetricName": "JVMMemoryPressure",
779
+ "Namespace": "AWS/ES",
780
+ "Period": 900,
781
+ "Statistic": "Average",
782
+ "Threshold": 80
783
+ }
784
+ },
785
+ "testlambdaopensearchMasterCPUUtilizationTooHighAlarm124D5748": {
786
+ "Type": "AWS::CloudWatch::Alarm",
787
+ "Properties": {
788
+ "AlarmDescription": "Average CPU utilization over last 45 minutes too high. Consider using larger instance types for your dedicated master nodes.",
789
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
790
+ "EvaluationPeriods": 3,
791
+ "MetricName": "MasterCPUUtilization",
792
+ "Namespace": "AWS/ES",
793
+ "Period": 900,
794
+ "Statistic": "Average",
795
+ "Threshold": 50
796
+ }
797
+ },
798
+ "testlambdaopensearchMasterJVMMemoryPressureTooHighAlarmBC9524D3": {
799
+ "Type": "AWS::CloudWatch::Alarm",
800
+ "Properties": {
801
+ "AlarmDescription": "Average JVM memory pressure over last 15 minutes too high. Consider scaling vertically.",
802
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
803
+ "EvaluationPeriods": 1,
804
+ "MetricName": "MasterJVMMemoryPressure",
805
+ "Namespace": "AWS/ES",
806
+ "Period": 900,
807
+ "Statistic": "Average",
808
+ "Threshold": 50
809
+ }
810
+ }
811
+ },
812
+ "Parameters": {
813
+ "BootstrapVersion": {
814
+ "Type": "AWS::SSM::Parameter::Value<String>",
815
+ "Default": "/cdk-bootstrap/hnb659fds/version",
816
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
817
+ }
818
+ },
819
+ "Rules": {
820
+ "CheckBootstrapVersion": {
821
+ "Assertions": [
822
+ {
823
+ "Assert": {
824
+ "Fn::Not": [
825
+ {
826
+ "Fn::Contains": [
827
+ [
828
+ "1",
829
+ "2",
830
+ "3",
831
+ "4",
832
+ "5"
833
+ ],
834
+ {
835
+ "Ref": "BootstrapVersion"
836
+ }
837
+ ]
838
+ }
839
+ ]
840
+ },
841
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
842
+ }
843
+ ]
844
+ }
845
+ }
846
+ }
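Review bot: Both the domain's `AccessPolicies` statement and the `CognitoAccessPolicy` on the authenticated role allow `es:ESHttp*` on `domain/<name>/*`, and the domain properties show no `AdvancedSecurityOptions`, so the Lambda role and every signed-in identity from the pool can use any HTTP verb, including delete, on any index. This is a synthesized snapshot, so the change presumably belongs in the construct defaults: list only the verbs each principal needs, e.g. `"Action": ["es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]` for the function role. The user pool client also enables the `implicit` flow next to `code`; `"AllowedOAuthFlows": ["code"]` keeps tokens out of the redirect URL. Separately, the nine `AWS::CloudWatch::Alarm` resources have no `Dimensions` and no `AlarmActions`, so as written they are not bound to this domain's `AWS/ES` metrics and would notify no one.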