def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# elastic policy
elastic_policy = iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"es:*",
],
resources=["*"],
)
elastic_policy.add_any_principal()
self.elastic_domain = aes.Domain(
self,
"elastic_domain",
version=aes.ElasticsearchVersion.V7_9,
capacity=aes.CapacityConfig(data_node_instance_type="t3.small.elasticsearch", data_nodes=1),
ebs=aes.EbsOptions(enabled=True, volume_size=10),
access_policies=[elastic_policy],
fine_grained_access_control=aes.AdvancedSecurityOptions(
master_user_name=config.get_es_credentials()[0],
master_user_password=core.SecretValue(config.get_es_credentials()[1]),
),
zone_awareness=aes.ZoneAwarenessConfig(enabled=False),
node_to_node_encryption=True,
encryption_at_rest=aes.EncryptionAtRestOptions(enabled=True),
enforce_https=True,
removal_policy=core.RemovalPolicy.DESTROY,
)
core.Tags.of(self.elastic_domain).add("system-id", config.get_system_id())
core.CfnOutput(self, "ESDomainEndpoint", value=self.elastic_domain.domain_endpoint)
def __init__(self, scope: core.Construct, id: str, config: Dict,
vpc: ec2.Vpc, es_sg: ec2.SecurityGroup) -> None:
super().__init__(scope, id)
es_config = config['data']['elasticsearch']
# Build ES domain construct parameter
capacity_config = es.CapacityConfig(
master_node_instance_type=es_config['capacity']['masterNodes']
['instanceType'],
master_nodes=es_config['capacity']['masterNodes']['count'],
data_node_instance_type=es_config['capacity']['dataNodes']
['instanceType'],
data_nodes=es_config['capacity']['dataNodes']['count'],
)
vpc_options = es.VpcOptions(
security_groups=[es_sg],
subnets=vpc.select_subnets(
subnet_group_name=es_config['subnetGroupName']).subnets,
)
ebs_options = es.EbsOptions(volume_size=es_config['ebs']['volumeSize'])
zone_awareness = es.ZoneAwarenessConfig(
availability_zone_count=es_config['zoneAwareness']['count'],
enabled=es_config['zoneAwareness']['enabled'],
)
logging_options = es.LoggingOptions(
app_log_enabled=es_config['logging']['appLogEnabled'],
audit_log_enabled=es_config['logging']['auditLogEnabled'],
slow_index_log_enabled=es_config['logging']['slowIndexLogEnabled'],
slow_search_log_enabled=es_config['logging']
['slowIearchLogEnabled'])
access_policy = iam.PolicyStatement(
effect=iam.Effect.ALLOW,
principals=[iam.AnyPrincipal()],
actions=['es:*'],
resources=[
"arn:aws:es:" + config['awsRegion'] + ":" +
config['awsAccount'] + ":domain/" + es_config['domainName'] +
"/*"
])
# Create ES domain
es.Domain(
self,
'Domain',
domain_name=es_config['domainName'],
version=es.ElasticsearchVersion.of(es_config['version']),
capacity=capacity_config,
ebs=ebs_options,
zone_awareness=zone_awareness,
vpc_options=vpc_options,
logging=logging_options,
access_policies=[access_policy],
)
def __init__(self, scope: core.Construct, id: str, datalake: DataLakeLayer,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
# self.encryption_key = kms.Key(
# self, 'EncryptionKey',
# removal_policy=core.RemovalPolicy.DESTROY,
# enable_key_rotation=True)
policy = iam.PolicyStatement(sid='Allow-by-IPAddress',
actions=['es:*'],
principals=[iam.AnyPrincipal()],
resources=['*'])
# Not supported with ES in Vpc mode.
# policy.add_condition('IpAddress',{
# 'aws:SourceIp':'74.102.88.0/24'
# })
self.security_group = ec2.SecurityGroup(
self,
'SecurityGroup',
vpc=datalake.vpc,
allow_all_outbound=True,
description='Elastic Search Security Group')
self.security_group.add_ingress_rule(peer=ec2.Peer.any_ipv4(),
connection=ec2.Port.all_traffic(),
description='Allow all')
self.search = es.Domain(
self,
'SearchCluster',
version=es.ElasticsearchVersion.V7_9,
enforce_https=True,
node_to_node_encryption=True,
capacity=es.CapacityConfig(
master_nodes=3,
#warm_nodes=len(self.vpc.availability_zones),
data_nodes=2 # len(self.vpc.availability_zones),
),
zone_awareness=es.ZoneAwarenessConfig(
availability_zone_count=2 #len(self.vpc.availability_zones)
),
# encryption_at_rest=es.EncryptionAtRestOptions(
# enabled=False,
# kms_key=self.encryption_key
# ),
vpc_options=es.VpcOptions(subnets=datalake.vpc.private_subnets,
security_groups=[self.security_group]),
logging=es.LoggingOptions(
app_log_enabled=True,
app_log_group=logs.LogGroup(
self,
'SearchAppLogGroup',
removal_policy=core.RemovalPolicy.DESTROY,
retention=logs.RetentionDays.ONE_MONTH),
audit_log_enabled=False,
audit_log_group=logs.LogGroup(
self,
'SearchAuditLogs',
removal_policy=core.RemovalPolicy.DESTROY,
retention=logs.RetentionDays.ONE_MONTH),
slow_index_log_enabled=True,
slow_index_log_group=logs.LogGroup(
self,
'SearchSlowIndex',
removal_policy=core.RemovalPolicy.DESTROY,
retention=logs.RetentionDays.ONE_MONTH),
),
access_policies=[policy])
# Configre the LinkedServiceRole to update the VPC
serviceLinkedRole = core.CfnResource(
self,
'LinkedServiceRole',
type="AWS::IAM::ServiceLinkedRole",
properties={
'AWSServiceName': "es.amazonaws.com",
'Description': "Role for ES to access resources in my VPC"
})
self.search.node.add_dependency(serviceLinkedRole)
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
role = iam.Role(
scope=self,
id='AwsCustomResourceRole',
assumed_by=iam.ServicePrincipal('lambda.amazonaws.com'))
role.add_to_policy(
iam.PolicyStatement(actions=['iam:PassRole'], resources=['*']))
my_custom_resource = cr.AwsCustomResource(
scope=self,
id='MyAwsCustomResource',
role=role,
policy=cr.AwsCustomResourcePolicy.from_sdk_calls(resources=['*']),
on_create=cr.AwsSdkCall(
action='listBuckets',
service='s3',
physical_resource_id=cr.PhysicalResourceId.of('BucketsList'),
))
vpc = VPCConstruct(self, id_='test-vpc', num_of_azs=2)
security_group = SecurityGroup(
self,
id='test-security-group',
vpc=vpc,
security_group_name='test-security-group')
security_group.add_ingress_rule(connection=Port.tcp(443),
peer=vpc.lambdas_sg)
domain = es.Domain(
scope=self,
id='Domain',
version=es.ElasticsearchVersion.V7_9,
domain_name="es-domain-name",
enable_version_upgrade=False,
enforce_https=True,
fine_grained_access_control=None,
node_to_node_encryption=True,
tls_security_policy=es.TLSSecurityPolicy.TLS_1_0,
logging=es.LoggingOptions(
app_log_enabled=True,
slow_index_log_enabled=True,
slow_search_log_enabled=True,
app_log_group=LogGroup(
scope=self,
id="app-log-group",
log_group_name=f'/aws/aes/domains/esdomain/app-log-group',
removal_policy=core.RemovalPolicy.DESTROY),
slow_index_log_group=LogGroup(
scope=self,
id="slow-index-log-group",
log_group_name=
f'/aws/aes/domains/esdomain/slow-index-log-group',
removal_policy=core.RemovalPolicy.DESTROY),
slow_search_log_group=LogGroup(
scope=self,
id="slow-search-log-group",
log_group_name=
f'/aws/aes/domains/esdomain/slow-search-log-group',
removal_policy=core.RemovalPolicy.DESTROY)),
removal_policy=core.RemovalPolicy.DESTROY,
zone_awareness=es.ZoneAwarenessConfig(availability_zone_count=2,
enabled=True),
vpc_options=es.VpcOptions(
security_groups=[security_group],
subnets=vpc.audit_vpc.select_subnets(
subnet_group_name=PRIVATE_SUBNET_GROUP).subnets))
def __init__(self, scope: core.Construct, id: str, VPC: ec2.Vpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
elastic_policy = iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"es:*",
],
resources=["*"],
)
elastic_policy.add_any_principal()
elastic_document = iam.PolicyDocument()
elastic_document.add_statements(elastic_policy)
appLog = logs.LogGroup(self,
"appLog",
log_group_name="/statement-demo/es/app",
removal_policy=core.RemovalPolicy.DESTROY,
retention=logs.RetentionDays.ONE_WEEK)
searchLog = logs.LogGroup(self,
"searchLog",
log_group_name="/statement-demo/es/search",
removal_policy=core.RemovalPolicy.DESTROY,
retention=logs.RetentionDays.ONE_WEEK)
indexLog = logs.LogGroup(self,
"indexLog",
log_group_name="/statement-demo/es/index",
removal_policy=core.RemovalPolicy.DESTROY,
retention=logs.RetentionDays.ONE_WEEK)
auditLog = logs.LogGroup(self,
"auditLog",
log_group_name="/statement-demo/es/audit",
removal_policy=core.RemovalPolicy.DESTROY,
retention=logs.RetentionDays.ONE_WEEK)
self.secret = sm.Secret(
self,
"masterUserSecret",
generate_secret_string=sm.SecretStringGenerator(
password_length=8,
exclude_characters="\"#$%&'()*+,./:;<=>?[\\]^_`{|}~",
),
removal_policy=core.RemovalPolicy.DESTROY,
)
self.domain = es.Domain(
self,
"elastic_domain",
version=es.ElasticsearchVersion.V7_7,
access_policies=[elastic_policy],
advanced_options=None,
capacity=es.CapacityConfig(
data_node_instance_type=self.node.try_get_context(
"elastic")['instanceType'],
data_nodes=self.node.try_get_context(
"elastic")['instanceCount'],
master_node_instance_type=self.node.try_get_context(
"elastic")['master']['type']
if self.node.try_get_context("elastic")['master']['dedicated']
else None,
master_nodes=self.node.try_get_context(
"elastic")['master']['count']
if self.node.try_get_context("elastic")['master']['dedicated']
else None),
domain_name="statement-demo",
ebs=es.EbsOptions(enabled=(not self.node.try_get_context("elastic")
['instanceType'].startswith("i3"))),
encryption_at_rest=es.EncryptionAtRestOptions(enabled=True),
enforce_https=True,
fine_grained_access_control=es.AdvancedSecurityOptions(
master_user_name="admin",
master_user_password=self.secret.secret_value),
logging=es.LoggingOptions(app_log_enabled=True,
app_log_group=appLog,
slow_index_log_enabled=True,
slow_index_log_group=indexLog,
slow_search_log_enabled=True,
slow_search_log_group=searchLog),
node_to_node_encryption=True,
tls_security_policy=es.TLSSecurityPolicy.TLS_1_2,
use_unsigned_basic_auth=True,
vpc_options=es.VpcOptions(security_groups=[],
subnets=VPC.private_subnets),
zone_awareness=es.ZoneAwarenessConfig(availability_zone_count=3,
enabled=True))