daniel/agent-claw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f17bbd2c377cd52b9291bf5d08aa7fc8e35519c
agent-claw/cdk/node_modules/aws-cdk-lib/aws-opensearchservice/lib/domain.d.ts
daniel 732b00fb66 agent-claw: automated task changes
2026-05-06 18:55:16 -05:00

1182 lines
40 KiB
TypeScript
Raw Blame History

import type { Construct } from 'constructs';
import { DomainGrants } from './opensearchservice-grants.generated';
import type { DomainReference, IDomainRef } from './opensearchservice.generated';
import type { EngineVersion } from './version';
import type { MetricOptions } from '../../aws-cloudwatch';
import { Metric } from '../../aws-cloudwatch';
import * as ec2 from '../../aws-ec2';
import * as iam from '../../aws-iam';
import type * as kms from '../../aws-kms';
import * as logs from '../../aws-logs';
import * as route53 from '../../aws-route53';
import * as cdk from '../../core';
import type { ICertificateRef } from '../../interfaces/generated/aws-certificatemanager-interfaces.generated';
/**
* Configures the capacity of the cluster such as the instance type and the
* number of instances.
*/
export interface CapacityConfig {
/**
* The number of instances to use for the master node.
*
* @default - no dedicated master nodes
*/
readonly masterNodes?: number;
/**
* The hardware configuration of the computer that hosts the dedicated master
* node, such as `m3.medium.search`. For valid values, see [Supported
* Instance Types](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html)
* in the Amazon OpenSearch Service Developer Guide.
*
* @default - r5.large.search
*/
readonly masterNodeInstanceType?: string;
/**
* The number of data nodes (instances) to use in the Amazon OpenSearch Service domain.
*
* @default - 1
*/
readonly dataNodes?: number;
/**
* The instance type for your data nodes, such as
* `m3.medium.search`. For valid values, see [Supported Instance
* Types](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html)
* in the Amazon OpenSearch Service Developer Guide.
*
* @default - r5.large.search
*/
readonly dataNodeInstanceType?: string;
/**
* The number of UltraWarm nodes (instances) to use in the Amazon OpenSearch Service domain.
*
* @default - no UltraWarm nodes
*/
readonly warmNodes?: number;
/**
* The instance type for your UltraWarm node, such as `ultrawarm1.medium.search`.
* For valid values, see [UltraWarm Storage
* Limits](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#limits-ultrawarm)
* in the Amazon OpenSearch Service Developer Guide.
*
* @default - ultrawarm1.medium.search
*/
readonly warmInstanceType?: string;
/**
* Indicates whether Multi-AZ with Standby deployment option is enabled.
* For more information, see [Multi-AZ with
* Standby](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-multiaz.html#managedomains-za-standby)
*
* @default - multi-az with standby if the feature flag `ENABLE_OPENSEARCH_MULTIAZ_WITH_STANDBY`
* is true, no multi-az with standby otherwise
*/
readonly multiAzWithStandbyEnabled?: boolean;
/**
* Additional node options for the domain
*
* @default - no additional node options
*/
readonly nodeOptions?: NodeOptions[];
}
/**
* Specifies zone awareness configuration options.
*/
export interface ZoneAwarenessConfig {
/**
* Indicates whether to enable zone awareness for the Amazon OpenSearch Service domain.
* When you enable zone awareness, Amazon OpenSearch Service allocates the nodes and replica
* index shards that belong to a cluster across two Availability Zones (AZs)
* in the same region to prevent data loss and minimize downtime in the event
* of node or data center failure. Don't enable zone awareness if your cluster
* has no replica index shards or is a single-node cluster. For more information,
* see [Configuring a Multi-AZ Domain](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-multiaz.html)
* in the Amazon OpenSearch Service Developer Guide.
*
* @default - false
*/
readonly enabled?: boolean;
/**
* If you enabled multiple Availability Zones (AZs), the number of AZs that you
* want the domain to use. Valid values are 2 and 3.
*
* @default - 2 if zone awareness is enabled.
*/
readonly availabilityZoneCount?: number;
}
/**
* The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that
* are attached to data nodes in the Amazon OpenSearch Service domain. For more information, see
* [Amazon EBS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html)
* in the Amazon Elastic Compute Cloud Developer Guide.
*/
export interface EbsOptions {
/**
* Specifies whether Amazon EBS volumes are attached to data nodes in the
* Amazon OpenSearch Service domain.
*
* @default - true
*/
readonly enabled?: boolean;
/**
* The number of I/O operations per second (IOPS) that the volume
* supports. This property applies only to the gp3 and Provisioned IOPS (SSD) EBS
* volume type.
*
* @default - iops are not set.
*/
readonly iops?: number;
/**
* The throughput (in MiB/s) of the EBS volumes attached to data nodes.
* This property applies only to the gp3 volume type.
*
* @default - throughput is not set.
*/
readonly throughput?: number;
/**
* The size (in GiB) of the EBS volume for each data node. The minimum and
* maximum size of an EBS volume depends on the EBS volume type and the
* instance type to which it is attached. For valid values, see
* [EBS volume size limits](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#ebsresource)
* in the Amazon OpenSearch Service Developer Guide.
*
* @default 10
*/
readonly volumeSize?: number;
/**
* The EBS volume type to use with the Amazon OpenSearch Service domain, such as standard, gp2, io1.
*
* @default gp2
*/
readonly volumeType?: ec2.EbsDeviceVolumeType;
}
/**
* Configures log settings for the domain.
*/
export interface LoggingOptions {
/**
* Specify if slow search logging should be set up.
* Requires Elasticsearch version 5.1 or later or OpenSearch version 1.0 or later.
* An explicit `false` is required when disabling it from `true`.
*
* @default - false
*/
readonly slowSearchLogEnabled?: boolean;
/**
* Log slow searches to this log group.
*
* @default - a new log group is created if slow search logging is enabled
*/
readonly slowSearchLogGroup?: logs.ILogGroupRef;
/**
* Specify if slow index logging should be set up.
* Requires Elasticsearch version 5.1 or later or OpenSearch version 1.0 or later.
* An explicit `false` is required when disabling it from `true`.
*
* @default - false
*/
readonly slowIndexLogEnabled?: boolean;
/**
* Log slow indices to this log group.
*
* @default - a new log group is created if slow index logging is enabled
*/
readonly slowIndexLogGroup?: logs.ILogGroupRef;
/**
* Specify if Amazon OpenSearch Service application logging should be set up.
* Requires Elasticsearch version 5.1 or later or OpenSearch version 1.0 or later.
* An explicit `false` is required when disabling it from `true`.
*
* @default - false
*/
readonly appLogEnabled?: boolean;
/**
* Log Amazon OpenSearch Service application logs to this log group.
*
* @default - a new log group is created if app logging is enabled
*/
readonly appLogGroup?: logs.ILogGroupRef;
/**
* Specify if Amazon OpenSearch Service audit logging should be set up.
* Requires Elasticsearch version 6.7 or later or OpenSearch version 1.0 or later and fine grained access control to be enabled.
*
* @default - false
*/
readonly auditLogEnabled?: boolean;
/**
* Log Amazon OpenSearch Service audit logs to this log group.
*
* @default - a new log group is created if audit logging is enabled
*/
readonly auditLogGroup?: logs.ILogGroupRef;
}
/**
* Whether the domain should encrypt data at rest, and if so, the AWS Key
* Management Service (KMS) key to use. Can only be used to create a new domain,
* not update an existing one. Requires Elasticsearch version 5.1 or later or OpenSearch version 1.0 or later.
*/
export interface EncryptionAtRestOptions {
/**
* Specify true to enable encryption at rest.
*
* @default - encryption at rest is disabled.
*/
readonly enabled?: boolean;
/**
* Supply if using KMS key for encryption at rest.
*
* @default - uses default aws/es KMS key.
*/
readonly kmsKey?: kms.IKeyRef;
}
/**
* Configures Amazon OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.
* @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cognito-auth.html
*/
export interface CognitoOptions {
/**
* The Amazon Cognito identity pool ID that you want Amazon OpenSearch Service to use for OpenSearch Dashboards authentication.
*/
readonly identityPoolId: string;
/**
* A role that allows Amazon OpenSearch Service to configure your user pool and identity pool. It must have the `AmazonESCognitoAccess` policy attached to it.
*
* @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cognito-auth.html#cognito-auth-prereq
*/
readonly role: iam.IRoleRef;
/**
* The Amazon Cognito user pool ID that you want Amazon OpenSearch Service to use for OpenSearch Dashboards authentication.
*/
readonly userPoolId: string;
}
/**
* The minimum TLS version required for traffic to the domain.
*/
export declare enum TLSSecurityPolicy {
/** Cipher suite TLS 1.0 */
TLS_1_0 = "Policy-Min-TLS-1-0-2019-07",
/** Cipher suite TLS 1.2 */
TLS_1_2 = "Policy-Min-TLS-1-2-2019-07",
/** Cipher suite TLS 1.2 to 1.3 with perfect forward secrecy (PFS) */
TLS_1_2_PFS = "Policy-Min-TLS-1-2-PFS-2023-10"
}
/**
* Container for information about the SAML configuration for OpenSearch Dashboards.
*/
export interface SAMLOptionsProperty {
/**
* The unique entity ID of the application in the SAML identity provider.
*/
readonly idpEntityId: string;
/**
* The metadata of the SAML application, in XML format.
*/
readonly idpMetadataContent: string;
/**
* The SAML master username, which is stored in the domain's internal user database.
* This SAML user receives full permission in OpenSearch Dashboards/Kibana.
* Creating a new master username does not delete any existing master usernames.
*
* @default - No master user name is configured
*/
readonly masterUserName?: string;
/**
* The backend role that the SAML master user is mapped to.
* Any users with this backend role receives full permission in OpenSearch Dashboards/Kibana.
* To use a SAML master backend role, configure the `rolesKey` property.
*
* @default - The master user is not mapped to a backend role
*/
readonly masterBackendRole?: string;
/**
* Element of the SAML assertion to use for backend roles.
*
* @default - roles
*/
readonly rolesKey?: string;
/**
* Element of the SAML assertion to use for the user name.
*
* @default - NameID element of the SAML assertion fot the user name
*/
readonly subjectKey?: string;
/**
* The duration, in minutes, after which a user session becomes inactive.
*
* @default - 60
*/
readonly sessionTimeoutMinutes?: number;
}
/**
* Specifies options for fine-grained access control.
*/
export interface AdvancedSecurityOptions {
/**
* ARN for the master user. Only specify this or masterUserName, but not both.
*
* @default - fine-grained access control is disabled
*/
readonly masterUserArn?: string;
/**
* Username for the master user. Only specify this or masterUserArn, but not both.
*
* @default - fine-grained access control is disabled
*/
readonly masterUserName?: string;
/**
* Password for the master user.
*
* You can use `SecretValue.unsafePlainText` to specify a password in plain text or
* use `secretsmanager.Secret.fromSecretAttributes` to reference a secret in
* Secrets Manager.
*
* @default - A Secrets Manager generated password
*/
readonly masterUserPassword?: cdk.SecretValue;
/**
* True to enable SAML authentication for a domain.
*
* @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html
*
* @default - SAML authentication is disabled. Enabled if `samlAuthenticationOptions` is set.
*/
readonly samlAuthenticationEnabled?: boolean;
/**
* Container for information about the SAML configuration for OpenSearch Dashboards.
* If set, `samlAuthenticationEnabled` will be enabled.
*
* @default - no SAML authentication options
*/
readonly samlAuthenticationOptions?: SAMLOptionsProperty;
}
/**
* Configures a custom domain endpoint for the Amazon OpenSearch Service domain
*/
export interface CustomEndpointOptions {
/**
* The custom domain name to assign
*/
readonly domainName: string;
/**
* The certificate to use
* @default - create a new one
*/
readonly certificate?: ICertificateRef;
/**
* The hosted zone in Route53 to create the CNAME record in
* @default - do not create a CNAME
*/
readonly hostedZone?: route53.IHostedZone;
}
export interface WindowStartTime {
/**
* The start hour of the window in Coordinated Universal Time (UTC), using 24-hour time.
* For example, 17 refers to 5:00 P.M. UTC.
*
* @default - 22
*/
readonly hours: number;
/**
* The start minute of the window, in UTC.
*
* @default - 0
*/
readonly minutes: number;
}
/**
* The IP address type for the domain.
*/
export declare enum IpAddressType {
/**
* IPv4 addresses only
*/
IPV4 = "ipv4",
/**
* IPv4 and IPv6 addresses
*/
DUAL_STACK = "dualstack"
}
/**
* Configuration for a specific node type in OpenSearch domain
*/
export interface NodeConfig {
/**
* Whether this node type is enabled
*
* @default - false
*/
readonly enabled?: boolean;
/**
* The instance type for the nodes
*
* @default - m5.large.search
*/
readonly type?: string;
/**
* The number of nodes of this type
*
* @default - 1
*/
readonly count?: number;
}
/**
* NodeType is a string enum of the node types in OpenSearch domain
*
*/
export declare enum NodeType {
/**
* Coordinator node type
*/
COORDINATOR = "coordinator"
}
/**
* Configuration for node options in OpenSearch domain
*/
export interface NodeOptions {
/**
* The type of node. Currently only 'coordinator' is supported.
*/
readonly nodeType: NodeType;
/**
* Configuration for the node type
*/
readonly nodeConfig: NodeConfig;
}
/**
* Properties for an Amazon OpenSearch Service domain.
*/
export interface DomainProps {
/**
* Domain access policies.
*
* @default - No access policies.
*/
readonly accessPolicies?: iam.PolicyStatement[];
/**
* Additional options to specify for the Amazon OpenSearch Service domain.
*
* @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html#createdomain-configure-advanced-options
* @default - no advanced options are specified
*/
readonly advancedOptions?: {
[key: string]: (string);
};
/**
* Configures Amazon OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.
*
* @default - Cognito not used for authentication to OpenSearch Dashboards.
*/
readonly cognitoDashboardsAuth?: CognitoOptions;
/**
* Enforces a particular physical domain name.
*
* @default - A name will be auto-generated.
*/
readonly domainName?: string;
/**
* The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that
* are attached to data nodes in the Amazon OpenSearch Service domain.
*
* @default - 10 GiB General Purpose (SSD) volumes per node.
*/
readonly ebs?: EbsOptions;
/**
* The cluster capacity configuration for the Amazon OpenSearch Service domain.
*
* @default - 1 r5.large.search data node; no dedicated master nodes.
*/
readonly capacity?: CapacityConfig;
/**
* The cluster zone awareness configuration for the Amazon OpenSearch Service domain.
*
* @default - no zone awareness (1 AZ)
*/
readonly zoneAwareness?: ZoneAwarenessConfig;
/**
* The Elasticsearch/OpenSearch version that your domain will leverage.
*/
readonly version: EngineVersion;
/**
* Encryption at rest options for the cluster.
*
* @default - No encryption at rest
*/
readonly encryptionAtRest?: EncryptionAtRestOptions;
/**
* Configuration log publishing configuration options.
*
* @default - No logs are published
*/
readonly logging?: LoggingOptions;
/**
* Specify true to enable node to node encryption.
* Requires Elasticsearch version 6.0 or later or OpenSearch version 1.0 or later.
*
* @default - Node to node encryption is not enabled.
*/
readonly nodeToNodeEncryption?: boolean;
/**
* The hour in UTC during which the service takes an automated daily snapshot
* of the indices in the Amazon OpenSearch Service domain. Only applies for Elasticsearch versions
* below 5.3.
*
* @default - Hourly automated snapshots not used
*/
readonly automatedSnapshotStartHour?: number;
/**
* Place the domain inside this VPC.
*
* @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html
* @default - Domain is not placed in a VPC.
*/
readonly vpc?: ec2.IVpc;
/**
* The list of security groups that are associated with the VPC endpoints
* for the domain.
*
* Only used if `vpc` is specified.
*
* @see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
* @default - One new security group is created.
*/
readonly securityGroups?: ec2.ISecurityGroup[];
/**
* The specific vpc subnets the domain will be placed in. You must provide one subnet for each Availability Zone
* that your domain uses. For example, you must specify three subnet IDs for a three Availability Zone
* domain.
*
* Only used if `vpc` is specified.
*
* @see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html
* @default - All private subnets.
*/
readonly vpcSubnets?: ec2.SubnetSelection[];
/**
* True to require that all traffic to the domain arrive over HTTPS.
*
* @default - false
*/
readonly enforceHttps?: boolean;
/**
* The minimum TLS version required for traffic to the domain.
*
* @default - TLSSecurityPolicy.TLS_1_2
*/
readonly tlsSecurityPolicy?: TLSSecurityPolicy;
/**
* Specifies options for fine-grained access control.
* Requires Elasticsearch version 6.7 or later or OpenSearch version 1.0 or later. Enabling fine-grained access control
* also requires encryption of data at rest and node-to-node encryption, along with
* enforced HTTPS.
*
* @default - fine-grained access control is disabled
*/
readonly fineGrainedAccessControl?: AdvancedSecurityOptions;
/**
* Configures the domain so that unsigned basic auth is enabled. If no master user is provided a default master user
* with username `admin` and a dynamically generated password stored in KMS is created. The password can be retrieved
* by getting `masterUserPassword` from the domain instance.
*
* Setting this to true will also add an access policy that allows unsigned
* access, enable node to node encryption, encryption at rest. If conflicting
* settings are encountered (like disabling encryption at rest) enabling this
* setting will cause a failure.
*
* @default - false
*/
readonly useUnsignedBasicAuth?: boolean;
/**
* To upgrade an Amazon OpenSearch Service domain to a new version, rather than replacing the entire
* domain resource, use the EnableVersionUpgrade update policy.
*
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatepolicy.html#cfn-attributes-updatepolicy-upgradeopensearchdomain
*
* @default - false
*/
readonly enableVersionUpgrade?: boolean;
/**
* Policy to apply when the domain is removed from the stack
*
* @default RemovalPolicy.RETAIN
*/
readonly removalPolicy?: cdk.RemovalPolicy;
/**
* To configure a custom domain configure these options
*
* If you specify a Route53 hosted zone it will create a CNAME record and use DNS validation for the certificate
*
* @default - no custom domain endpoint will be configured
*/
readonly customEndpoint?: CustomEndpointOptions;
/**
* Options for enabling a domain's off-peak window, during which OpenSearch Service can perform mandatory
* configuration changes on the domain.
*
* Off-peak windows were introduced on February 16, 2023.
* All domains created before this date have the off-peak window disabled by default.
* You must manually enable and configure the off-peak window for these domains.
* All domains created after this date will have the off-peak window enabled by default.
* You can't disable the off-peak window for a domain after it's enabled.
*
* @see https://docs.aws.amazon.com/it_it/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-offpeakwindow.html
*
* @default - Disabled for domains created before February 16, 2023. Enabled for domains created after. Enabled if `offPeakWindowStart` is set.
*/
readonly offPeakWindowEnabled?: boolean;
/**
* Start time for the off-peak window, in Coordinated Universal Time (UTC).
* The window length will always be 10 hours, so you can't specify an end time.
* For example, if you specify 11:00 P.M. UTC as a start time, the end time will automatically be set to 9:00 A.M.
*
* @default - 10:00 P.M. local time
*/
readonly offPeakWindowStart?: WindowStartTime;
/**
* Specifies whether automatic service software updates are enabled for the domain.
*
* @see https://docs.aws.amazon.com/it_it/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-softwareupdateoptions.html
*
* @default - false
*/
readonly enableAutoSoftwareUpdate?: boolean;
/**
* Specify either dual stack or IPv4 as your IP address type.
* Dual stack allows you to share domain resources across IPv4 and IPv6 address types, and is the recommended option.
*
* If you set your IP address type to dual stack, you can't change your address type later.
*
* @default - IpAddressType.IPV4
*/
readonly ipAddressType?: IpAddressType;
/**
* Specify whether to create a CloudWatch Logs resource policy or not.
*
* When logging is enabled for the domain, a CloudWatch Logs resource policy is created by default.
* However, CloudWatch Logs supports only 10 resource policies per region.
* If you enable logging for several domains, it may hit the quota and cause an error.
* By setting this property to true, creating a resource policy is suppressed, allowing you to avoid this problem.
*
* If you set this option to true, you must create a resource policy before deployment.
*
* @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html
*
* @default - false
*/
readonly suppressLogsResourcePolicy?: boolean;
/**
* Whether to enable or disable cold storage on the domain. You must enable UltraWarm storage to enable cold storage.
*
* @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cold-storage.html
*
* @default - undefined
*/
readonly coldStorageEnabled?: boolean;
/**
* Whether to enable S3 vectors engine.
* This feature allows you to offload vector data to Amazon S3 while maintaining sub-second vector search capabilities at low cost.
*
* Requirements:
* - OpenSearch version 2.19 or later
* - OpenSearch Optimized instance types (OR*, OM*, OI*) for data nodes
* - Encryption at rest must be enabled
*
* @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/s3-vector-opensearch-integration-engine.html
*
* @default undefined - AWS OpenSearch Service default is false
*/
readonly s3VectorsEngineEnabled?: boolean;
}
/**
* An interface that represents an Amazon OpenSearch Service domain - either created with the CDK, or an existing one.
*/
export interface IDomain extends cdk.IResource, IDomainRef {
/**
* Arn of the Amazon OpenSearch Service domain.
*
* @attribute
*/
readonly domainArn: string;
/**
* Domain name of the Amazon OpenSearch Service domain.
*
* @attribute
*/
readonly domainName: string;
/**
* Identifier of the Amazon OpenSearch Service domain.
*
* @attribute
*/
readonly domainId: string;
/**
* Endpoint of the Amazon OpenSearch Service domain.
*
* @attribute
*/
readonly domainEndpoint: string;
/**
* Grant read permissions for this domain and its contents to an IAM
* principal (Role/Group/User).
*
* @param identity The principal
*/
grantRead(identity: iam.IGrantable): iam.Grant;
/**
* Grant write permissions for this domain and its contents to an IAM
* principal (Role/Group/User).
*
* @param identity The principal
*/
grantWrite(identity: iam.IGrantable): iam.Grant;
/**
* Grant read/write permissions for this domain and its contents to an IAM
* principal (Role/Group/User).
*
* @param identity The principal
*/
grantReadWrite(identity: iam.IGrantable): iam.Grant;
/**
* Grant read permissions for an index in this domain to an IAM
* principal (Role/Group/User).
*
* @param index The index to grant permissions for
* @param identity The principal
*/
grantIndexRead(index: string, identity: iam.IGrantable): iam.Grant;
/**
* Grant write permissions for an index in this domain to an IAM
* principal (Role/Group/User).
*
* @param index The index to grant permissions for
* @param identity The principal
*/
grantIndexWrite(index: string, identity: iam.IGrantable): iam.Grant;
/**
* Grant read/write permissions for an index in this domain to an IAM
* principal (Role/Group/User).
*
* @param index The index to grant permissions for
* @param identity The principal
*/
grantIndexReadWrite(index: string, identity: iam.IGrantable): iam.Grant;
/**
* Grant read permissions for a specific path in this domain to an IAM
* principal (Role/Group/User).
*
* @param path The path to grant permissions for
* @param identity The principal
*/
grantPathRead(path: string, identity: iam.IGrantable): iam.Grant;
/**
* Grant write permissions for a specific path in this domain to an IAM
* principal (Role/Group/User).
*
* @param path The path to grant permissions for
* @param identity The principal
*/
grantPathWrite(path: string, identity: iam.IGrantable): iam.Grant;
/**
* Grant read/write permissions for a specific path in this domain to an IAM
* principal (Role/Group/User).
*
* @param path The path to grant permissions for
* @param identity The principal
*/
grantPathReadWrite(path: string, identity: iam.IGrantable): iam.Grant;
/**
* Return the given named metric for this domain.
*/
metric(metricName: string, props?: MetricOptions): Metric;
/**
* Metric for the time the cluster status is red.
*
* @default maximum over 5 minutes
*/
metricClusterStatusRed(props?: MetricOptions): Metric;
/**
* Metric for the time the cluster status is yellow.
*
* @default maximum over 5 minutes
*/
metricClusterStatusYellow(props?: MetricOptions): Metric;
/**
* Metric for the storage space of nodes in the cluster.
*
* @default minimum over 5 minutes
*/
metricFreeStorageSpace(props?: MetricOptions): Metric;
/**
* Metric for the cluster blocking index writes.
*
* @default maximum over 1 minute
*/
metricClusterIndexWritesBlocked(props?: MetricOptions): Metric;
/**
* Metric for the number of nodes.
*
* @default minimum over 1 hour
*/
metricNodes(props?: MetricOptions): Metric;
/**
* Metric for automated snapshot failures.
*
* @default maximum over 5 minutes
*/
metricAutomatedSnapshotFailure(props?: MetricOptions): Metric;
/**
* Metric for CPU utilization.
*
* @default maximum over 5 minutes
*/
metricCPUUtilization(props?: MetricOptions): Metric;
/**
* Metric for JVM memory pressure.
*
* @default maximum over 5 minutes
*/
metricJVMMemoryPressure(props?: MetricOptions): Metric;
/**
* Metric for master CPU utilization.
*
* @default maximum over 5 minutes
*/
metricMasterCPUUtilization(props?: MetricOptions): Metric;
/**
* Metric for master JVM memory pressure.
*
* @default maximum over 5 minutes
*/
metricMasterJVMMemoryPressure(props?: MetricOptions): Metric;
/**
* Metric for KMS key errors.
*
* @default maximum over 5 minutes
*/
metricKMSKeyError(props?: MetricOptions): Metric;
/**
* Metric for KMS key being inaccessible.
*
* @default maximum over 5 minutes
*/
metricKMSKeyInaccessible(props?: MetricOptions): Metric;
/**
* Metric for number of searchable documents.
*
* @default maximum over 5 minutes
*/
metricSearchableDocuments(props?: MetricOptions): Metric;
/**
* Metric for search latency.
*
* @default p99 over 5 minutes
*/
metricSearchLatency(props?: MetricOptions): Metric;
/**
* Metric for indexing latency.
*
* @default p99 over 5 minutes
*/
metricIndexingLatency(props?: MetricOptions): Metric;
}
/**
* A new or imported domain.
*/
declare abstract class DomainBase extends cdk.Resource implements IDomain {
abstract readonly domainArn: string;
abstract readonly domainName: string;
abstract readonly domainId: string;
abstract readonly domainEndpoint: string;
/**
* Collection of grant methods for a Domain
*/
readonly grants: DomainGrants;
get domainRef(): DomainReference;
/**
* Grant read permissions for this domain and its contents to an IAM
* principal (Role/Group/User).
*
* [disable-awslint:no-grants]
*
* @param identity The principal
*/
grantRead(identity: iam.IGrantable): iam.Grant;
/**
* Grant write permissions for this domain and its contents to an IAM
* principal (Role/Group/User).
*
* [disable-awslint:no-grants]
*
* @param identity The principal
*/
grantWrite(identity: iam.IGrantable): iam.Grant;
/**
* Grant read/write permissions for this domain and its contents to an IAM
* principal (Role/Group/User).
*
* [disable-awslint:no-grants]
*
* @param identity The principal
*/
grantReadWrite(identity: iam.IGrantable): iam.Grant;
/**
* Grant read permissions for an index in this domain to an IAM
* principal (Role/Group/User).
*
* [disable-awslint:no-grants]
*
* @param index The index to grant permissions for
* @param identity The principal
*/
grantIndexRead(index: string, identity: iam.IGrantable): iam.Grant;
/**
* Grant write permissions for an index in this domain to an IAM
* principal (Role/Group/User).
*
* [disable-awslint:no-grants]
*
* @param index The index to grant permissions for
* @param identity The principal
*/
grantIndexWrite(index: string, identity: iam.IGrantable): iam.Grant;
/**
* Grant read/write permissions for an index in this domain to an IAM
* principal (Role/Group/User).
*
* [disable-awslint:no-grants]
*
* @param index The index to grant permissions for
* @param identity The principal
*/
grantIndexReadWrite(index: string, identity: iam.IGrantable): iam.Grant;
/**
* Grant read permissions for a specific path in this domain to an IAM
* principal (Role/Group/User).
*
* [disable-awslint:no-grants]
*
* @param path The path to grant permissions for
* @param identity The principal
*/
grantPathRead(path: string, identity: iam.IGrantable): iam.Grant;
/**
* Grant write permissions for a specific path in this domain to an IAM
* principal (Role/Group/User).
*
* [disable-awslint:no-grants]
*
* @param path The path to grant permissions for
* @param identity The principal
*/
grantPathWrite(path: string, identity: iam.IGrantable): iam.Grant;
/**
* Grant read/write permissions for a specific path in this domain to an IAM
* principal (Role/Group/User).
*
* [disable-awslint:no-grants]
*
* @param path The path to grant permissions for
* @param identity The principal
*/
grantPathReadWrite(path: string, identity: iam.IGrantable): iam.Grant;
/**
* Return the given named metric for this domain.
*/
metric(metricName: string, props?: MetricOptions): Metric;
/**
* Metric for the time the cluster status is red.
*
* @default maximum over 5 minutes
*/
metricClusterStatusRed(props?: MetricOptions): Metric;
/**
* Metric for the time the cluster status is yellow.
*
* @default maximum over 5 minutes
*/
metricClusterStatusYellow(props?: MetricOptions): Metric;
/**
* Metric for the storage space of nodes in the cluster.
*
* @default minimum over 5 minutes
*/
metricFreeStorageSpace(props?: MetricOptions): Metric;
/**
* Metric for the cluster blocking index writes.
*
* @default maximum over 1 minute
*/
metricClusterIndexWritesBlocked(props?: MetricOptions): Metric;
/**
* Metric for the number of nodes.
*
* @default minimum over 1 hour
*/
metricNodes(props?: MetricOptions): Metric;
/**
* Metric for automated snapshot failures.
*
* @default maximum over 5 minutes
*/
metricAutomatedSnapshotFailure(props?: MetricOptions): Metric;
/**
* Metric for CPU utilization.
*
* @default maximum over 5 minutes
*/
metricCPUUtilization(props?: MetricOptions): Metric;
/**
* Metric for JVM memory pressure.
*
* @default maximum over 5 minutes
*/
metricJVMMemoryPressure(props?: MetricOptions): Metric;
/**
* Metric for master CPU utilization.
*
* @default maximum over 5 minutes
*/
metricMasterCPUUtilization(props?: MetricOptions): Metric;
/**
* Metric for master JVM memory pressure.
*
* @default maximum over 5 minutes
*/
metricMasterJVMMemoryPressure(props?: MetricOptions): Metric;
/**
* Metric for KMS key errors.
*
* @default maximum over 5 minutes
*/
metricKMSKeyError(props?: MetricOptions): Metric;
/**
* Metric for KMS key being inaccessible.
*
* @default maximum over 5 minutes
*/
metricKMSKeyInaccessible(props?: MetricOptions): Metric;
/**
* Metric for number of searchable documents.
*
* @default maximum over 5 minutes
*/
metricSearchableDocuments(props?: MetricOptions): Metric;
/**
* Metric for search latency.
*
* @default p99 over 5 minutes
*/
metricSearchLatency(props?: MetricOptions): Metric;
/**
* Metric for indexing latency.
*
* @default p99 over 5 minutes
*/
metricIndexingLatency(props?: MetricOptions): Metric;
private grant;
}
/**
* Reference to an Amazon OpenSearch Service domain.
*/
export interface DomainAttributes {
/**
* The ARN of the Amazon OpenSearch Service domain.
*/
readonly domainArn: string;
/**
* The domain endpoint of the Amazon OpenSearch Service domain.
*/
readonly domainEndpoint: string;
}
/**
* Provides an Amazon OpenSearch Service domain.
*/
export declare class Domain extends DomainBase implements IDomain, ec2.IConnectable {
/**
* Uniquely identifies this class.
*/
static readonly PROPERTY_INJECTION_ID: string;
/**
* Creates a domain construct that represents an external domain via domain endpoint.
*
* @param scope The parent creating construct (usually `this`).
* @param id The construct's name.
* @param domainEndpoint The domain's endpoint.
*/
static fromDomainEndpoint(scope: Construct, id: string, domainEndpoint: string): IDomain;
/**
* Creates a domain construct that represents an external domain.
*
* @param scope The parent creating construct (usually `this`).
* @param id The construct's name.
* @param attrs A `DomainAttributes` object.
*/
static fromDomainAttributes(scope: Construct, id: string, attrs: DomainAttributes): IDomain;
get domainArn(): string;
get domainName(): string;
readonly domainId: string;
readonly domainEndpoint: string;
/**
* Log group that slow searches are logged to.
*
* @attribute
*/
get slowSearchLogGroup(): logs.ILogGroup | undefined;
/**
* Log group that slow indices are logged to.
*
* @attribute
*/
get slowIndexLogGroup(): logs.ILogGroup | undefined;
/**
* Log group that application logs are logged to.
*
* @attribute
*/
get appLogGroup(): logs.ILogGroup | undefined;
/**
* Log group that audit logs are logged to.
*
* @attribute
*/
get auditLogGroup(): logs.ILogGroup | undefined;
/**
* Master user password if fine grained access control is configured.
*/
readonly masterUserPassword?: cdk.SecretValue;
private readonly _slowSearchLogGroup?;
private readonly _slowIndexLogGroup?;
private readonly _appLogGroup?;
private readonly _auditLogGroup?;
private readonly domain;
private accessPolicy?;
private encryptionAtRestOptions?;
private readonly _connections;
constructor(scope: Construct, id: string, props: DomainProps);
/**
* Validate windowStartTime property according to
* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-windowstarttime.html
*/
private validateWindowStartTime;
/**
* Validate SAML configuration according to
* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-samloptions.html
*/
private validateSamlAuthenticationOptions;
/**
* Manages network connections to the domain. This will throw an error in case the domain
* is not placed inside a VPC.
*/
get connections(): ec2.Connections;
/**
* Add policy statements to the domain access policy
*/
addAccessPolicies(...accessPolicyStatements: iam.PolicyStatement[]): void;
/**
* Selects the appropriate KMS key identifier (keyId or keyArn) based on whether
* the key is from the same account and region as the domain.
*
* For cross-account or cross-region KMS keys, OpenSearch requires the full ARN.
* For same-account, same-region keys, keyId is sufficient.
*/
private selectKmsKeyIdentifier;
}
export {};
Reference in New Issue View Git Blame Copy Permalink