Skip to content

jagregory/cdk-aws-opensearch-api

BranchesTags

Repository files navigation

AWS OpenSearch API resources for AWS CDK

AWS CDK constructs for managing OpenSearch API resources.

This module can be useful when you need to manage the resources inside an OpenSearch cluster, for example creating Roles and Role Mappings for fine grained access control.

Usage

Prereqs:

  1. You must have Fine Grained Access Control enabled with a Master User, the Custom Resources in this package need the master user to authenticate.
  2. The Master User credentials must be in a Secrets Manager secret, in the format of {"username":"x","password":y"}

Roles

import { Role } from "cdk-aws-opensearch-api";

// in your Stack/Construct
new Role(this, "MyRole", {
  domain: yourOpenSearchDomain,
  roleName: "roleName",
  masterUserPasswordSecret: theMasterUserCredentialsInSecretsManager,
   
  // this definition is what you'd PUT to the OpenSearch API:
  // https://opensearch.org/docs/latest/security-plugin/access-control/api/#create-role
  roleDefinition: {
    cluster_permissions: ["indices:data/write/*"],
    index_permissions: [{
      index_patterns: ["*"],
      allowed_actions: ["crud"],
    }],
  },
});

Role Mappings

If you have access to a Role already, then you can call the addRoleMapping function to change the Role Mapping for that role:

import { Role } from "cdk-aws-opensearch-api";

const myRole = new Role(/* ... */);

myRole.addRoleMapping({
  // this definition is what you'd PUT to the OpenSearch API:
  // https://opensearch.org/docs/latest/security-plugin/access-control/api/#create-role-mapping
  backend_roles: ["starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com"],
  hosts: ["*.starfleetintranet.com"],
  users: ["worf"]
});

Otherwise, you can create a Role Mapping independently:

import { RoleMapping } from "cdk-aws-opensearch-api";

// in your Stack/Construct
new RoleMapping(this, "MyRoleMapping", {
  domain: yourOpenSearchDomain,
  roleName: "roleName",
  masterUserPasswordSecret: theMasterUserCredentialsInSecretsManager,

  // this definition is what you'd PUT to the OpenSearch API:
  // https://opensearch.org/docs/latest/security-plugin/access-control/api/#create-role-mapping
  roleDefinition: {
    backend_roles: ["starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com"],
    hosts: ["*.starfleetintranet.com"],
    users: ["worf"]
  },
});

Supported features

  • Roles
  • Role Mappings

There's also a low-level fallback resource called ApiResource which you can use to manage other API resources that don't have a construct yet. Use at your own risk.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases 4

v1.0.3 Latest
Mar 4, 2022
+ 3 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages