opensearch cluster cdk package #2863
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2863 +/- ##
=======================================
Coverage 93.71% 93.71%
=======================================
Files 158 158
Lines 4391 4391
=======================================
Hits 4115 4115
Misses 276 276 Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
| 'node.ingest': false, | ||
| }); | ||
|
|
||
| nodeConfig.set('seed-data', { |
There was a problem hiding this comment.
Not related with this line. Can we support creating ML nodes? node.roles: [ml]
There was a problem hiding this comment.
Ack! @ylwu-amzn
There was a problem hiding this comment.
Thanks for the contribution, its great to have this be more reusable for the community. Is OpenSearch-Build the right place for this code, it feels like maybe it should be in its own repository?
What the plan going forward for how this will be used/supported?
Maybe this should go to https://github.com/opensearch-project/opensearch-devops? Or better, its own standalone repo? |
Yes, I have been thinking about that as well. opensearch-devops repo is currently acting as a pointer to actual repos like Helm charts, Ansible etc.. We can create a new OpenSearch-CDK repo if needed. Any other recommendation on the repo name? @dblock @peternied @gaiksaya @rishabh6788 @peterzhuamazon @prudhvigodithi |
Signed-off-by: Rishabh Singh <[email protected]>
|
|
||
| | Name | Type | Description | | ||
| |--------------------------------------------------------|:---------|:-----------------------------------------------------------------------------------------| | ||
| | distVersion (mandatory) | string | The OpenSearch distribution version (released/un-released) the user wants to deploy | |
There was a problem hiding this comment.
nit: required instead of mandatory
| | vpcId (Optional) | string | Re-use existing vpc, provide vpc id | | ||
| | securityGroupId (Optional) | boolean | Re-use existing security group, provide security group id | | ||
| | cidr (Optional) | string | User provided CIDR block for new Vpc, default is `10.0.0.0/16` | | ||
| | managerNodeCount (Optional) | number | Number of cluster manager nodes, default is 3 | |
There was a problem hiding this comment.
nit: integer/float/etc instead of number?
| #### Please note the load-balancer url is internet facing and can be accessed by anyone. | ||
| To restrict access please refer [Client IP Preservation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#client-ip-preservation) to restrict access on internet-facing network load balancer. | ||
| You need to add the ip/prefix-list rule in the security group created in network stack. |
There was a problem hiding this comment.
Can we do something like opensearch-project/opensearch-ci#171 to restrict server access?
| |--------------------------------------------------------|:---------|:-----------------------------------------------------------------------------------------| | ||
| | distVersion (mandatory) | string | The OpenSearch distribution version (released/un-released) the user wants to deploy | | ||
| | securityDisabled (mandatory) | boolean | Enable or disable security plugin | | ||
| | minDistribution (mandatory) | boolean | Is it an un-released OpenSearch distribution with no plugins | |
There was a problem hiding this comment.
Confused about unreleased so using a released version will be a problem?
| const app = new App(); | ||
|
|
||
| new OsClusterEntrypoint(app, { | ||
| env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION }, |
There was a problem hiding this comment.
Recommending to remove this and let the default credentials in user's workspace take effect.
| | distVersion (mandatory) | string | The OpenSearch distribution version (released/un-released) the user wants to deploy | | ||
| | securityDisabled (mandatory) | boolean | Enable or disable security plugin | | ||
| | minDistribution (mandatory) | boolean | Is it an un-released OpenSearch distribution with no plugins | | ||
| | distributionUrl (mandatory) | string | OpenSearch tar distribution url | |
There was a problem hiding this comment.
Please specify that we are using tarball only. Maybe give an example?
| @@ -0,0 +1,5 @@ | |||
| cluster.name: "my-stack" | |||
There was a problem hiding this comment.
nit: opensearch as the cluster name?
| if (props.securityGroupId === undefined) { | ||
| this.osSecurityGroup = new SecurityGroup(this, 'osSecurityGroup', { | ||
| vpc: this.vpc, | ||
| securityGroupName: 'opensearchSG', | ||
| allowAllOutbound: true, | ||
| }); | ||
| } else { | ||
| this.osSecurityGroup = SecurityGroup.fromSecurityGroupId(this, 'osSecurityGroup', props.securityGroupId); | ||
| } | ||
|
|
||
| /* The security group allows all ip access by default to all the ports. | ||
| Please update below if you want to restrict access to certain ips and ports */ | ||
| this.osSecurityGroup.addIngressRule(Peer.anyIpv4(), Port.allTcp()); | ||
| this.osSecurityGroup.addIngressRule(this.osSecurityGroup, Port.allTraffic()); | ||
| } |
There was a problem hiding this comment.
Should this pull this out into a different class to manage security altogether? Since its a critical aspect?
| @@ -0,0 +1,4 @@ | |||
| cluster.name: my-application | |||
| This project enables uses to deploy either a single-node or a multi-node OpenSearch cluster. | ||
| There are two stacks that get deployed: | ||
| 1. OpenSearch-Network-Stack: Use this stack to either use an existing Vpc or create a new Vpc. This stack also creates a new security group to manage access. | ||
| 2. OpenSearch-Infra-Stack: Sets up EC2 ASG (installs opensearch and opensearch-dashboards using userdata), cloudwatch logging, load balancer. Check your cluster log in the log group created from your stack in the cloudwatch. |
There was a problem hiding this comment.
Can you also specify what kind of AMI (AL2/ubuntu/etc) we are using in this? Seeing a lot of /home/ec2-user commands so if the user uses something else, its gonna fail. Or maybe replace those commands with someone $(whoami). Can come as an enhancement
opensearch-cdk or opensearch-cluster-cdk are great names IMO |
Ya |
Signed-off-by: Rishabh Singh [email protected]
Description
This PR adds capability to spin up single-node and multi-node opensearch cluster using cdk.
Issues Resolved
List any issues this PR will resolve, e.g. Closes [...].
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.