Managing Amazon OpenSearch UI infrastructure as code with AWS CDK

As organizations scale their observability and analytics capabilities throughout a number of AWS Areas and environments, sustaining constant dashboards turns into more and more advanced. Groups typically spend hours manually recreating dashboards, creating workspaces, linking knowledge sources, and validating configurations throughout deployments—a repetitive and error-prone course of that slows down operational visibility.

The following technology OpenSearch UI in Amazon OpenSearch Service introduces a unified, managed analytics expertise that decouples from particular person OpenSearch domains and OpenSearch collections. It gives workspaces, devoted group areas with collaborator administration and a tailor-made atmosphere for observability, search, and safety analytics use circumstances. Every workspace can hook up with a number of knowledge sources, together with OpenSearch Service domains, Amazon OpenSearch Serverless collections, and exterior sources akin to Amazon Easy Storage Service (Amazon S3). OpenSearch UI additionally helps entry with AWS IAM Identification Middle, AWS Identification and Entry Administration (IAM), Identification supplier (IdP)-initiated single sign-on (SAML utilizing IAM federation), and AI-powered insights.)-initiated single sign-on (SAML utilizing IAM federation),and AI-powered insights.

On this submit, you’ll discover ways to use the AWS Cloud Growth Package (AWS CDK) to deploy an OpenSearch UI software and combine it with an AWS Lambda perform that routinely creates workspaces and dashboards utilizing the OpenSearch Dashboards Saved Objects APIs. Utilizing this automation signifies that environments launch with ready-to-use analytics which can be standardized, version-controlled, and constant throughout deployments. which can be standardized, version-controlled, and constant throughout deployments.

Particularly, you’ll discover ways to:

Deploy an OpenSearch UI software utilizing AWS CDK that in flip makes use of AWS CloudFormation
Robotically create workspaces and dashboards utilizing a Lambda primarily based customized useful resource
Generate and ingest pattern knowledge for quick visualization
Construct visualizations programmatically utilizing the OpenSearch Dashboards Saved Objects API
Authenticate API requests utilizing AWS Signature Model 4

All of the code samples on this submit can be found on this AWS Samples repository.

Answer overview

The next structure demonstrates how one can automate OpenSearch UI workspace and dashboard creation utilizing AWS CDK, AWS Lambda, and the OpenSearch UI APIs.

The workflow flows from left to proper:

Deploy stack – Developer runs cdk deploy to launch the infrastructure and create the CloudFormation stack.
Create area – CloudFormation creates the OpenSearch area (which serves as the info supply)
Create OpenSearch UI app – CloudFormation creates the OpenSearch UI software
Set off Lambda – CloudFormation invokes the Lambda perform as a customized useful resource
Generate and ingest knowledge – Lambda generates pattern metrics and ingests them into the area
Create workspaces and belongings utilizing saved object API – Lambda creates the workspace, index sample, visualization (pie chart), and dashboard utilizing OpenSearch UI API calls

The result’s a completely configured OpenSearch UI with pattern knowledge and a ready-to-use dashboard automated by infrastructure as code (IaC). The identical workflow may also be built-in into present infrastructure for OpenSearch UI functions to routinely create or replace dashboards throughout future deployments, sustaining consistency throughout environments. consistency throughout environments.

Conditions

To carry out the answer, you want the next conditions:

An AWS person or function with enough permissions – You’ll want permissions to create and handle AWS assets akin to OpenSearch Service domains, OpenSearch UI functions, Lambda capabilities, IAM roles and insurance policies, digital non-public cloud (VPC) networking parts (subnets and safety teams), and CloudFormation stacks. For testing or proof-of-concept deployments, we suggest utilizing an administrative function. For manufacturing, comply with the precept of least privilege.
Set up growth instruments:
Bootstrap CDK – This can be a one-time setup per account or Area:
```
cdk bootstrap <aws://123456789012/us-east-1>
```

This creates the required S3 bucket and IAM roles for AWS CDK deployments in your account.

Get the pattern code

Clone the pattern implementation from GitHub:

git clone https://github.com/aws-samples/sample-automate-opensearch-ui-dashboards-deployment.git 
cd opensearch-dashboard-automation-sample

The repository comprises:

opensearch-dashboard-automation-sample/ 
├── cdk/ 
│   ├── bin/ 
│   │   └── app.ts                           # CDK app entry level 
│   └── lib/ 
│       └── dashboard-stack.ts               # OpenSearch area, Lambda, and customized useful resource 
└── lambda/ 
    ├── dashboard_automation.py              # Fundamental Lambda for workspace and dashboard automation 
    ├── sigv4_signer.py                      # AWS SigV4 signing utility 
    └── necessities.txt                     # Python dependencies

This pattern demonstrates how one can deploy an OpenSearch UI software, create a workspace, ingest pattern knowledge, and routinely generate visualizations and dashboards utilizing IaC.

After cloning the repository, you may deploy the stack to routinely create your first OpenSearch workspace and dashboard with pattern knowledge.

Understanding the answer

Earlier than deploying, let’s study how the answer works. The next steps clarify the structure and automation logic that may execute routinely if you deploy the AWS CDK stack. The following part comprises the precise deployment instructions you’ll run.

Provision OpenSearch UI assets

The AWS CDK integrates seamlessly with AWS CloudFormation. This implies you may outline your OpenSearch assets and automation workflows as IaC. On this answer, AWS CDK provisions the OpenSearch area, OpenSearch UI software, and a Lambda primarily based customized useful resource that performs the automation logic.

When deploying OpenSearch UI automation, the order of useful resource creation is necessary to appropriately resolve dependencies. The really useful order is as follows:

Create the Lambda execution function – Required for entry to AppConfigs and APIs
Create the OpenSearch area – Serves as the first knowledge supply
Create the OpenSearch UI software – References the Lambda function in its AppConfigs
Create the Lambda perform – Defines the automation logic
Create the customized useful resource – Triggers the Lambda automation throughout stack deployment

The next code snippet (from cdk/lib/dashboard-stack.ts) reveals the important thing infrastructure definitions:

export class OpenSearchDashboardStack extends cdk.Stack { 
  constructor(scope: Assemble, id: string, props?: OpenSearchDashboardStackProps) { 
    tremendous(scope, id, props); 
 
    const masterUserArn = props?.masterUserArn ||  
      `arn:aws:iam::${this.account}:function/Admin`; 
 
    // Step 1: Create IAM Function for Lambda FIRST 
    const dashboardRole = new iam.Function(this, 'DashboardLambdaRole', { 
      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), 
      inlinePolicies: { 
        OpenSearchAccess: new iam.PolicyDocument({ 
          statements: [ 
            new iam.PolicyStatement({ 
              actions: ['opensearch:ApplicationAccessAll'], 
              assets: ['*'] 
            }), 
            new iam.PolicyStatement({ 
              actions: ['es:ESHttpPost', 'es:ESHttpPut', 'es:ESHttpGet'], 
              assets: [`arn:aws:es:${this.region}:${this.account}:domain/*`] 
            }) 
          ] 
        }) 
      } 
    }); 
 
    // Step 2: Create OpenSearch Area 
    const opensearchDomain = new opensearch.Area(this, 'OpenSearchDomain', { 
      model: opensearch.EngineVersion.OPENSEARCH_2_11, 
      capability: { dataNodes: 1, dataNodeInstanceType: 'r6g.massive.search' }, 
      // ... extra configuration 
    }); 
 
    // Step 3: Create OpenSearch UI Utility 
    const openSearchUI = new opensearch.CfnApplication(this, 'OpenSearchUI', { 
      appConfigs: [ 
        { 
          key: 'opensearchDashboards.dashboardAdmin.users', 
          value: `["${masterUserArn}"]` // Human customers 
        }, 
        { 
          key: 'opensearchDashboards.dashboardAdmin.teams', 
          worth: `["${dashboardRole.roleArn}"]` // Lambda function 
        } 
      ], 
      dataSources: [{ dataSourceArn: opensearchDomain.domainArn }], 
      // ... extra configuration 
    }); 
 
    // Step 4: Create Lambda Operate 
    const dashboardFn = new lambda.Operate(this, 'DashboardSetup', { 
      runtime: lambda.Runtime.PYTHON_3_11, 
      handler: 'dashboard_automation.handler', 
      code: lambda.Code.fromAsset('../lambda'), 
      timeout: cdk.Period.minutes(5), 
      function: dashboardRole 
    }); 
 
    // Step 5: Create Customized Useful resource 
    const supplier = new cr.Supplier(this, 'DashboardProvider', { 
      onEventHandler: dashboardFn 
    }); 
 
    new cdk.CustomResource(this, 'DashboardSetupResource', { 
      serviceToken: supplier.serviceToken, 
      properties: { 
        opensearchUIEndpoint: openSearchUI.attrDashboardEndpoint, 
        domainEndpoint: opensearchDomain.domainEndpoint, 
        domainName: opensearchDomain.domainName, 
        workspaceName: 'workspace-demo', 
        area: this.area 
      } 
    }); 
  } 
}

These are some necessary implementation notes:

The Lambda function should be created earlier than the OpenSearch UI software so its Amazon Useful resource Identify (ARN) could be referenced in dashboardAdmin.teams
The Lambda function contains each opensearch:ApplicationAccessAll (for OpenSearch UI API entry) and es:ESHttp* permissions (for ingesting knowledge into the OpenSearch area)
The customized useful resource allows the automation perform to run throughout deployment, passing each OpenSearch UI and OpenSearch area endpoints as parameters

Authenticate with OpenSearch UI APIs

When programmatically interacting with the OpenSearch UI (Dashboards) APIs, correct authentication is required so your Lambda perform or automation script can securely entry the APIs. The OpenSearch UI makes use of AWS Signature Model 4 (SigV4) authentication—just like the OpenSearch area APIs—however with just a few necessary distinctions.

When signing OpenSearch UI API requests, the service identify should be opensearch, not es. This can be a frequent supply of confusion: the OpenSearch area endpoint nonetheless makes use of the legacy service identify es, however the OpenSearch UI endpoints require opensearch. Utilizing the fallacious service identify will trigger your requests to fail authentication, even when the credentials are legitimate.

For POST, PUT, or DELETE requests, embrace the next headers to fulfill the OpenSearch UI API safety necessities:

	Header	Description
1	Content material-Kind	Set to `software/json` for JSON payloads
2	osd-xsrf	Required for state-changing operations (set to `true`)
3	x-amz-content-sha256	SHA-256 hash of the request physique to make sure knowledge integrity

The SigV4 signing course of routinely computes this physique hash when utilizing the botocore AWSRequest object, sustaining request integrity and stopping tampering throughout transmission.

The next code snippet (from lambda/sigv4_signer.py) demonstrates how one can signal and ship a request to the OpenSearch UI API:

def get_common_headers(physique: bytes = b"{}") -> Dict[str, str]: 
    """ 
    Get frequent headers for OpenSearch UI API requests. 
     
    Args: 
        physique: Request physique bytes to hash 
         
    Returns: 
        Dictionary of required headers 
    """ 
    body_hash = hashlib.sha256(physique).hexdigest() 
    return { 
        "Content material-Kind": "software/json", 
        "x-amz-content-sha256": body_hash, 
        "osd-xsrf": "osd-fetch", 
        "osd-version": "3.1.0", 
    } 
 
 
def make_signed_request( 
    methodology: str, 
    url: str, 
    headers: Dict[str, str], 
    physique: bytes = b"", 
    area: str = None, 
) -> Any: 
    session = boto3.Session() 
    if not area: 
        area = session.region_name 
     
    # Create AWS request 
    request = AWSRequest(methodology=methodology, url=url, knowledge=physique, headers=headers) 
     
    # Signal with SigV4 utilizing 'opensearch' service identify (not 'es') 
    credentials = session.get_credentials() 
    SigV4Auth(credentials, "opensearch", area).add_auth(request) 
     
    # Ship request utilizing URLLib3Session 
    http_session = URLLib3Session() 
    return http_session.ship(request.put together())

This utility perform indicators the request utilizing the proper service identify (opensearch), attaches the required headers, and sends it securely to the OpenSearch UI endpoint.

Create workspace and dashboard with pattern knowledge

The Lambda perform (lambda/dashboard_automation.py) automates the complete strategy of provisioning a workspace, producing pattern knowledge, and creating visualizations and dashboards by the OpenSearch UI APIs. Go to the next lists of APIs:

Observe these steps:

Find or create a workspace. Every dashboard within the OpenSearch UI should exist inside a workspace. The perform first checks whether or not a workspace already exists and creates one if essential. The workspace associates a number of knowledge sources (for instance, an OpenSearch area or OpenSearch Serverless assortment):

def get_or_create_workspace(endpoint: str, area: str,  
                           data_source_id: str, workspace_name: str) -> Non-obligatory[str]: 
    """Get present workspace or create new one (idempotent).""" 
    # Examine for present workspace 
    workspace_id = find_workspace_by_name(endpoint, area, workspace_name) 
    if workspace_id: 
        return workspace_id 
 
    # Create new workspace 
    url = f"https://{endpoint}/api/workspaces" 
    payload = { 
        "attributes": {"identify": workspace_name, "options": ["use-case-observability"]}, 
        "settings": {"dataSources": [data_source_id]} 
    } 
    response = make_signed_request("POST", url, get_common_headers(), json.dumps(payload).encode(), area) 
    return response.json()["result"]["id"]

This logic allows repeated deployments to stay idempotent; the Lambda perform reuses present workspaces reasonably than creating duplicates.

Generate and ingest pattern knowledge. To make the dashboards significant upon first launch, the Lambda perform generates a small dataset simulating HTTP request metrics and ingests it into the OpenSearch area utilizing the Bulk API:

def generate_sample_metrics(num_docs: int = 50) -> listing: 
    """Generate real looking HTTP API request metrics.""" 
    endpoints = ["/api/users", "/api/products", "/api/orders"] 
    status_codes = [200, 201, 400, 404, 500] 
    status_weights = [0.70, 0.15, 0.08, 0.05, 0.02]  # Real looking distribution 
 
    paperwork = [] 
    for i in vary(num_docs): 
        paperwork.append({ 
            "@timestamp": generate_timestamp(), 
            "endpoint": random.selection(endpoints), 
            "status_code": random.selections(status_codes, weights=status_weights)[0], 
            "response_time_ms": random.randint(20, 500) 
        }) 
    return paperwork

The perform then ingests this knowledge into the area:

def ingest_sample_data(domain_endpoint: str, area: str, paperwork: listing) -> bool:
    """Ingest paperwork utilizing OpenSearch bulk API."""
    index_name = f"application-metrics-{datetime.utcnow().strftime('%Y.%m.%d')}"
    bulk_body = "n".be a part of([
        f'{{"index":{{"_index":"{index_name}"}}}}n{json.dumps(doc)}'
        for doc in documents
    ]) + "n"

    url = f"https://{domain_endpoint}/_bulk"
    response = make_domain_request("POST", url, headers, bulk_body.encode(), area)
    return 200 <= response.status_code < 300

This permits every deployment to incorporate pattern analytics knowledge that instantly populates the dashboard upon first login.

Create a visualization. After the index sample is accessible, the Lambda perform creates a pie chart visualization that reveals HTTP standing code distribution:

def create_visualization(endpoint: str, area: str,  
                        workspace_id: str, index_pattern_id: str) -> Non-obligatory[str]: 
    """Create pie chart displaying HTTP standing code distribution.""" 
    url = f"https://{endpoint}/w/{workspace_id}/api/saved_objects/visualization" 
 
    vis_state = { 
        "title": "HTTP Standing Code Distribution", 
        "kind": "pie", 
        "aggs": [ 
            {"id": "1", "type": "count", "schema": "metric"}, 
            { 
                "id": "2", 
                "type": "terms", 
                "schema": "segment", 
                "params": {"field": "status_code", "size": 10} 
            } 
        ] 
    } 
 
    payload = { 
        "attributes": { 
            "title": "HTTP Standing Code Distribution", 
            "visState": json.dumps(vis_state), 
            "kibanaSavedObjectMeta": { 
                "searchSourceJSON": json.dumps({ 
                    "index": index_pattern_id, 
                    "question": {"question": "", "language": "kuery"} 
                }) 
            } 
        } 
    } 
 
    response = make_signed_request("POST", url, get_common_headers(), json.dumps(payload).encode(), area) 
    return response.json().get("id")

This visualization will later be embedded inside a dashboard panel.

Create the dashboard. Lastly, the Lambda perform creates a dashboard that references the visualization created within the earlier step:

def create_dashboard(endpoint: str, area: str,  
                    workspace_id: str, viz_id: str) -> Non-obligatory[str]: 
    """Create dashboard containing the visualization.""" 
    url = f"https://{endpoint}/w/{workspace_id}/api/saved_objects/dashboard" 
 
    # Outline panel structure for the visualization 
    panels_json = [{ 
        "version": "2.11.0", 
        "gridData": {"x": 0, "y": 0, "w": 24, "h": 15, "i": "1"}, 
        "panelIndex": "1", 
        "embeddableConfig": {}, 
        "panelRefName": "panel_1" 
    }] 
 
    payload = { 
        "attributes": { 
            "title": "Utility Metrics", 
            "description": "HTTP request metrics dashboard", 
            "panelsJSON": json.dumps(panels_json), 
            "optionsJSON": json.dumps({"darkTheme": False}), 
            "model": 1, 
            "timeRestore": False, 
            "kibanaSavedObjectMeta": { 
                "searchSourceJSON": json.dumps({"question": {"question": "", "language": "kuery"}}) 
            } 
        }, 
        "references": [{ 
            "name": "panel_1", 
            "type": "visualization", 
            "id": viz_id 
        }] 
    } 
 
    response = make_signed_request("POST", url, get_common_headers(), json.dumps(payload).encode(), area) 
    return response.json().get("id")

This completes the dashboard creation course of, offering customers with an interactive visualization of software metrics as quickly as they entry the workspace.

The total implementation, together with logging, error dealing with, and helper utilities, is accessible within the AWS Samples GitHub repository.

Deploy the infrastructure with AWS CDK

With the AWS CDK stack and Lambda automation in place, you’re able to deploy the total answer and confirm that your OpenSearch UI dashboard is created routinely.

Deploy the stack

From the foundation listing of the cloned repository, navigate to the AWS CDK folder and deploy the stack utilizing your IAM person ARN from the Conditions part:

cd cdk 
npm set up 
npx cdk bootstrap  # First time solely 
npx cdk deploy -c masterUserArn=arn:aws:iam::123456789012:person/your-username

The deployment course of sometimes takes 20–25 minutes as a result of AWS CDK provisions the OpenSearch area, OpenSearch UI software, Lambda perform, and customized useful resource that runs the automation.

Confirm the deployment

After the deployment completes:

Open the OpenSearch UI endpoint displayed within the AWS CDK output.
Sign up utilizing your IAM credentials.
Swap to the newly created workspace-demo workspace.
Open the Utility Metrics dashboard.
View the pie chart visualization that shows the distribution of HTTP standing codes from the pattern knowledge.

The dashboard routinely shows a pie chart visualization populated with artificial software metrics, demonstrating how the Saved Objects API can be utilized to bootstrap significant analytics dashboards instantly after deployment.

Enhancement 1: Simplify dashboard creation with Saved Object Import API

As your OpenSearch Dashboards evolve, managing advanced dependencies between index patterns, visualizations, and dashboards can turn out to be more and more troublesome. Every dashboard typically references a number of saved objects, and manually recreating or syncing them throughout environments could be time-consuming and error susceptible.

To simplify this course of, we suggest utilizing the Saved Objects Import/Export API. You need to use this API to bundle complete dashboards, together with their dependent objects, right into a single transferable artifact. By utilizing this method, you may model, migrate, and deploy dashboards throughout environments as a part of your CI/CD workflow, sustaining consistency and lowering operational overhead.

Export your dashboard

You may export dashboards straight from the OpenSearch UI or use saved object export API:

Open Stack Administration after which Saved Objects
Choose the dashboard and associated objects (for instance, visualizations and index patterns)
Select Export
Save the exported file as dashboard.ndjson

This file comprises saved objects serialized in newline-delimited JSON (NDJSON) format, prepared for versioning or deployment automation.

Import dashboards programmatically

You may programmatically import the NDJSON file right into a goal workspace utilizing the Saved Objects import API:

# Pseudo code for import perform 
def import_dashboard(workspace_id, ndjson_file): 
    # Learn the exported dashboard file 
    dashboard_config = read_file(ndjson_file) 
     
     
    # POST to import to opensearch ui endpoint 
    url = f"{opensearch_ui_endpoint}/w/{workspace_id}/api/saved_objects/_import" 
    response = make_signed_request("POST", url, dashboard_config) 
     
    return response.success

By utilizing this method, you may deal with dashboards as deployable belongings, precisely like software code. You may retailer your exported dashboards in supply management, combine them into your AWS CDK or CloudFormation pipelines, and routinely deploy them to a number of environments with confidence.

Enhancement 2: Improved safety configurations

In some circumstances, you would possibly wish to enhance the safety configuration of your OpenSearch UI software, otherwise you is perhaps coping with OpenSearch domains which were deployed with extra safety configurations. On this part, we talk about how one can enhance the safety configuration of your OpenSearch UI software and nonetheless obtain IaC with AWS CDK. Extra particularly, we clarify how one can arrange your OpenSearch UI software when your OpenSearch area is in a VPC and when fine-grained entry management is enabled.

When the OpenSearch Area resides inside a VPC, extra configurations might be wanted to correctly join together with your dashboard.

Allow communication between Lambda capabilities used to ingest knowledge and the OpenSearch area within the VPC

When the OpenSearch Service area resides in a VPC, the Lambda capabilities that ingest knowledge into the area should be capable of talk with it. Probably the most simple method of doing that is to permit the Lambda perform to be executed inside the similar VPC as your OpenSearch Service area and provides it the identical safety group. An instance is offered within the GitHub repository.

Enable HTTPS communications from shoppers making an attempt to speak together with your OpenSearch Service area. On this instance, the shopper might be utilizing the identical safety group used within the OpenSearch Service area:
```
openSearchSecurityGroup.addIngressRule(
  openSearchSecurityGroup,
  ec2.Port.tcp(443),
  'Enable inbound HTTPS visitors from itself',
);
```
Add this managed coverage to the function assumed by the Lambda perform to permit it entry to the VPC:
```
iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole')
```

Specify the VPC and the safety group your Lambda perform might be utilizing. On this case, the VPC is similar one utilized by your OpenSearch Service area:

const dashboardFn = new lambda.Operate(this, 'DashboardSetup', {
  // ... extra configuration
  vpc: vpc,
  securityGroups: [openSearchSecurityGroup]
});

Authorize OpenSearch UI service for VPC endpoint entry

For the OpenSearch Service area to be accessible to your dashboard, VPC endpoint entry should be enabled. This may be achieved through the use of a customized useful resource, as proven within the following configuration:

const authorizeOpenSearchUIVpcAccess = new cr.AwsCustomResource(this, 'AuthorizeOpenSearchUIVpcAccess', {
  onUpdate: {
    service: 'OpenSearch',
    motion: 'authorizeVpcEndpointAccess',
    parameters: {
      DomainName: opensearchDomain.domainName,
      Service: 'software.opensearchservice.amazonaws.com',
    },
    physicalResourceId: cr.PhysicalResourceId.of(`${opensearchDomain.domainName}-VpcEndpointAccess`),
  },
  coverage: cr.AwsCustomResourcePolicy.fromStatements([
    new iam.PolicyStatement({
      actions: ['es:AuthorizeVpcEndpointAccess'],
      assets: [opensearchDomain.domainArn],
    }),
  ]),
});

Allow fine-grained entry management

Whenever you use fine-grained entry management together with an OpenSearch UI, you might have extra management over which operations are allowed for every person. This may be particularly helpful if you wish to restrict your customers’ actions past the admin, learn, or write permissions that include OpenSearch UI. Distinctive roles could be created and mapped to a number of customers to realize exact management over who can entry what performance.

Within the earlier sections, the identical Lambda was used to make requests to each the OpenSearch Service area and the OpenSearch UI. Nevertheless, in conditions the place the primary function isn’t the identical between the OpenSearch Service area and the OpenSearch UI, we suggest making a Lambda perform for every function. Once more, when deploying OpenSearch UI automation, the order of useful resource creation is necessary to appropriately resolve dependencies. As illustrated beforehand, the really useful order is as follows:

Create the dashboard Lambda execution function – Required for entry to AppConfigs and APIs
Create the OpenSearch area fundamental function – Required for area creation and APIs
Create the OpenSearch area – Serves as the first knowledge supply
Create the OpenSearch area Lambda perform – Defines the automation logic for the OpenSearch area
Create the OpenSearch area customized assets – Triggers the Lambda automation throughout stack deployment
Create the OpenSearch UI software – References the Lambda function in its AppConfigs
Create the OpenSearch UI Lambda perform – Defines the automation logic for the OpenSearch UI
Create the OpenSearch UI customized useful resource – Triggers the Lambda automation throughout stack deployment

When creating the OpenSearch Service area, specify the fine-grained entry management parameter, as follows:

// Step 3: Create OpenSearch Area
const opensearchDomain = new opensearch.Area(this, 'OpenSearchDomain', {
  // ... extra configuration
  // Allow Nice-Grained Entry Management in your OpenSearch Area
  fineGrainedAccessControl: {
    masterUserArn: openSearchMasterRole.roleArn,
  }
});

The Lambda perform accountable for speaking with the OpenSearch Service area ought to have the required permissions to put in writing to it. The next is a configuration instance the place the Lambda perform assumes the area’s fundamental function:

// Step 4: Create Lambda Operate for OpenSearch Area
const domainFn = new lambda.Operate(this, 'DomainSetup', {
  // ... extra configuration
  function: openSearchMasterRole
});

Then, add the customized assets to create the roles and function mappings, as wanted:

// Step 5: Create Customized Sources for OpenSearch Area
const domainProvider = new cr.Supplier(this, 'DomainProvider', {
  onEventHandler: domainFn
});

// A customized useful resource to create roles (Non-obligatory)
new cdk.CustomResource(this, 'DomainRoleSetupResource', {
  serviceToken: domainProvider.serviceToken,
  // ... extra configuration
});

// A customized useful resource to create function mappings (Non-obligatory)
new cdk.CustomResource(this, 'DomainRolesMappingSetupResource', {
  serviceToken: domainProvider.serviceToken,
  // ... extra configuration
});

Create extra roles within the OpenSearch Service area (Non-obligatory)

If you wish to grant particular permissions to some customers, we suggest creating roles for them. This may be achieved by making the next requests to the OpenSearch Service area endpoint.

For extra details about the roles endpoint, overview the Create function within the OpenSearch documentation.

# Pseudo code to create a task
def create_role(domain_endpoint: str, area: str, 
                        new_role_name: str) -> bool:
    """Create a brand new function"""
    url = f"https://{domain_endpoint}/_plugins/_security/api/roles/{new_role_name}"

    payload = {
        "description": "",
        "cluster_permissions": [
            // ... Permisions
        ],
        "index_permissions": [
            {
                "index_patterns": [
                    // ... Index patterns
                ],
                "fls": [],
                "masked_fields": [],
                "allowed_actions": [
                    // ... Allowed actions
                ],
            },
        ],
    }
    
    response = make_domain_request("PUT", url, headers, json.dumps(payload).encode(), area)
    return response.success

Create function mappings within the OpenSearch area in your dashboard customers (Non-obligatory)

Customers could be mapped to a number of roles to manage their entry to the OpenSearch Service area, which might be mirrored within the OpenSearch UI dashboard related to the area.

For extra details about the rolesmapping endpoint, overview the Create function mapping within the OpenSearch documentation.

# Pseudo code to create a task mapping
def create_role_mapping(domain_endpoint: str, area: str, 
                        new_role_name: str) -> bool:
    """Create a brand new function mapping"""
    url = f"https://{domain_endpoint}/_plugins/_security/api/rolesmapping/{new_role_name}"

    payload = {
        "backend_roles": [
            "<ROLE_ARN_1>",
            "<ROLE_ARN_2>",
        ],
    }

    response = make_domain_request("PUT", url, headers, json.dumps(payload).encode(), area)
    return response.success

These are some necessary implementation notes:

By default, the OpenSearch Area will create a task mapping for its fundamental person, below all_access and security_manager. If you happen to modify these mappings, we suggest holding the primary person within the listing to forestall unintended lack of entry.
When fine-grained entry management is used, if a person opens the OpenSearch UI with out being mapped to a task within the OpenSearch Area, they are going to be unable to visualise or modify the info situated within the OpenSearch Area, even when they’re a part of the OpenSearch UI’s admin group. Because of this, we suggest creating customized assets so as to add the suitable function mappings. OpenSearch UI admins will nonetheless be capable of make modifications to the OpenSearch UI dashboards.
When programmatically interacting with the OpenSearch Area APIs, correct authentication is required so your Lambda perform or automation script can securely entry the APIs. The OpenSearch Area makes use of SigV4 authentication. When signing the OpenSearch Area API requests, the service identify should be es.

Price concerns

This answer makes use of a number of AWS companies, every with its personal price part:

Amazon OpenSearch Service – That is the primary price driver. Expenses are primarily based on occasion kind, variety of nodes, and Amazon Elastic Block Retailer (Amazon EBS) storage. For testing, you should use a smaller occasion (for instance, t3.small.search) or delete the area after use to reduce price.) or delete the area after use to reduce price.
AWS Lambda – The automation perform runs solely throughout deployment and incurs minimal prices for just a few brief invocations.
AWS CDK and CloudFormation – Create momentary IAM roles and Amazon S3 deployment belongings with negligible price.

For pricing particulars, consult with Amazon OpenSearch Service Pricing.

Clear Up

To keep away from incurring ongoing prices, clear up the assets created by this answer if you’ve accomplished your testing.Open your challenge listing and destroy the AWS CDK stack:

This command removes the assets provisioned by the AWS CDK stack, together with:

The Amazon OpenSearch Service area
The OpenSearch UI software
The AWS Lambda perform and customized useful resource
IAM roles and insurance policies related to the deployment

By cleansing up, you cease the associated prices and preserve a tidy, cost-efficient AWS atmosphere.

Extra assets

Conclusion

By integrating the Saved Objects API with the next-generation Amazon OpenSearch UI, you may programmatically create complete analytics experiences—together with workspaces, pattern knowledge, visualizations, and dashboards—straight out of your IaC.

This method brings the ability of IaC to your analytics layer. Utilizing AWS CDK and AWS Lambda, you may model, deploy, and replace dashboards persistently throughout environments, lowering handbook setup whereas bettering reliability and governance. With this automation in place, your groups can deal with insights reasonably than setup—delivering observability-as-code that scales together with your group.