2
votes

I can create an elastic instance in the console using the options mentioned below:

Network configuration: Public access
Fine Grained access control - enabled
Create Master user: selected
Master Username: root
Master Password: PassWord152)
Domain access policy: Allow open access


How do I create a CloudFormation template with these parameters?


Update:

@Marcin forgot to add this line in "Properties" section -

DomainName: !Ref DomainName

Elasticsearch created a new random name that conflicted with this line...

"Resource": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*"

And I got the AccessDenied error. After adding the "DomainName" parameter, it worked.


1 Answer

3
votes

You can check the following template (may need to adjust it to your needs):

---

Parameters:

  InstanceType:
    Type: String
    Default: c4.large.elasticsearch

  DomainName:
    Type: String
    Default: my-es-domain

  MasterUserName:
    Type: String
    Default: root

  MasterUserPassword:
    Type: String
    NoEcho: true
    Default: PassWord152)

Resources:

  MyESDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: !Ref DomainName 
      AccessPolicies: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              },
              "Action": "es:*",
              "Resource": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*"
            }
          ]
        }
      AdvancedSecurityOptions:
        Enabled: true
        InternalUserDatabaseEnabled: true
        MasterUserOptions:
          MasterUserName: !Ref MasterUserName
          MasterUserPassword: !Ref MasterUserPassword
      EncryptionAtRestOptions: 
        Enabled: true
      NodeToNodeEncryptionOptions:
        Enabled: true
      DomainEndpointOptions:
        EnforceHTTPS: true
      EBSOptions: 
        EBSEnabled: true
        VolumeSize: 20
        VolumeType: gp2
      ElasticsearchClusterConfig: 
        DedicatedMasterEnabled: false
        InstanceCount: 1
        InstanceType: !Ref InstanceType
        ZoneAwarenessEnabled: false
      ElasticsearchVersion: "7.7"

Outputs:
  
  Id:
    Value: !Ref MyESDomain    
    
  Arn:
    Value: !GetAtt MyESDomain.Arn    

  DomainArn:
    Value: !GetAtt MyESDomain.DomainArn
    
  DomainEndpoint:
    Value: !GetAtt MyESDomain.DomainEndpoint    
    
  KibanaEndpoint:
    Value: !Sub "${MyESDomain.DomainEndpoint}/_plugin/kibana/"
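
An added example, not part of the answer above: a small Python check over the JSON form of a template like this one. It reports the failure described in the question's update (a policy ARN that names a domain while `DomainName` is unset), an open access policy without fine-grained access control, and a master password parameter that carries a `Default`. The function names and the trimmed sample template are constructed for illustration, and only the string form of `Fn::Sub` is handled.

```python
import json
import re

def audit_es_domain(template):
    """Return findings for AWS::Elasticsearch::Domain resources (JSON-form template)."""
    findings, params = [], template.get("Parameters", {})
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Elasticsearch::Domain":
            continue
        props = res.get("Properties", {})
        aso = props.get("AdvancedSecurityOptions", {})
        policy = props.get("AccessPolicies", {})
        if isinstance(policy, dict) and "Fn::Sub" in policy:
            policy = policy["Fn::Sub"]  # assumes the string form of Fn::Sub
        if isinstance(policy, str):
            policy = json.loads(policy)  # ${...} placeholders sit inside JSON strings
        for stmt in policy.get("Statement", []):
            arns = stmt.get("Resource", [])
            arns = [arns] if isinstance(arns, str) else arns
            # An ARN that names one domain only matches if the domain really gets
            # that name; without DomainName a generated name is used instead.
            if "DomainName" not in props and any(re.search(r":domain/[^*/]", a) for a in arns):
                findings.append(f"{name}: policy ARN names a domain but DomainName is not set")
            principal = stmt.get("Principal")
            is_open = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
            if stmt.get("Effect") == "Allow" and is_open and aso.get("Enabled") is not True:
                findings.append(f"{name}: open access policy without fine-grained access control")
        pw = aso.get("MasterUserOptions", {}).get("MasterUserPassword")
        if isinstance(pw, dict) and "Default" in params.get(pw.get("Ref"), {}):
            findings.append(f"{name}: master password parameter {pw['Ref']} has a Default value")
    return findings

def sample_template(set_domain_name=True, fgac=True):
    """Constructed, trimmed JSON-form equivalent of the template in the answer."""
    policy = json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
        "Resource": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*"}]})
    props = {"AccessPolicies": {"Fn::Sub": policy},
             "AdvancedSecurityOptions": {"Enabled": fgac, "MasterUserOptions": {
                 "MasterUserName": {"Ref": "MasterUserName"},
                 "MasterUserPassword": {"Ref": "MasterUserPassword"}}}}
    if set_domain_name:
        props["DomainName"] = {"Ref": "DomainName"}
    params = {"MasterUserPassword": {"Type": "String", "NoEcho": True, "Default": "PassWord152)"}}
    return {"Parameters": params, "Resources": {
        "MyESDomain": {"Type": "AWS::Elasticsearch::Domain", "Properties": props}}}

if __name__ == "__main__":
    for finding in audit_es_domain(sample_template(set_domain_name=False)):
        print(finding)
```

Run against the template as posted, the only finding is the password default; dropping `DomainName` or disabling `AdvancedSecurityOptions` adds the corresponding finding.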