-
Notifications
You must be signed in to change notification settings - Fork 277
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
opensearch cluster cdk package #2863
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2863 +/- ##
=======================================
Coverage 93.71% 93.71%
=======================================
Files 158 158
Lines 4391 4391
=======================================
Hits 4115 4115
Misses 276 276 Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
'node.ingest': false, | ||
}); | ||
|
||
nodeConfig.set('seed-data', { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not related with this line. Can we support creating ML nodes? node.roles: [ml]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack! @ylwu-amzn
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution, its great to have this be more reusable for the community. Is OpenSearch-Build the right place for this code, it feels like maybe it should be in its own repository?
What the plan going forward for how this will be used/supported?
Maybe this should go to https://github.com/opensearch-project/opensearch-devops? Or better, its own standalone repo? |
Yes, I have been thinking about that as well. opensearch-devops repo is currently acting as a pointer to actual repos like Helm charts, Ansible etc.. We can create a new OpenSearch-CDK repo if needed. Any other recommendation on the repo name? @dblock @peternied @gaiksaya @rishabh6788 @peterzhuamazon @prudhvigodithi |
Signed-off-by: Rishabh Singh <sngri@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks great! Needs some work with regards to documentation.
Thanks!
|
||
| Name | Type | Description | | ||
|--------------------------------------------------------|:---------|:-----------------------------------------------------------------------------------------| | ||
| distVersion (mandatory) | string | The OpenSearch distribution version (released/un-released) the user wants to deploy | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: required instead of mandatory
| vpcId (Optional) | string | Re-use existing vpc, provide vpc id | | ||
| securityGroupId (Optional) | boolean | Re-use existing security group, provide security group id | | ||
| cidr (Optional) | string | User provided CIDR block for new Vpc, default is `10.0.0.0/16` | | ||
| managerNodeCount (Optional) | number | Number of cluster manager nodes, default is 3 | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: integer/float/etc instead of number?
#### Please note the load-balancer url is internet facing and can be accessed by anyone. | ||
To restrict access please refer [Client IP Preservation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#client-ip-preservation) to restrict access on internet-facing network load balancer. | ||
You need to add the ip/prefix-list rule in the security group created in network stack. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we do something like opensearch-project/opensearch-ci#171 to restrict server access?
|--------------------------------------------------------|:---------|:-----------------------------------------------------------------------------------------| | ||
| distVersion (mandatory) | string | The OpenSearch distribution version (released/un-released) the user wants to deploy | | ||
| securityDisabled (mandatory) | boolean | Enable or disable security plugin | | ||
| minDistribution (mandatory) | boolean | Is it an un-released OpenSearch distribution with no plugins | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Confused about unreleased
so using a released version will be a problem?
const app = new App(); | ||
|
||
new OsClusterEntrypoint(app, { | ||
env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Recommending to remove this and let the default credentials in user's workspace take effect.
| distVersion (mandatory) | string | The OpenSearch distribution version (released/un-released) the user wants to deploy | | ||
| securityDisabled (mandatory) | boolean | Enable or disable security plugin | | ||
| minDistribution (mandatory) | boolean | Is it an un-released OpenSearch distribution with no plugins | | ||
| distributionUrl (mandatory) | string | OpenSearch tar distribution url | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please specify that we are using tarball only. Maybe give an example?
@@ -0,0 +1,5 @@ | |||
cluster.name: "my-stack" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: opensearch as the cluster name?
if (props.securityGroupId === undefined) { | ||
this.osSecurityGroup = new SecurityGroup(this, 'osSecurityGroup', { | ||
vpc: this.vpc, | ||
securityGroupName: 'opensearchSG', | ||
allowAllOutbound: true, | ||
}); | ||
} else { | ||
this.osSecurityGroup = SecurityGroup.fromSecurityGroupId(this, 'osSecurityGroup', props.securityGroupId); | ||
} | ||
|
||
/* The security group allows all ip access by default to all the ports. | ||
Please update below if you want to restrict access to certain ips and ports */ | ||
this.osSecurityGroup.addIngressRule(Peer.anyIpv4(), Port.allTcp()); | ||
this.osSecurityGroup.addIngressRule(this.osSecurityGroup, Port.allTraffic()); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this pull this out into a different class to manage security altogether? Since its a critical aspect?
@@ -0,0 +1,4 @@ | |||
cluster.name: my-application |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: opensearch
This project enables uses to deploy either a single-node or a multi-node OpenSearch cluster. | ||
There are two stacks that get deployed: | ||
1. OpenSearch-Network-Stack: Use this stack to either use an existing Vpc or create a new Vpc. This stack also creates a new security group to manage access. | ||
2. OpenSearch-Infra-Stack: Sets up EC2 ASG (installs opensearch and opensearch-dashboards using userdata), cloudwatch logging, load balancer. Check your cluster log in the log group created from your stack in the cloudwatch. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you also specify what kind of AMI (AL2/ubuntu/etc) we are using in this? Seeing a lot of /home/ec2-user
commands so if the user uses something else, its gonna fail. Or maybe replace those commands with someone $(whoami)
. Can come as an enhancement
opensearch-cdk or opensearch-cluster-cdk are great names IMO |
Ya |
Signed-off-by: Rishabh Singh sngri@amazon.com
Description
This PR adds capability to spin up single-node and multi-node opensearch cluster using cdk.
Issues Resolved
List any issues this PR will resolve, e.g. Closes [...].
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.