Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

opensearch cluster cdk package #2863

Closed
wants to merge 2 commits into from
Closed

opensearch cluster cdk package #2863

wants to merge 2 commits into from

Conversation

rishabh6788
Copy link
Collaborator

Signed-off-by: Rishabh Singh sngri@amazon.com

Description

This PR adds capability to spin up single-node and multi-node opensearch cluster using cdk.

Issues Resolved

List any issues this PR will resolve, e.g. Closes [...].

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@rishabh6788 rishabh6788 requested a review from a team as a code owner November 8, 2022 06:21
@codecov-commenter
Copy link

codecov-commenter commented Nov 8, 2022

Codecov Report

Merging #2863 (4debce8) into main (23d9485) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2863   +/-   ##
=======================================
  Coverage   93.71%   93.71%           
=======================================
  Files         158      158           
  Lines        4391     4391           
=======================================
  Hits         4115     4115           
  Misses        276      276           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

'node.ingest': false,
});

nodeConfig.set('seed-data', {
Copy link
Contributor

@ylwu-amzn ylwu-amzn Nov 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not related with this line. Can we support creating ML nodes? node.roles: [ml]

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack! @ylwu-amzn

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution, its great to have this be more reusable for the community. Is OpenSearch-Build the right place for this code, it feels like maybe it should be in its own repository?

What the plan going forward for how this will be used/supported?

@dblock
Copy link
Member

dblock commented Nov 8, 2022

Thanks for the contribution, its great to have this be more reusable for the community. Is OpenSearch-Build the right place for this code, it feels like maybe it should be in its own repository?

What the plan going forward for how this will be used/supported?

Maybe this should go to https://github.com/opensearch-project/opensearch-devops? Or better, its own standalone repo?

@bbarani
Copy link
Member

bbarani commented Nov 8, 2022

Thanks for the contribution, its great to have this be more reusable for the community. Is OpenSearch-Build the right place for this code, it feels like maybe it should be in its own repository?
What the plan going forward for how this will be used/supported?

Maybe this should go to https://github.com/opensearch-project/opensearch-devops? Or better, its own standalone repo?

Yes, I have been thinking about that as well. opensearch-devops repo is currently acting as a pointer to actual repos like Helm charts, Ansible etc.. We can create a new OpenSearch-CDK repo if needed. Any other recommendation on the repo name? @dblock @peternied @gaiksaya @rishabh6788 @peterzhuamazon @prudhvigodithi

Copy link
Member

@gaiksaya gaiksaya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks great! Needs some work with regards to documentation.
Thanks!


| Name | Type | Description |
|--------------------------------------------------------|:---------|:-----------------------------------------------------------------------------------------|
| distVersion (mandatory) | string | The OpenSearch distribution version (released/un-released) the user wants to deploy |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: required instead of mandatory

| vpcId (Optional) | string | Re-use existing vpc, provide vpc id |
| securityGroupId (Optional) | boolean | Re-use existing security group, provide security group id |
| cidr (Optional) | string | User provided CIDR block for new Vpc, default is `10.0.0.0/16` |
| managerNodeCount (Optional) | number | Number of cluster manager nodes, default is 3 |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: integer/float/etc instead of number?

Comment on lines +59 to +61
#### Please note the load-balancer url is internet facing and can be accessed by anyone.
To restrict access please refer [Client IP Preservation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#client-ip-preservation) to restrict access on internet-facing network load balancer.
You need to add the ip/prefix-list rule in the security group created in network stack.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we do something like opensearch-project/opensearch-ci#171 to restrict server access?

|--------------------------------------------------------|:---------|:-----------------------------------------------------------------------------------------|
| distVersion (mandatory) | string | The OpenSearch distribution version (released/un-released) the user wants to deploy |
| securityDisabled (mandatory) | boolean | Enable or disable security plugin |
| minDistribution (mandatory) | boolean | Is it an un-released OpenSearch distribution with no plugins |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confused about unreleased so using a released version will be a problem?

const app = new App();

new OsClusterEntrypoint(app, {
env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommending to remove this and let the default credentials in user's workspace take effect.

| distVersion (mandatory) | string | The OpenSearch distribution version (released/un-released) the user wants to deploy |
| securityDisabled (mandatory) | boolean | Enable or disable security plugin |
| minDistribution (mandatory) | boolean | Is it an un-released OpenSearch distribution with no plugins |
| distributionUrl (mandatory) | string | OpenSearch tar distribution url |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please specify that we are using tarball only. Maybe give an example?

@@ -0,0 +1,5 @@
cluster.name: "my-stack"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: opensearch as the cluster name?

Comment on lines +56 to +70
if (props.securityGroupId === undefined) {
this.osSecurityGroup = new SecurityGroup(this, 'osSecurityGroup', {
vpc: this.vpc,
securityGroupName: 'opensearchSG',
allowAllOutbound: true,
});
} else {
this.osSecurityGroup = SecurityGroup.fromSecurityGroupId(this, 'osSecurityGroup', props.securityGroupId);
}

/* The security group allows all ip access by default to all the ports.
Please update below if you want to restrict access to certain ips and ports */
this.osSecurityGroup.addIngressRule(Peer.anyIpv4(), Port.allTcp());
this.osSecurityGroup.addIngressRule(this.osSecurityGroup, Port.allTraffic());
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this pull this out into a different class to manage security altogether? Since its a critical aspect?

@@ -0,0 +1,4 @@
cluster.name: my-application
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: opensearch

This project enables uses to deploy either a single-node or a multi-node OpenSearch cluster.
There are two stacks that get deployed:
1. OpenSearch-Network-Stack: Use this stack to either use an existing Vpc or create a new Vpc. This stack also creates a new security group to manage access.
2. OpenSearch-Infra-Stack: Sets up EC2 ASG (installs opensearch and opensearch-dashboards using userdata), cloudwatch logging, load balancer. Check your cluster log in the log group created from your stack in the cloudwatch.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also specify what kind of AMI (AL2/ubuntu/etc) we are using in this? Seeing a lot of /home/ec2-user commands so if the user uses something else, its gonna fail. Or maybe replace those commands with someone $(whoami). Can come as an enhancement

@dblock
Copy link
Member

dblock commented Nov 9, 2022

Thanks for the contribution, its great to have this be more reusable for the community. Is OpenSearch-Build the right place for this code, it feels like maybe it should be in its own repository?
What the plan going forward for how this will be used/supported?

Maybe this should go to https://github.com/opensearch-project/opensearch-devops? Or better, its own standalone repo?

Yes, I have been thinking about that as well. opensearch-devops repo is currently acting as a pointer to actual repos like Helm charts, Ansible etc.. We can create a new OpenSearch-CDK repo if needed. Any other recommendation on the repo name? @dblock @peternied @gaiksaya @rishabh6788 @peterzhuamazon @prudhvigodithi

opensearch-cdk or opensearch-cluster-cdk are great names IMO

@prudhvigodithi
Copy link
Member

opensearch-cdk

Ya opensearch-cdk is good choice, In future we can onboard a new product of OpenSearch CDK installation to this same repo :)

@rishabh6788 rishabh6788 closed this by deleting the head repository Nov 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants