AWS OpenSearch Service Domain SAML Options

This page shows how to write Terraform and CloudFormation for OpenSearch Service Domain SAML Options and write them securely.

aws_elasticsearch_domain_saml_options (Terraform)

The Domain SAML Options in OpenSearch Service can be configured in Terraform with the resource name aws_elasticsearch_domain_saml_options. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are required:

  • domain_name - (Required) Name of the domain.

The following arguments are optional:

  • saml_options - (Optional) The SAML authentication options for an AWS Elasticsearch Domain.

saml_options

  • enabled - (Required) Whether SAML authentication is enabled.
  • idp - (Optional) Information from your identity provider.
  • master_backend_role - (Optional) This backend role from the SAML IdP receives full permissions to the cluster, equivalent to a new master user.
  • master_user_name - (Optional) This username from the SAML IdP receives full permissions to the cluster, equivalent to a new master user.
  • roles_key - (Optional) Element of the SAML assertion to use for backend roles. Default is roles.
  • session_timeout_minutes - (Optional) Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440.
  • subject_key - (Optional) Element of the SAML assertion to use for username. Default is NameID.

idp

  • entity_id - (Required) The unique Entity ID of the application in SAML Identity Provider.
  • metadata_content - (Required) The Metadata of the SAML application in xml format.

In addition to all arguments above, the following attributes are exported:

  • id - The name of the domain the SAML options are associated with.

Explanation in Terraform Registry

Manages SAML authentication options for an AWS Elasticsearch Domain.

Tips: Best Practices for The Other AWS OpenSearch Service Resources

In addition to the aws_elasticsearch_domain, AWS OpenSearch Service has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_elasticsearch_domain

Ensure Amazon Elasticsearch Service domain uses modern TLS protocols

It's better to adopt TLS v1.2+ to avoid using outdated TLS protocols.

Review your AWS OpenSearch Service settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::Elasticsearch::Domain (CloudFormation)

The Domain in Elasticsearch can be configured in CloudFormation with the resource name AWS::Elasticsearch::Domain. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

elasticSearch.yml#L3
    Type: AWS::Elasticsearch::Domain
    Properties:
      ElasticsearchVersion: '6.3'
      DomainName: transactions-search-${self:provider.stage}
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: false
ElasticSearch.yml#L3
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: ${self:provider.environment.ELASTIC_SEARCH_DOMAIN}
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2
ESDomain.yml#L2
  Type: AWS::Elasticsearch::Domain
  Properties:
    DomainName: kinesis-domain
    EBSOptions:
      EBSEnabled: true
      VolumeSize: 10
template.yml#L100
  #   Type: 'AWS::Elasticsearch::Domain'
  #   AccessPolicies: Json
  #     Version: "2012-10-17"
  #     Statement:
  #       -
  #         Effect: "Allow"
ElasticSearchDomain.yml#L1
Type: AWS::Elasticsearch::Domain
Properties:
  DomainName: austin-traffic-${self:provider.stage}
  ElasticsearchVersion: 7.1
  ElasticsearchClusterConfig:
    DedicatedMasterEnabled: false
elasticsearch_domain_no_encryption_node_to_node.json#L4
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": "nameddomain"
            }
        },
        "ElasticsearchDomainWithName2": {
elasticsearch_domain_no_encryption_at_rest.json#L4
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": "nameddomain"
            }
        },
        "ElasticsearchDomainWithName2": {
elasticsearch_domain_with_explicit_name.json#L4
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "DomainName": "nameddomain"
      }
    }
  }
integ.elasticsearch.ultrawarm.expected.json#L4
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "CognitoOptions": {
          "Enabled": false
        },
        "DomainEndpointOptions": {
elasticsearch_domain_without_explicit_name.json#L4
      "Type": "AWS::Elasticsearch::Domain"
    }
  }
}

Parameters

Explanation in CloudFormation Registry

The AWS::Elasticsearch::Domain resource creates an Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) domain.

Important The AWS::Elasticsearch::Domain resource is being replaced by the AWS::OpenSearchService::Domain resource. While the legacy Elasticsearch resource and options are still supported, we recommend modifying your existing Cloudformation templates to use the new OpenSearch Service resource, which supports both OpenSearch and Elasticsearch. For more information about the service rename, see New resource types in the Amazon OpenSearch Service Developer Guide.

Frequently asked questions

What is AWS OpenSearch Service Domain SAML Options?

AWS OpenSearch Service Domain SAML Options is a resource for OpenSearch Service of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS OpenSearch Service Domain SAML Options?

For CloudFormation, the paulovsm/expense-tracker, first-line-outsourcing/tools and AndrewAKG/serverless-kinesis-to-elasticsearch-typescript source code examples are useful. See the CloudFormation Example section for further details.