AWS OpenSearch Service Domain SAML Options
This page shows how to write Terraform and CloudFormation for OpenSearch Service Domain SAML Options and write them securely.
aws_elasticsearch_domain_saml_options (Terraform)
The Domain SAML Options in OpenSearch Service can be configured in Terraform with the resource name aws_elasticsearch_domain_saml_options. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are required:
domain_name- (Required) Name of the domain.
The following arguments are optional:
saml_options- (Optional) The SAML authentication options for an AWS Elasticsearch Domain.
saml_options
enabled- (Required) Whether SAML authentication is enabled.idp- (Optional) Information from your identity provider.master_backend_role- (Optional) This backend role from the SAML IdP receives full permissions to the cluster, equivalent to a new master user.master_user_name- (Optional) This username from the SAML IdP receives full permissions to the cluster, equivalent to a new master user.roles_key- (Optional) Element of the SAML assertion to use for backend roles. Default is roles.session_timeout_minutes- (Optional) Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440.subject_key- (Optional) Element of the SAML assertion to use for username. Default is NameID.
idp
entity_id- (Required) The unique Entity ID of the application in SAML Identity Provider.metadata_content- (Required) The Metadata of the SAML application in xml format.
In addition to all arguments above, the following attributes are exported:
id- The name of the domain the SAML options are associated with.
Explanation in Terraform Registry
Manages SAML authentication options for an AWS Elasticsearch Domain.
Tips: Best Practices for The Other AWS OpenSearch Service Resources
In addition to the aws_elasticsearch_domain, AWS OpenSearch Service has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_elasticsearch_domain
Ensure Amazon Elasticsearch Service domain uses modern TLS protocols
It's better to adopt TLS v1.2+ to avoid using outdated TLS protocols.
AWS::Elasticsearch::Domain (CloudFormation)
The Domain in Elasticsearch can be configured in CloudFormation with the resource name AWS::Elasticsearch::Domain. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: ${self:provider.environment.ELASTIC_SEARCH_DOMAIN}
EBSOptions:
EBSEnabled: true
VolumeType: gp2
Type: AWS::Elasticsearch::Domain
Properties:
ElasticsearchVersion: '6.3'
DomainName: transactions-search-${self:provider.stage}
ElasticsearchClusterConfig:
DedicatedMasterEnabled: false
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: kinesis-domain
EBSOptions:
EBSEnabled: true
VolumeSize: 10
# Type: 'AWS::Elasticsearch::Domain'
# AccessPolicies: Json
# Version: "2012-10-17"
# Statement:
# -
# Effect: "Allow"
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: austin-traffic-${self:provider.stage}
ElasticsearchVersion: 7.1
ElasticsearchClusterConfig:
DedicatedMasterEnabled: false
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "nameddomain"
}
}
}
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"CognitoOptions": {
"Enabled": false
},
"DomainEndpointOptions": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "nameddomain"
}
},
"ElasticsearchDomainWithName2": {
"Type": "AWS::Elasticsearch::Domain"
}
}
}
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "nameddomain"
}
},
"ElasticsearchDomainWithName2": {
Parameters
-
AccessPoliciesoptional - Json -
AdvancedOptionsoptional - Map -
AdvancedSecurityOptionsoptional - AdvancedSecurityOptionsInput -
CognitoOptionsoptional - CognitoOptions -
DomainEndpointOptionsoptional - DomainEndpointOptions -
DomainNameoptional - String -
EBSOptionsoptional - EBSOptions -
ElasticsearchClusterConfigoptional - ElasticsearchClusterConfig -
ElasticsearchVersionoptional - String -
EncryptionAtRestOptionsoptional - EncryptionAtRestOptions -
LogPublishingOptionsoptional - Map of LogPublishingOption -
NodeToNodeEncryptionOptionsoptional - NodeToNodeEncryptionOptions -
SnapshotOptionsoptional - SnapshotOptions -
Tagsoptional - List of Tag -
VPCOptionsoptional - VPCOptions
Explanation in CloudFormation Registry
The AWS::Elasticsearch::Domain resource creates an Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) domain.
Important The
AWS::Elasticsearch::Domainresource is being replaced by the AWS::OpenSearchService::Domain resource. While the legacy Elasticsearch resource and options are still supported, we recommend modifying your existing Cloudformation templates to use the new OpenSearch Service resource, which supports both OpenSearch and Elasticsearch. For more information about the service rename, see New resource types in the Amazon OpenSearch Service Developer Guide.
Frequently asked questions
What is AWS OpenSearch Service Domain SAML Options?
AWS OpenSearch Service Domain SAML Options is a resource for OpenSearch Service of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS OpenSearch Service Domain SAML Options?
For CloudFormation, the first-line-outsourcing/tools, paulovsm/expense-tracker and AndrewAKG/serverless-kinesis-to-elasticsearch-typescript source code examples are useful. See the CloudFormation Example section for further details.
