This is the new *Amazon CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [Amazon CloudFormation User Guide](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/Welcome.html).
# AWS::OpenSearchService::Domain
The AWS::OpenSearchService::Domain resource creates an Amazon OpenSearch Service domain.
## Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
### JSON
```
{
"Type" : "AWS::OpenSearchService::Domain",
"Properties" : {
"[AccessPolicies](#cfn-opensearchservice-domain-accesspolicies)" : {{Json}},
"[AdvancedOptions](#cfn-opensearchservice-domain-advancedoptions)" : {{{{{Key}}: {{Value}}, ...}}},
"[AdvancedSecurityOptions](#cfn-opensearchservice-domain-advancedsecurityoptions)" : {{AdvancedSecurityOptionsInput}},
"[AIMLOptions](#cfn-opensearchservice-domain-aimloptions)" : {{AIMLOptions}},
"[ClusterConfig](#cfn-opensearchservice-domain-clusterconfig)" : {{ClusterConfig}},
"[CognitoOptions](#cfn-opensearchservice-domain-cognitooptions)" : {{CognitoOptions}},
"[DeploymentStrategyOptions](#cfn-opensearchservice-domain-deploymentstrategyoptions)" : {{DeploymentStrategyOptions}},
"[DomainEndpointOptions](#cfn-opensearchservice-domain-domainendpointoptions)" : {{DomainEndpointOptions}},
"[DomainName](#cfn-opensearchservice-domain-domainname)" : {{String}},
"[EBSOptions](#cfn-opensearchservice-domain-ebsoptions)" : {{EBSOptions}},
"[EncryptionAtRestOptions](#cfn-opensearchservice-domain-encryptionatrestoptions)" : {{EncryptionAtRestOptions}},
"[EngineVersion](#cfn-opensearchservice-domain-engineversion)" : {{String}},
"[IdentityCenterOptions](#cfn-opensearchservice-domain-identitycenteroptions)" : {{IdentityCenterOptions}},
"[IPAddressType](#cfn-opensearchservice-domain-ipaddresstype)" : {{String}},
"[LogPublishingOptions](#cfn-opensearchservice-domain-logpublishingoptions)" : {{{{{Key}}: {{Value}}, ...}}},
"[NodeToNodeEncryptionOptions](#cfn-opensearchservice-domain-nodetonodeencryptionoptions)" : {{NodeToNodeEncryptionOptions}},
"[OffPeakWindowOptions](#cfn-opensearchservice-domain-offpeakwindowoptions)" : {{OffPeakWindowOptions}},
"[SkipShardMigrationWait](#cfn-opensearchservice-domain-skipshardmigrationwait)" : {{Boolean}},
"[SnapshotOptions](#cfn-opensearchservice-domain-snapshotoptions)" : {{SnapshotOptions}},
"[SoftwareUpdateOptions](#cfn-opensearchservice-domain-softwareupdateoptions)" : {{SoftwareUpdateOptions}},
"[Tags](#cfn-opensearchservice-domain-tags)" : {{[ Tag, ... ]}},
"[VPCOptions](#cfn-opensearchservice-domain-vpcoptions)" : {{VPCOptions}}
}
}
```
### YAML
```
Type: AWS::OpenSearchService::Domain
Properties:
[AccessPolicies](#cfn-opensearchservice-domain-accesspolicies): {{Json}}
[AdvancedOptions](#cfn-opensearchservice-domain-advancedoptions): {{
{{Key}}: {{Value}}}}
[AdvancedSecurityOptions](#cfn-opensearchservice-domain-advancedsecurityoptions): {{
AdvancedSecurityOptionsInput}}
[AIMLOptions](#cfn-opensearchservice-domain-aimloptions): {{
AIMLOptions}}
[ClusterConfig](#cfn-opensearchservice-domain-clusterconfig): {{
ClusterConfig}}
[CognitoOptions](#cfn-opensearchservice-domain-cognitooptions): {{
CognitoOptions}}
[DeploymentStrategyOptions](#cfn-opensearchservice-domain-deploymentstrategyoptions): {{
DeploymentStrategyOptions}}
[DomainEndpointOptions](#cfn-opensearchservice-domain-domainendpointoptions): {{
DomainEndpointOptions}}
[DomainName](#cfn-opensearchservice-domain-domainname): {{String}}
[EBSOptions](#cfn-opensearchservice-domain-ebsoptions): {{
EBSOptions}}
[EncryptionAtRestOptions](#cfn-opensearchservice-domain-encryptionatrestoptions): {{
EncryptionAtRestOptions}}
[EngineVersion](#cfn-opensearchservice-domain-engineversion): {{String}}
[IdentityCenterOptions](#cfn-opensearchservice-domain-identitycenteroptions): {{
IdentityCenterOptions}}
[IPAddressType](#cfn-opensearchservice-domain-ipaddresstype): {{String}}
[LogPublishingOptions](#cfn-opensearchservice-domain-logpublishingoptions): {{
{{Key}}: {{Value}}}}
[NodeToNodeEncryptionOptions](#cfn-opensearchservice-domain-nodetonodeencryptionoptions): {{
NodeToNodeEncryptionOptions}}
[OffPeakWindowOptions](#cfn-opensearchservice-domain-offpeakwindowoptions): {{
OffPeakWindowOptions}}
[SkipShardMigrationWait](#cfn-opensearchservice-domain-skipshardmigrationwait): {{Boolean}}
[SnapshotOptions](#cfn-opensearchservice-domain-snapshotoptions): {{
SnapshotOptions}}
[SoftwareUpdateOptions](#cfn-opensearchservice-domain-softwareupdateoptions): {{
SoftwareUpdateOptions}}
[Tags](#cfn-opensearchservice-domain-tags): {{
- Tag}}
[VPCOptions](#cfn-opensearchservice-domain-vpcoptions): {{
VPCOptions}}
```
## Properties
`AccessPolicies`
An Amazon Identity and Access Management (IAM) policy document that specifies who can access the OpenSearch Service domain and their permissions. For more information, see [Configuring access policies](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/ac.html#ac-creating) in the *Amazon OpenSearch Service Developer Guide*.
*Required*: No
*Type*: Json
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`AdvancedOptions`
Additional options to specify for the OpenSearch Service domain. For more information, see [AdvancedOptions](https://docs.amazonaws.cn/opensearch-service/latest/APIReference/API_CreateDomain.html#API_CreateDomain_RequestBody) in the OpenSearch Service API reference.
*Required*: No
*Type*: Object of String
*Pattern*: `[a-zA-Z0-9]+`
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`AdvancedSecurityOptions`
Specifies options for fine-grained access control and SAML authentication.
If you specify advanced security options, you must also enable node-to-node encryption ([NodeToNodeEncryptionOptions](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-nodetonodeencryptionoptions.html)) and encryption at rest ([EncryptionAtRestOptions](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-encryptionatrestoptions.html)). You must also enable `EnforceHTTPS` within [DomainEndpointOptions](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-domainendpointoptions.html), which requires HTTPS for all traffic to the domain.
*Required*: No
*Type*: [AdvancedSecurityOptionsInput](aws-properties-opensearchservice-domain-advancedsecurityoptionsinput.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`AIMLOptions`
Container for parameters required to enable all machine learning features.
*Required*: No
*Type*: [AIMLOptions](aws-properties-opensearchservice-domain-aimloptions.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`ClusterConfig`
Container for the cluster configuration of a domain.
*Required*: No
*Type*: [ClusterConfig](aws-properties-opensearchservice-domain-clusterconfig.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`CognitoOptions`
Configures OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards.
*Required*: No
*Type*: [CognitoOptions](aws-properties-opensearchservice-domain-cognitooptions.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`DeploymentStrategyOptions`
The current status of the domain's deployment strategy options.
*Required*: No
*Type*: [DeploymentStrategyOptions](aws-properties-opensearchservice-domain-deploymentstrategyoptions.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`DomainEndpointOptions`
Specifies additional options for the domain endpoint, such as whether to require HTTPS for all traffic or whether to use a custom endpoint rather than the default endpoint.
*Required*: No
*Type*: [DomainEndpointOptions](aws-properties-opensearchservice-domain-domainendpointoptions.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`DomainName`
A name for the OpenSearch Service domain. The name must have a minimum length of 3 and a maximum length of 28. If you don't specify a name, Amazon CloudFormation generates a unique physical ID and uses that ID for the domain name. For more information, see [Name Type](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-properties-name.html).
Required when creating a new domain.
If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
*Required*: Conditional
*Type*: String
*Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
`EBSOptions`
The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the OpenSearch Service domain. For more information, see [EBS volume size limits](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/limits.html#ebsresource) in the *Amazon OpenSearch Service Developer Guide*.
*Required*: No
*Type*: [EBSOptions](aws-properties-opensearchservice-domain-ebsoptions.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`EncryptionAtRestOptions`
Whether the domain should encrypt data at rest, and if so, the Amazon KMS key to use. See [Encryption of data at rest for Amazon OpenSearch Service](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/encryption-at-rest.html).
If no encryption at rest options were initially specified in the template, updating this property by adding it causes no interruption. However, if you change this property after it's already been set within a template, the domain is deleted and recreated in order to modify the property.
*Required*: No
*Type*: [EncryptionAtRestOptions](aws-properties-opensearchservice-domain-encryptionatrestoptions.md)
*Update requires*: [Some interruptions](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt)
`EngineVersion`
The version of OpenSearch to use. The value must be in the format `OpenSearch_X.Y` or `Elasticsearch_X.Y`. If not specified, the latest version of OpenSearch is used. For information about the versions that OpenSearch Service supports, see [Supported versions of OpenSearch and Elasticsearch](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/what-is.html#choosing-version) in the *Amazon OpenSearch Service Developer Guide*.
If you set the [EnableVersionUpgrade](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-attribute-updatepolicy.html#cfn-attributes-updatepolicy-upgradeopensearchdomain) update policy to `true`, you can update `EngineVersion` without interruption. When `EnableVersionUpgrade` is set to `false`, or is not specified, updating `EngineVersion` results in [replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement).
*Required*: Conditional
*Type*: String
*Pattern*: `^Elasticsearch_[0-9]{1}\.[0-9]{1,2}$|^OpenSearch_[0-9]{1,2}\.[0-9]{1,2}$`
*Minimum*: `14`
*Maximum*: `18`
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`IdentityCenterOptions`
Configuration options for controlling IAM Identity Center integration within a domain.
*Required*: No
*Type*: [IdentityCenterOptions](aws-properties-opensearchservice-domain-identitycenteroptions.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`IPAddressType`
Choose either dual stack or IPv4 as your IP address type. Dual stack allows you to share domain resources across IPv4 and IPv6 address types, and is the recommended option. If you set your IP address type to dual stack, you can't change your address type later.
*Required*: No
*Type*: String
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`LogPublishingOptions`
An object with one or more of the following keys: `SEARCH_SLOW_LOGS`, `ES_APPLICATION_LOGS`, `INDEX_SLOW_LOGS`, `AUDIT_LOGS`, depending on the types of logs you want to publish. Each key needs a valid `LogPublishingOption` value. For the full syntax, see the [examples](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-resource-opensearchservice-domain.html#aws-resource-opensearchservice-domain--examples).
*Required*: No
*Type*: Object of [LogPublishingOption](aws-properties-opensearchservice-domain-logpublishingoption.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`NodeToNodeEncryptionOptions`
Specifies whether node-to-node encryption is enabled. See [Node-to-node encryption for Amazon OpenSearch Service](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/ntn.html).
*Required*: No
*Type*: [NodeToNodeEncryptionOptions](aws-properties-opensearchservice-domain-nodetonodeencryptionoptions.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`OffPeakWindowOptions`
Options for a domain's off-peak window, during which OpenSearch Service can perform mandatory configuration changes on the domain.
*Required*: No
*Type*: [OffPeakWindowOptions](aws-properties-opensearchservice-domain-offpeakwindowoptions.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`SkipShardMigrationWait`
Property description not available.
*Required*: No
*Type*: Boolean
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`SnapshotOptions`
**DEPRECATED**. The automated snapshot configuration for the OpenSearch Service domain indexes.
*Required*: No
*Type*: [SnapshotOptions](aws-properties-opensearchservice-domain-snapshotoptions.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`SoftwareUpdateOptions`
Service software update options for the domain.
*Required*: No
*Type*: [SoftwareUpdateOptions](aws-properties-opensearchservice-domain-softwareupdateoptions.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`Tags`
An arbitrary set of tags (key–value pairs) to associate with the OpenSearch Service domain.
*Required*: No
*Type*: Array of [Tag](aws-properties-opensearchservice-domain-tag.md)
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`VPCOptions`
The virtual private cloud (VPC) configuration for the OpenSearch Service domain. For more information, see [Launching your Amazon OpenSearch Service domains within a VPC](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/vpc.html) in the *Amazon OpenSearch Service Developer Guide*.
If you remove this entity altogether, along with its associated properties, it causes a replacement. You might encounter this scenario if you're updating your security configuration from a VPC to a public endpoint.
*Required*: No
*Type*: [VPCOptions](aws-properties-opensearchservice-domain-vpcoptions.md)
*Update requires*: [Some interruptions](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt)
## Return values
### Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource name, such as `mystack-abc1d2efg3h4.` For more information about using the Ref function, see [Ref](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html).
### Fn::GetAtt
GetAtt returns a value for a specified attribute of this type. For more information, see [Fn::GetAtt](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html). The following are the available attributes and sample return values.
####
`AdvancedSecurityOptions.AnonymousAuthDisableDate`
Date and time when the migration period will be disabled. Only necessary when [enabling fine-grained access control on an existing domain](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/fgac.html#fgac-enabling-existing).
`Arn`
The Amazon Resource Name (ARN) of the CloudFormation stack.
`DomainArn`
The Amazon Resource Name (ARN) of the domain. See [Identifiers for IAM Entities ](https://docs.amazonaws.cn/IAM/latest/UserGuide/index.html) in *Using Amazon Identity and Access Management* for more information.
`DomainEndpoint`
The domain-specific endpoint used for requests to the OpenSearch APIs, such as `search-mystack-1ab2cdefghij-ab1c2deckoyb3hofw7wpqa3cm.us-west-1.es.amazonaws.com`.
`DomainEndpointV2`
If `IPAddressType` to set to `dualstack`, a version 2 domain endpoint is provisioned. This endpoint functions like a normal endpoint, except that it works with both IPv4 and IPv6 IP addresses. Normal endpoints work only with IPv4 IP addresses.
`Id`
The resource ID. For example, `123456789012/my-domain`.
`IdentityCenterOptions.IdentityCenterApplicationARN`
The Amazon Resource Name (ARN) of the domain. See [Identifiers for IAM Entities ](https://docs.amazonaws.cn/IAM/latest/UserGuide/index.html) in *Using Amazon Identity and Access Management* for more information.
`IdentityCenterOptions.IdentityStoreId`
Property description not available.
## Remarks
*Migrating stacks from Elasticsearch to OpenSearch*
**Important**
You can't directly update CloudFormation templates to use the `AWS::OpenSearchService::Domain` resource in place of `AWS::Elasticsearch::Domain`, otherwise the corresponding domain will be deleted along with all of its data.
Perform the following steps to migrate an Elasticsearch domain to an OpenSearch domain if the domain is defined within CloudFormation.
**Step 1: Prepare your existing stack for deprecation**
Make a copy of your original CloudFormation template, which contains the Elasticsearch domain resource, for use in step 3. Then add the following attributes to the Elasticsearch domain resource at the same level as `Type` and `Properties`.
`DeletionPolicy: Retain`
`UpdateReplacePolicy: Retain`
These settings ensure that CloudFormation doesn't delete or modify the corresponding domain when you delete this resource from your stack. If you have other custom resources defined in the stack that aren't critically important during the short migration period, you can delete them from the template and they'll be recreated when you create the new stack.
**Step 2: Upgrade your domain to OpenSearch**
After you add the two policy attributes to your template, upgrade your domain to an OpenSearch version using the normal upgrade process. For instructions, see [Starting an upgrade](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/version-migration.html#starting-upgrades). Make sure to take a snapshot of your domain before upgrading it to prevent accidental loss of data.
**Step 3: Create a new CloudFormation template**
While you wait for the upgrade to complete, prepare your new OpenSearch template. Using the copy of your original template that you made in step 1, make the following changes:
+ Change the domain resource type from `AWS::Elasticsearch::Domain` to `AWS::OpenSearchService::Domain`.
+ Add the `DeletionPolicy` and `UpdateReplacePolicy` attributes to the resource, as you did in step 1.
+ Change `ElasticsearchVersion` to `EngineVersion` and set its value to `OpenSearch_1.0` (or whichever version of OpenSearch you want to upgrade to).
+ If your resource contains `ElasticsearchClusterConfig`, change it to `ClusterConfig`.
+ Change the suffixes of all instance types from `.elasticsearch` to `.search`.
+ If there are any `Fn::GetAtt` or `!GetAtt` references to your domain ARN, change them to `!GetAtt MyDomain.Arn`.
+ Comment out any resources not currently within the stack (most likely everything except `AWS::OpenSearchService::Domain`).
See the next section for examples that demonstrate the new format.
**Step 4: Import the OpenSearch stack**
Once your domain upgrade finishes, you can import the new stack. Within CloudFormation, choose **Create stack** and **With existing resources (import resources)**, then upload the template you created in the previous step.
CloudFormation prompts you for the name (identifier value) of the existing domain. Copy the domain name directly from the OpenSearch console. Give the stack a name that's different from the current one, then choose **Import resources**.
After the stack is created, uncomment any related resources from the stack and update it to ensure they're recreated. You can remove the `DeletionPolicy` and `UpdateReplacePolicy` attributes if you want, but they can help prevent accidental deletions in the future.
**Step 5: Delete the Elasticsearch stack**
Now that your new stack is created, delete the old stack which contains the legacy Elasticsearch resource.
**Important**
Before deleting the old stack, make absolutely sure that the template contains the `DeletionPolicy: Retain` attribute.
\*The above steps were partially derived from this [blog post](https://onecloudplease.com/blog/migrating-to-opensearch-with-cloudformation).
## Examples
**Topics**
+ [Create an OpenSearch Service domain that contains two data nodes and three master nodes](#aws-resource-opensearchservice-domain--examples--Create_an_OpenSearch_Service_domain_that_contains_two_data_nodes_and_three_master_nodes)
+ [Create a domain with VPC options](#aws-resource-opensearchservice-domain--examples--Create_a_domain_with_VPC_options)
+ [Create a domain with fine-grained access control](#aws-resource-opensearchservice-domain--examples--Create_a_domain_with_fine-grained_access_control)
### Create an OpenSearch Service domain that contains two data nodes and three master nodes
The following example creates an OpenSearch Service domain running OpenSearch 1.0 that contains two data nodes and three dedicated master nodes. The domain has 40 GiB of storage and enables log publishing for application logs, search slow logs, and index slow logs. The access policy permits the root user for the Amazon Web Services account to make all HTTP requests to the domain, such as indexing documents or searching indexes.
#### JSON
```
"OpenSearchServiceDomain": {
"Type":"AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": "test",
"EngineVersion": "OpenSearch_1.0",
"ClusterConfig": {
"DedicatedMasterEnabled": true,
"InstanceCount": "2",
"ZoneAwarenessEnabled": true,
"InstanceType": "m3.medium.search",
"DedicatedMasterType": "m3.medium.search",
"DedicatedMasterCount": "3"
},
"EBSOptions":{
"EBSEnabled": true,
"Iops": "0",
"VolumeSize": "20",
"VolumeType": "gp2"
},
"AccessPolicies": {
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/opensearch-user"
},
"Action":"es:*",
"Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*"
}
]
},
"LogPublishingOptions": {
"ES_APPLICATION_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-application-logs",
"Enabled": true
},
"SEARCH_SLOW_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-slow-logs",
"Enabled": true
},
"INDEX_SLOW_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-index-slow-logs",
"Enabled": true
}
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
}
}
}
```
#### YAML
```
OpenSearchServiceDomain:
Type: AWS::OpenSearchService::Domain
Properties:
DomainName: 'test'
EngineVersion: 'OpenSearch_1.0'
ClusterConfig:
DedicatedMasterEnabled: true
InstanceCount: '2'
ZoneAwarenessEnabled: true
InstanceType: 'm3.medium.search'
DedicatedMasterType: 'm3.medium.search'
DedicatedMasterCount: '3'
EBSOptions:
EBSEnabled: true
Iops: '0'
VolumeSize: '20'
VolumeType: 'gp2'
AccessPolicies:
Version: '2012-10-17 '
Statement:
-
Effect: 'Allow'
Principal:
AWS: 'arn:aws:iam::123456789012:user/opensearch-user'
Action: 'es:*'
Resource: 'arn:aws:es:us-east-1:846973539254:domain/test/*'
LogPublishingOptions:
ES_APPLICATION_LOGS:
CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-application-logs'
Enabled: true
SEARCH_SLOW_LOGS:
CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-slow-logs'
Enabled: true
INDEX_SLOW_LOGS:
CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/domains/opensearch-index-slow-logs'
Enabled: true
AdvancedOptions:
rest.action.multi.allow_explicit_index: 'true'
override_main_response_version: 'true'
```
### Create a domain with VPC options
The following example creates a domain with VPC options.
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "OpenSearchServiceDomain resource",
"Parameters": {
"DomainName": {
"Description": "User-defined OpenSearch domain name",
"Type": "String"
},
"EngineVersion": {
"Description": "User-defined OpenSearch version",
"Type": "String"
},
"InstanceType": {
"Type": "String"
},
"AvailabilityZone": {
"Type": "String"
},
"CidrBlock": {
"Type": "String"
},
"GroupDescription": {
"Type": "String"
},
"SGName": {
"Type": "String"
}
},
"Resources": {
"OpenSearchServiceDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"EngineVersion": {
"Ref": "EngineVersion"
},
"ClusterConfig": {
"InstanceCount": "1",
"InstanceType": {
"Ref": "InstanceType"
}
},
"EBSOptions": {
"EBSEnabled": true,
"Iops": "0",
"VolumeSize": "10",
"VolumeType": "standard"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "*"
}
]
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "foo",
"Value": "bar"
}
],
"VPCOptions": {
"SubnetIds": [
{
"Ref": "subnet"
}
],
"SecurityGroupIds": [
{
"Ref": "mySecurityGroup"
}
]
}
}
},
"vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16"
}
},
"subnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"CidrBlock": {
"Ref": "CidrBlock"
},
"AvailabilityZone": {
"Ref": "AvailabilityZone"
}
}
},
"mySecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": {
"Ref": "GroupDescription"
},
"VpcId": {
"Ref": "vpc"
},
"GroupName": {
"Ref": "SGName"
},
"SecurityGroupIngress": [
{
"FromPort": 443,
"IpProtocol": "tcp",
"ToPort": 443,
"CidrIp": "0.0.0.0/0"
}
]
}
}
},
"Outputs": {
"Arn": {
"Value": {
"Fn::GetAtt": [
"OpenSearchServiceDomain",
"Arn"
]
}
},
"DomainEndpoint": {
"Value": {
"Fn::GetAtt": [
"OpenSearchServiceDomain",
"DomainEndpoint"
]
}
},
"SecurityGroupId": {
"Value": {
"Ref": "mySecurityGroup"
}
},
"SubnetId": {
"Value": {
"Ref": "subnet"
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Description: OpenSearchServiceDomain resource
Parameters:
DomainName:
Description: User-defined OpenSearch domain name
Type: String
EngineVersion:
Description: User-defined OpenSearch version
Type: String
InstanceType:
Type: String
AvailabilityZone:
Type: String
CidrBlock:
Type: String
GroupDescription:
Type: String
SGName:
Type: String
Resources:
OpenSearchServiceDomain:
Type: 'AWS::OpenSearchService::Domain'
Properties:
DomainName:
Ref: DomainName
EngineVersion:
Ref: EngineVersion
ClusterConfig:
InstanceCount: '1'
InstanceType:
Ref: InstanceType
EBSOptions:
EBSEnabled: true
Iops: '0'
VolumeSize: '10'
VolumeType: 'standard'
AccessPolicies:
Version: '2012-10-17 '
Statement:
- Effect: Deny
Principal:
AWS: '*'
Action: 'es:*'
Resource: '*'
AdvancedOptions:
rest.action.multi.allow_explicit_index: 'true'
override_main_response_version: 'true'
Tags:
- Key: foo
Value: bar
VPCOptions:
SubnetIds:
- Ref: subnet
SecurityGroupIds:
- Ref: mySecurityGroup
vpc:
Type: 'AWS::EC2::VPC'
Properties:
CidrBlock: 10.0.0.0/16
subnet:
Type: 'AWS::EC2::Subnet'
Properties:
VpcId:
Ref: vpc
CidrBlock:
Ref: CidrBlock
AvailabilityZone:
Ref: AvailabilityZone
mySecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription:
Ref: GroupDescription
VpcId:
Ref: vpc
GroupName:
Ref: SGName
SecurityGroupIngress:
- FromPort: 443
IpProtocol: tcp
ToPort: 443
CidrIp: 0.0.0.0/0
Outputs:
Arn:
Value:
'Fn::GetAtt':
- OpenSearchServiceDomain
- Arn
DomainEndpoint:
Value:
'Fn::GetAtt':
- OpenSearchServiceDomain
- DomainEndpoint
SecurityGroupId:
Value:
Ref: mySecurityGroup
SubnetId:
Value:
Ref: subnet
```
### Create a domain with fine-grained access control
The following example creates a domain with fine-grained access control.
#### JSON
```
{
"OpenSearchServiceDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": "my-domain-logs",
"EngineVersion": "OpenSearch_1.0",
"ClusterConfig": {
"InstanceCount": 2,
"InstanceType": "r6g.xlarge.search",
"DedicatedMasterEnabled": true,
"DedicatedMasterCount": 3,
"DedicatedMasterType": "r6g.xlarge.search"
},
"EBSOptions": {
"EBSEnabled": true,
"VolumeSize": 10,
"VolumeType": "gp2"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::478253424788:role/Admin"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:478253424788:domain/my-domain-logs/*"
}
}
},
"AdvancedSecurityOptions": {
"Enabled": true,
"InternalUserDatabaseEnabled": true,
"MasterUserOptions": {
"MasterUserName": "",
"MasterUserPassword": ""
}
}
}
}
```
#### YAML
```
OpenSearchServiceDomain:
Type: 'AWS::OpenSearchService::Domain'
Properties:
DomainName: my-domain-logs
EngineVersion: OpenSearch_1.0
ClusterConfig:
InstanceCount: 2
InstanceType: r6g.xlarge.search
DedicatedMasterEnabled: true
DedicatedMasterCount: 3
DedicatedMasterType: r6g.xlarge.search
EBSOptions:
EBSEnabled: true
VolumeSize: 10
VolumeType: gp2
AccessPolicies:
Version: '2012-10-17 '
Statement:
Effect: Allow
Principal:
AWS: 'arn:aws:iam::478253424788:role/Admin'
Action: 'es:*'
Resource: 'arn:aws:es:us-east-1:478253424788:domain/my-domain-logs/*'
AdvancedSecurityOptions:
Enabled: true
InternalUserDatabaseEnabled: true
MasterUserOptions:
MasterUserName:
MasterUserPassword:
```