Using Amazon CloudFormation to create Amazon OpenSearch Serverless collections - Amazon OpenSearch Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using Amazon CloudFormation to create Amazon OpenSearch Serverless collections

You can use Amazon CloudFormation to create Amazon OpenSearch Serverless resources such as collections, security policies, and VPC endpoints. For the comprehensive OpenSearch Serverless CloudFormation reference, see Amazon OpenSearch Serverless in the Amazon CloudFormation User Guide.

The following sample CloudFormation template creates a simple data access policy, network policy, and security policy, as well as a matching collection. It's a good way to get up and running quickly with Amazon OpenSearch Serverless and provision the necessary elements to create and use a collection.

Important

This example uses public network access, which isn't recommended for production workloads. We recommend using VPC access to protect your collections. For more information, see AWS::OpenSearchServerless::VpcEndpoint and Access Amazon OpenSearch Serverless using an interface endpoint (Amazon PrivateLink).

AWSTemplateFormatVersion: 2010-09-09 Description: 'Amazon OpenSearch Serverless template to create an IAM user, encryption policy, data access policy and collection' Resources: IAMUSer: Type: 'AWS::IAM::User' Properties: UserName: aossadmin DataAccessPolicy: Type: 'AWS::OpenSearchServerless::AccessPolicy' Properties: Name: quickstart-access-policy Type: data Description: Access policy for quickstart collection Policy: !Sub >- [{"Description":"Access for cfn user","Rules":[{"ResourceType":"index","Resource":["index/*/*"],"Permission":["aoss:*"]}, {"ResourceType":"collection","Resource":["collection/quickstart"],"Permission":["aoss:*"]}], "Principal":["arn:aws:iam::${AWS::AccountId}:user/aossadmin"]}] NetworkPolicy: Type: 'AWS::OpenSearchServerless::SecurityPolicy' Properties: Name: quickstart-network-policy Type: network Description: Network policy for quickstart collection Policy: >- [{"Rules":[{"ResourceType":"collection","Resource":["collection/quickstart"]}, {"ResourceType":"dashboard","Resource":["collection/quickstart"]}],"AllowFromPublic":true}] EncryptionPolicy: Type: 'AWS::OpenSearchServerless::SecurityPolicy' Properties: Name: quickstart-security-policy Type: encryption Description: Encryption policy for quickstart collection Policy: >- {"Rules":[{"ResourceType":"collection","Resource":["collection/quickstart"]}],"AWSOwnedKey":true} Collection: Type: 'AWS::OpenSearchServerless::Collection' Properties: Name: quickstart Type: TIMESERIES Description: Collection to holds timeseries data DependsOn: EncryptionPolicy Outputs: IAMUser: Value: !Ref IAMUSer DashboardURL: Value: !GetAtt Collection.DashboardEndpoint CollectionARN: Value: !GetAtt Collection.Arn