OpenSearch Service CDK setup

[lewijacn]

Description

Initial implementation of an IaC solution for deploying Managed OpenSearch Service. Some initial options provided by the CDK Domain construct are configurable through the CDK context to customize domain deployment.

The major items in this task were:

• Determining proper config options for CDK
• Ensuring these options can get parsed into the primitive or object that is used for the CDK
• Fetching AWS resources for an account properly with config options
• Confirming that the CFN is generated properly and deployed into test account

Items for improvement noticed:

• Additional fault tolerance needed for parsing context values and access policies
• Additional info for README, primarily around option details
• CLI options are always provided as string and need more testing for parsing passed JSON

Issues Resolved

https://opensearch.atlassian.net/browse/MIGRATIONS-876

Testing

Unit test cases to be added, deployments have been performed to us-east-1 region

Base values provided in cdk.context.json generate following CFN template shown in AWS Console

{
 "Description": "This stack contains resources to create/manage an OpenSearch Service domain",
 "Resources": {
  "Domain66AC69E0": {
   "Type": "AWS::OpenSearchService::Domain",
   "Properties": {
    "ClusterConfig": {
     "DedicatedMasterEnabled": false,
     "InstanceCount": 1,
     "InstanceType": "r5.large.search",
     "ZoneAwarenessEnabled": false
    },
    "DomainEndpointOptions": {
     "EnforceHTTPS": false,
     "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"
    },
    "DomainName": "cdk-os-service-domain",
    "EBSOptions": {
     "EBSEnabled": true,
     "VolumeSize": 10,
     "VolumeType": "gp2"
    },
    "EncryptionAtRestOptions": {
     "Enabled": false
    },
    "EngineVersion": "OpenSearch_1.3",
    "LogPublishingOptions": {},
    "NodeToNodeEncryptionOptions": {
     "Enabled": false
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "OpenSearchServiceDomainCDKStack/Domain/Resource"
   }
  },
  "CDKMetadata": {
   "Type": "AWS::CDK::Metadata",
   "Properties": {
    "Analytics": "v2:deflate64:H4sIAAAAAAAA/yXIzQ2DMAxA4Vm4JwYi1AXKBHQAFIyrGopTxfwcouxOEaf36Tl4OHCFP9TiONsvD5Beq8fZ/FcffiRKPuJHKe6MBKkNi2cxz7fcyhc70rBFpGwkjASTlnvdgKugKiZltnGTlReC7u4Ju9SBEnUAAAA="
   },
   "Metadata": {
    "aws:cdk:path": "OpenSearchServiceDomainCDKStack/CDKMetadata/Default"
   }
  }
 },
 "Parameters": {
  "BootstrapVersion": {
   "Type": "AWS::SSM::Parameter::Value<String>",
   "Default": "/cdk-bootstrap/hnb659fds/version",
   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
  }
 },
 "Rules": {
  "CheckBootstrapVersion": {
   "Assertions": [
    {
     "Assert": {
      "Fn::Not": [
       {
        "Fn::Contains": [
         [
          "1",
          "2",
          "3",
          "4",
          "5"
         ],
         {
          "Ref": "BootstrapVersion"
         }
        ]
       }
      ]
     },
     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
    }
   ]
  }
 }
}

Check List

• New functionality includes testing
  • All tests pass, including unit test, integration test and doctest
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #14 (525118b) into main (6cd1164) will not change coverage.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@           Coverage Diff           @@
##             main      #14   +/-   ##
=======================================
  Coverage   92.44%   92.44%           
=======================================
  Files          24       24           
  Lines        1086     1086           
  Branches      103      103           
=======================================
  Hits         1004     1004           
  Misses         72       72           
  Partials       10       10           

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[chelma]

Things like instance-type availability tend to region specific, so we may need to move some or all of these default into code later so we can do something more clever. Not a problem for now as long as we're explicit in our documentation and expectations that this is tied to a specific region. Please make it clear which region this is for.

[lewijacn]

Will do 👍

[chelma]

It's generally best to embed things like stage (alpha/beta/gamma/prod) and region into top-level stack names (like 'OpenSearchServiceDomainCDKStack' here) as it helps w/ naming collisions when people deploy multiple into the same account. Things like IAM Roles are global to the account and the CDK usually creates their names using the stack name and/or higher-level resource name as a suffix. This means if you deploy the same stack to two regions, and the CDK Stack has a region-agnostic name, you can end up with collisions on global resources even though the stacks themselves are deployed to separate regions.

[lewijacn]

Definitely a valid point, I will try to shape these resource names to incorporate this

[chelma]

What happens if the field isn't defined (e.g. the line isn't in the context file or command-line args)?

[lewijacn]

In the getContextForType function the initial if statement will return undefined for any missing or empty string options. Undefined props get ignored when creating the Domain construct.

[chelma]

Can we add a comment explaining that, or better yet make it clear in-code?

[lewijacn]

Should clear up in next revision

[chelma]

We have a lot of error handling here for bad input combinations. I'm concerned we're re-implementing the error handling in the OpenSearch Service API. What's the plan for keeping this up to date as API/CFN features and behaviors change, etc?

[lewijacn]

Good callout. I'm not that tied to lines 55-65 for error handling, my main intention here was to highlight that these features have required options and not to leave a user hanging if they provide a subset and then the feature doesn't get enabled (Another option here may be to provide a potentially undefined value to the Domain construct and let it handle this, which I kind of like to remove our need to keep up with any change in options here)

[lewijacn]

Lines 81-97, I feel some inkling to keep as we don't necessarily need to know the different options (and the error should probably be updated to just link the page to find the options) but it ensures a string that looks like it works but doesn't actually map to the object is called out. As far as updates, any major shift away from using these objects would require an update, but seems unlikely. Let me know if you have other opinions here

[gregschohn]

+1

[chelma]

As described above, I think we're better off inserting ourselves between the user and the AWS Resource APIs as little as possible and letting CDK/CFN surface invalid configurations.

I agree that the type conversions (lines 81+) are safer and I'm inclined to keep them as well.

[lewijacn]

Similar response in other comment

[chelma]

If we're parsing it as an int, the type label should probably be int.

[lewijacn]

I don't believe there is integer type in TS/JS (lmk if wrong here), parseInt will return a number as will numeric values place in cdk.context.json

[chelma]

Sigh, Google says you're right. Gross. Ok, disregard the comment.

[chelma]

A few questions/comments:

• Why not parse the boolean as a boolean?
• object is unclear as a type label. If we're parsing it as JSON, it should be labeled as JSON.
• What all "objects" are you expecting for this code to have to deal with?

[lewijacn]

1. A limitation of JS, there doesn't seem to be a boolean method to parse a string and many sites recommend using JSON.parse() 🤢
2. I believe this object is essentially a JSON object. I am not aware of say a JSON specific class name that we could attribute. Lmk if you have something, as this was my initial hunch but was unsuccessful in finding anything
3. The formats I expect for objects here are JSON object format {"Version": "2012-10-17", ...} and a string array format ["subnet-123", "subnet-124"]. This will be clearer when I add sample types to the readme

[chelma]

1. Bleh, OK.
2. As I read it, we're providing the "type labeling" here. It's probably just a nitpick, but I'd love to make it clear this is a JSON-ish thing. Maybe a good compromise is to change the label to json_object?
3. I see. I wouldn't invest too heavily in this sort of thing, as users that want to customize their stacks to any degree other than the most basic will probably just do it via writing TypeScript CDK. And, frankly, I think that's what we should encourage them to do rather than providing a way to pass through complex object configuration via JSON.

Action Item - can you call out in the README that users are encouraged to customize the deployment by changing the CDK TypeScript, and that the configuration-by-context option is primarily provided for testing/development purposes?

[lewijacn]

object is a TS type that we have to adhere to unfortunately

Sounds good, will make this callout in the README

[chelma]

I didn't understand what this code is supposed to do, in context. Can you explain?

[lewijacn]

This portion is essentially filtering out missing or empty values with a falsy check: https://developer.mozilla.org/en-US/docs/Glossary/Falsy

[chelma]

Err, shouldn't this result in an exception being thrown?

[lewijacn]

I was on the fence about throwing an error or warning and seeing if CDK could handle. I probably prefer the exception approach to remove some ambiguity here, will update

[lewijacn]

Addressed in next revision

[chelma]

Why use a type hint here for jsonObject if we're just indicating it can be any type? Can we be more specific?

[lewijacn]

Agree we can at least make this object

[chelma]

Which of these must a user fill in, and what is the plan to communicate defaults for the ones they don't fill in?

[lewijacn]

My plan was to require domainName(this could also be left empty) and engineVersion. Everything else could be removed or left empty here. The README would have each of these options a description and an example value that could be used

[gregschohn]

The README mentions that some are required. If the required ones are not present, what happens?

[gregschohn]

General TS/CDK UX comment - I'm not crazy about having a configuration file that the user fills out alongside other code in the repo. It's lacking a separation between library code and customization. Even if that's how CDK typically stages stuff, it still smells.

[chelma]

AFAIK, typically this sort of file wouldn't be distributed in the repo itself but left for the user to supply themselves or via command-line. I think it makes sense to have some way of supplying "default" values, but the more I think about it the more I agree that it's not by bundling this file into the repo.

How about we embed the default values in-code, but letting CDK Context override if supplied via command line or a config file? E.g. just make a default-values.ts file that contains these values?

[lewijacn]

I probably agree with this. Do we want to make any assumptions about default values? I'm okay with say having this default-values.ts and maybe having a domain name and version in it but don't know if I would want to put anything else in it

[gregschohn]

I'm concerned that the list of option parameters that OpenSearch consumes are effectively repeated multiple times throughout this stack. As an exercise for later, are there any ways that we can tighten some of these mappings together - either pass them through or to guarantee that the identity bindings are preserved.

[gregschohn]

Is this considered acceptable form for TS/CDK?

[chelma]

Ah, I missed this. AFAIK, * imports are evil in TypeScript just like other languages. Can you please import the specific types you need?

[lewijacn]

👍 will address in next revision

[gregschohn]

this should be an environment variable too

[lewijacn]

👍 will address in next revision

[gregschohn]

I can pass my datatype nodes, versions, etc to ANY of these 3 commands? What happens if I pass different ones and alternate the order? Do they override the cdk.context.json file?

Could you please provide a bit more explanation for a reader that may have no experience w/ CDK to understand what the appropriate workflows should be. The notes are also missing how to tear a stack down.

[lewijacn]

Sure will add some details on using these options as mentioned and a stack tear down section

[gregschohn]

The README mentions that some are required. If the required ones are not present, what happens?

[gregschohn]

General TS/CDK UX comment - I'm not crazy about having a configuration file that the user fills out alongside other code in the repo. It's lacking a separation between library code and customization. Even if that's how CDK typically stages stuff, it still smells.

[gregschohn]

How do you know that those 3 values are required for Cognito auth? How do you know that you've got all of the possible required groupings? (maybe you don't, and it's worth calling that out)

[chelma]

Yeah, I have concerns about this too. I think the right approach is to provide a thin wrapper around the AWS APIs and let the CDK/CFN surface errors to the user if present. Don't think we want to insert ourselves into that process as it won't be sustainable.

[lewijacn]

This is based off requirements that the Domain CDK construct has on required fields for certain objects/features. I don't have much attachment here and am okay to remove these checks. From the construct side, some objects have required fields that should only be created if we have the required fields otherwise CDK will fail synthesis and produce some very ambiguous error messages such as Cannot read property 'length' of undefined for missing domain endpoint name field. To accommodate this, I feel we have to take on the required field assumption and check for this, but open to other work arounds

[gregschohn]

what happens if I pass in something undefined like OS_99.99?

[lewijacn]

It will get passed to CFN, as it is valid format, however cdk deploy will fail with unsupported version error

[gregschohn]

+1

[chelma]

Nitpick - what is the base directory you mention? I think users will find that ambiguous.

[chelma]

Can you please provide some example values this variable could take (e.g. gamma, dev, PROD) and explain how they will be incorporated into the created resources.

[chelma]

Curious what's up with these line breaks? Seems like this should either be split earlier if it's at 120 characters, or not at all.

[lewijacn]

Fixed, just my intelij not wanting to word wrap was cause

[chelma]

Nitpick - Stack and resource names have a maximum length, and the CDKStack portion of this one probably doesn't provide value. Consider removing.

[lewijacn]

I actually think the CDK portion is rather helpful to quickly identify in the Console that this was deployed with CDK which helps with identifying if a CDKToolkit stack is missing or why the CFN template looks the way it does

[lewijacn]

Will try to shorten this though

[chelma]

If the domain name is region- or account-unique, then we probably should embed the region/stage name into it. Also, we probably don't want to embed "CDK" into the name but open to it if you see value in that?

[lewijacn]

Definitely agree "cdk" not needed here and we should have a way to give region/stage here. Do you mind if I put this in a later task? I want to make it so this can be for any resource and still be embedded in the default-values.json or certain options in thecdk.context.json so there aren't any surprises when deploying

[lewijacn]

https://opensearch.atlassian.net/browse/MIGRATIONS-998

[chelma]

What happens if the VPC is left undefined here? Does one get created?

[lewijacn]

Be default no VPC is created, but an existing VPC can be specified in the context

[chelma]

Per discussion - if left undefined, the deployment of the CFN resources will still go through without error. What will happen is the Domain will be created in an OpenSearch Service managed account/VPC instead of one owned by the user. This is the default experience provided by the resource API.

[chelma]

Are we creating this if it's undefined? This seems like something folks will want out of the box.

[lewijacn]

Be default from CDK, this isn't enabled

[chelma]

Per our discussion, we ended up agreeing to go with the resource API defaults for the time being until we develop our own, evidence-based opinions on a "best practice" implementation.

[chelma]

Same comment - seems like something folks will want out of the box.

[lewijacn]

Be default from CDK, this isn't enabled

[chelma]

Ship it!

[gregschohn]

LGTM - this is a WIP & feedback will help make us calibrate