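---
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Template to create an Elasticsearch domain with Kibana access brokered
  through Amazon Cognito: a user pool for sign-in and an identity pool that
  issues credentials for the authenticated/unauthenticated IAM roles.

Parameters:
  DomainName:
    Type: String
    Default: unique-domain-name
    Description: >-
      Name of the Elasticsearch domain. Must be lowercase, 3-28 characters,
      start with a letter and contain only a-z, 0-9 and "-".
    AllowedPattern: "^[a-z][a-z0-9-]{2,27}$"
  PoolName:
    Type: String
    Default: unique-pool-name
    Description: Name used for both the Cognito user pool and the identity pool.
  PoolDomain:
    Type: String
    Default: global-unique-pool-domain
    Description: Hosted-UI domain prefix for the user pool; must be globally unique.

Resources:
  # Role assumed by signed-in (authenticated) Cognito identities. This is the
  # principal trusted by the domain access policy below, so the es:ESHttp*
  # grant is scoped to this domain's ARN rather than "*".
  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      # NOTE(review): a fixed RoleName means only one stack per account can be
      # created from this template; drop it or derive it from ${AWS::StackName}
      # if the template is meant to be reused.
      RoleName: "kibana_es_Cognito_Auth_Role"
      Tags:
        - Key: "dev"
          Value: "cloud"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            # Without the aud/amr conditions any Cognito identity pool (in any
            # account) could obtain credentials for this role; pin the trust
            # to this stack's identity pool and to authenticated identities.
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref CognitoIdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": "authenticated"
      Policies:
        - PolicyName: "kibana_es_Auth_Policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): "cognito-sync:*" and "cognito-identity:*" on "*"
              # are the Cognito console defaults and are far broader than
              # Kibana sign-in needs (they include write/admin actions on
              # every identity pool in the account). Narrow them once the
              # required calls are confirmed.
              - Effect: "Allow"
                Action:
                  - "mobileanalytics:PutEvents"
                  - "cognito-sync:*"
                  - "cognito-identity:*"
                Resource: "*"
              # Least privilege: HTTP access only to this domain, built from
              # the parameter so the role does not depend on the domain
              # resource (which itself references this role).
              - Effect: "Allow"
                Action:
                  - "es:ESHttp*"
                Resource: !Sub "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*"
      Path: "/"

  # Role assumed by guest (unauthenticated) identities. It deliberately has no
  # es:* permissions; it only exists because the identity pool allows
  # unauthenticated identities (see CognitoIdentityPool).
  UnAuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "kibana_es_Cognito_Unauth_Role"
      Tags:
        - Key: "dev"
          Value: "cloud"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            # Same pinning as the authenticated role, restricted to guests.
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref CognitoIdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": "unauthenticated"
      Policies:
        - PolicyName: "kibana_es_Unauth_Policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): "cognito-sync:*" on "*" for anonymous callers is
              # broad; narrow it if the application does not use Cognito Sync.
              - Effect: "Allow"
                Action:
                  - "mobileanalytics:PutEvents"
                  - "cognito-sync:*"
                Resource: "*"
      Path: "/"

  # Service role the Elasticsearch service assumes to configure the Cognito
  # user pool / identity pool for Kibana authentication.
  CognitoAccessForAmazonES:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "CognitoAccessForAmazonES"
      Tags:
        - Key: "dev"
          Value: "cloud"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "es.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonESCognitoAccess"
      Path: "/"

  # User pool that backs Kibana sign-in. Self-service sign-up is disabled so
  # only an administrator can create users.
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Ref PoolName
      UserPoolTags:
        dev: "cloud"
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true

  # Hosted-UI domain for the user pool (used by the Kibana login redirect).
  CognitoUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Ref PoolDomain
      UserPoolId: !Ref CognitoUserPool

  # Identity pool that exchanges user-pool tokens for IAM credentials.
  CognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      # NOTE(review): the classic (basic) flow lets a client request any role
      # the identity pool trusts instead of the role mapped by the pool; keep
      # it only if something relies on it, otherwise set it to false.
      AllowClassicFlow: true
      # NOTE(review): guest identities receive UnAuthenticatedRole credentials
      # with no sign-in; set to false unless anonymous access is required.
      AllowUnauthenticatedIdentities: true
      IdentityPoolName: !Ref PoolName

  IdentityPoolRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref CognitoIdentityPool
      Roles:
        "authenticated": !GetAtt AuthenticatedRole.Arn
        "unauthenticated": !GetAtt UnAuthenticatedRole.Arn

  # NOTE(review): AWS::Elasticsearch::Domain is the legacy resource type; new
  # templates should use AWS::OpenSearchService::Domain.
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: !Ref DomainName
      ElasticsearchVersion: "7.1"
      ElasticsearchClusterConfig:
        InstanceCount: 1
        # NOTE(review): the T2 family does not support encryption at rest or
        # node-to-node encryption; a larger instance type is needed to enable
        # EncryptionAtRestOptions / NodeToNodeEncryptionOptions.
        InstanceType: "t2.small.elasticsearch"
        # ZoneAwarenessEnabled: true
        # DedicatedMasterEnabled: true
        # DedicatedMasterType: "t2.small.elasticsearch"
        # DedicatedMasterCount: 1
      EBSOptions:
        EBSEnabled: true
        Iops: 0
        VolumeSize: 10
        VolumeType: "standard"
      SnapshotOptions:
        AutomatedSnapshotStartHour: 0
      # Kibana sessions carry Cognito credentials; refuse plaintext HTTP and
      # require TLS 1.2 on the domain endpoint.
      DomainEndpointOptions:
        EnforceHTTPS: true
        TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
      CognitoOptions:
        Enabled: true
        IdentityPoolId: !Ref CognitoIdentityPool
        RoleArn: !GetAtt CognitoAccessForAmazonES.Arn
        UserPoolId: !Ref CognitoUserPool
      # Resource-based policy: only the authenticated Cognito role may call the
      # domain. Region, account and partition come from pseudo-parameters so
      # the template is not tied to the account/region it was first written for.
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: !GetAtt AuthenticatedRole.Arn
            Action:
              - "es:ESHttp*"
            Resource: !Sub "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*"
            # Condition:
            #   IpAddress:
            #     aws:SourceIp:
            #       - "37.228.254.150"
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"
      Tags:
        - Key: "dev"
          Value: "cloud"

Outputs:
  DomainArn:
    Description: ARN of the Elasticsearch domain.
    Value: !GetAtt ElasticsearchDomain.DomainArn
  DomainEndpoint:
    Description: Domain endpoint (host name) for the Elasticsearch API.
    Value: !GetAtt ElasticsearchDomain.DomainEndpoint
  KibanaEndpoint:
    Description: Kibana URL path on the domain endpoint.
    Value: !Join ["/", [!GetAtt ElasticsearchDomain.DomainEndpoint, "_plugin/kibana/"]]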