How to automate Opensearch Dashboard Security and Alerting Tasks
I have created the Opensearch Dashboard with Cognito Authentication and Fine Grained access control using CDK and able to login to the Dashboard and create Roles, map roles, create monitors, destinations etc in the Dashboard UI. But i would like to create these as part of the CDK stack itself using Custom Resource via Lambda but i'm not able to find opensearch dashboard client to perform this operations from Nodejs lambda. Any pointers on this would be really helpful.
- 最新
- 投票最多
- 评论最多
There is no Opensearch Dashboard SDK available at this time but I'm able to achieve this as part of the CDK Stack using Custom Resource Lambda, Opensearch Dashboard APIs, AWS NodeHttpClient with Sigv4. There is an open requests for adding this capability in the Javascript client though. https://github.com/opensearch-project/opensearch-js/issues/264
Steps I did:
- Add a role for lambda used by custom resource
- update internal roles for Opensearch domain to accept the IAM role as a backend_role for "all_access" internal role, with a request made by lambda, similar to this
curl -X PUT "https://vpc-xxxxxxxxx-xxxxxxxx.eu-west-1.es.amazonaws.com/_plugins/_security/api/rolesmapping/all_access" -H "Content-Type: application/json" -H "kbn-xsrf: true" -u "master_username:master_password" -d '{
"backend_roles": ["arn:aws:iam::xxxxxxxx:role/ROLE-NAME"],
"hosts": [],
"users": ["master_username"]
}'
- do normal signed requests from the same lambda to API to create various things, e.g. POST https://vpc-xxxxxxxxx-xxxxxxxx.eu-west-1.es.amazonaws.com/_dashboards/api/saved_objects/index-pattern e.g.
const generateRequest = (request: HttpRequestType) => {
// Promise wrapper for https request
return new Promise((resolve, reject) => {
const options = {
hostname: request.hostname,
port: request.port,
protocol: request.protocol,
path: request.path,
method: request.method,
headers: request.headers,
};
const req = https.request(options, (res) => {
let responseBody = "";
res.on("data", (d) => {
responseBody += d;
});
res.on("end", () => {
resolve(responseBody);
});
});
req.on("error", (error) => {
reject(error);
});
// Write data to request body
req.write(request.body);
req.end();
});
};
const credentials = await defaultProvider()();
const signer = new SignatureV4({
credentials,
region: process.env.AWS_REGION,
service: "es",
sha256: Sha256,
});
const indexPatternRequest = new HttpRequest({
body: JSON.stringify({
attributes: {
title: IndexPattern,
},
}),
port: 443,
protocol: "https:",
hostname: DomainDashboardUrl,
path: "/_dashboards/api/saved_objects/index-pattern",
method: "POST",
headers: {
"Content-Type": "application/json",
"osd-xsrf": "true", // Required by OpenSearch Dashboards for all save operations
Host: DomainDashboardUrl,
},
});
const signedRequest = await signer.sign(indexPatternRequest);
const sendRequest = generateRequest(signedRequest);
const response = await sendRequest;
Hi, there is a CDK construct library to manage OpenSearch resources such as role or role mapping.
https://github.com/tmokmss/opensearch-rest-resources
You can create OpenSearch resources with the following code:
import { OpenSearchRole, OpenSearchRoleMapping } from 'opensearch-rest-resources'; const role = new OpenSearchRole(this, 'Role1', { vpc, domain, roleName: 'Role1', payload: { clusterPermissions: ['indices:data/write/bulk'], indexPermissions: [ { indexPatterns: ['*'], allowedActions: ['read', 'write', 'index', 'create_index'], }, ], } }); const roleMapping = new OpenSearchRoleMapping(this, 'RoleMapping1', { vpc, domain, roleName: 'Role1', payload: { backendRoles: [role.roleArn], }, removalPolicy: RemovalPolicy.RETAIN, });
相关内容
AWS 官方已更新 1 年前
