aws_elasticsearchservice_domain Resource
Use the aws_elasticsearchservice_domain InSpec audit resource to test properties of a single specific Elasticsearch domain.
The AWS::Elasticsearch::Domain resource creates an Amazon Elasticsearch Service (Amazon ES) domain.
For additional information, including details on parameters and properties, see the AWS documentation on Elasticsearch Domain.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
Ensure that a domain name exists.
describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
it { should exist }
end
Parameters
domain_name
(required) The name of an Elasticsearch domain. Pass the domain name as a key-value entry in a hash.
Properties
domain_id
- The unique identifier for the specified Elasticsearch domain.
domain_name
- The name of an Elasticsearch domain.
arn
- The Amazon resource name (ARN) of an Elasticsearch domain.
created
- The domain creation status. true if the creation of an Elasticsearch domain is complete; false if domain creation is still in progress.
deleted
- The domain deletion status. true if a delete request has been received for the domain but resource cleanup is still in progress; false if the domain has not been deleted. Once domain deletion is complete, the status of the domain is no longer returned.
endpoint
- The Elasticsearch domain endpoint that you use to submit index and search requests.
endpoints
- Key-value map containing the Elasticsearch domain endpoints used to submit index and search requests.
processing
- The status of the Elasticsearch domain configuration. true if Amazon Elasticsearch Service is processing configuration changes; false if the configuration is active.
upgrade_processing
- The status of an Elasticsearch domain version upgrade. true if Amazon Elasticsearch Service is undergoing a version upgrade; false if the configuration is active.
elasticsearch_version
- The Elasticsearch version.
elasticsearch_cluster_config (instance_type)
- The instance type for an Elasticsearch cluster. UltraWarm instance types are not supported for data instances.
elasticsearch_cluster_config (instance_count)
- The number of instances in the specified domain cluster.
elasticsearch_cluster_config (dedicated_master_enabled)
- A boolean value to indicate whether a dedicated master node is enabled.
elasticsearch_cluster_config (zone_awareness_enabled)
- A boolean value to indicate whether zone awareness is enabled.
elasticsearch_cluster_config (zone_awareness_config (availability_zone_count))
- An integer value to indicate the number of availability zones for a domain when zone awareness is enabled. This should equal the number of subnets if VPC endpoints are enabled.
elasticsearch_cluster_config (dedicated_master_type)
- The instance type for a dedicated master node.
elasticsearch_cluster_config (dedicated_master_count)
- Total number of dedicated master nodes, active and on standby, for the cluster.
elasticsearch_cluster_config (warm_enabled)
- True to enable warm storage.
elasticsearch_cluster_config (warm_type)
- The instance type for the Elasticsearch cluster’s warm nodes.
elasticsearch_cluster_config (warm_count)
- The number of warm nodes in the cluster.
ebs_options (ebs_enabled)
- Specifies whether EBS-based storage is enabled.
ebs_options (volume_type)
- Specifies the volume type for EBS-based storage.
ebs_options (volume_size)
- Integer to specify the size of an EBS volume.
ebs_options (iops)
- Specifies the IOPS for a Provisioned IOPS EBS volume (SSD).
access_policies
- IAM access policy as a JSON-formatted string.
snapshot_options (automated_snapshot_start_hour)
- Specifies the time, in UTC format, when the service takes a daily automated snapshot of the specified Elasticsearch domain. Default value is 0 hours.
vpc_options (vpc_id)
- The VPC Id for the Elasticsearch domain. Exists only if the domain was created with VPCOptions.
vpc_options (subnet_ids)
- Specifies the subnets for VPC endpoint.
vpc_options (availability_zones)
- The availability zones for the Elasticsearch domain. Exists only if the domain was created with VPCOptions.
vpc_options (security_group_ids)
- Specifies the security groups for VPC endpoint.
cognito_options (enabled)
- Specifies the option to enable Cognito for Kibana authentication.
cognito_options (user_pool_id)
- Specifies the Cognito user pool ID for Kibana authentication.
cognito_options (identity_pool_id)
- Specifies the Cognito identity pool ID for Kibana authentication.
cognito_options (role_arn)
- Specifies the role ARN that provides Elasticsearch permissions for accessing Cognito resources.
encryption_at_rest_options (enabled)
- Specifies the option to enable Encryption At Rest.
encryption_at_rest_options (kms_key_id)
- Specifies the KMS Key ID for Encryption At Rest options.
node_to_node_encryption_options (enabled)
- Specify true to enable node-to-node encryption.
advanced_options
- Additional options to specify for the Amazon ES domain.
log_publishing_options (cloud_watch_logs_log_group_arn)
- ARN of the CloudWatch log group to which the logs are to be published.
log_publishing_options (enabled)
- Specifies whether the given log publishing option is enabled.
service_software_options (current_version)
- The current service software version that is present on the domain.
service_software_options (new_version)
- The new service software version if one is available.
service_software_options (update_available)
- Whether you are able to update your service software version. Valid values: true or false.
service_software_options (cancellable)
- Whether you are able to cancel your service software version update. Valid values: true or false.
service_software_options (update_status)
- The status of your service software update. Valid values: ELIGIBLE, PENDING_UPDATE, IN_PROGRESS, COMPLETED, and NOT_ELIGIBLE.
service_software_options (description)
- The description of the UpdateStatus.
service_software_options (automated_update_date)
- Timestamp, in Epoch time, until which you can manually request a service software update. After this date, we automatically update your service software.
service_software_options (optional_deployment)
- Whether service software is never automatically updated after AutomatedUpdateDate. Valid values: true or false.
domain_endpoint_options (enforce_https)
- Specify whether only the HTTPS endpoint should be enabled for the Elasticsearch domain.
domain_endpoint_options (tls_security_policy)
- Specify the TLS security policy to apply to the HTTPS endpoint of the Elasticsearch domain. Valid values are: Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07.
domain_endpoint_options (custom_endpoint_enabled)
- Specify whether a custom endpoint should be enabled for the Elasticsearch domain. Valid values: true or false.
domain_endpoint_options (custom_endpoint)
- Specify the fully qualified domain for your custom endpoint.
domain_endpoint_options (custom_endpoint_certificate_arn)
- Specify the ACM certificate ARN for your custom endpoint.
advanced_security_options (enabled)
- true if advanced security is enabled. Valid values: true or false.
advanced_security_options (internal_user_database_enabled)
- true if the internal user database is enabled. Valid values: true or false.
advanced_security_options (saml_options (enabled))
- true if SAML is enabled. Valid values: true or false.
advanced_security_options (saml_options (idp (metadata_content)))
- The metadata of the SAML application in XML format.
advanced_security_options (saml_options (idp (entity_id)))
- The unique entity ID of the application in the SAML identity provider.
advanced_security_options (saml_options (subject_key))
- The key used for matching the SAML Subject attribute.
advanced_security_options (saml_options (roles_key))
- The key used for matching the SAML Roles attribute.
advanced_security_options (saml_options (session_timeout_minutes))
- The duration, in minutes, after which a user session becomes inactive.
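The properties above are the ones an auditor reads when deciding whether a domain is exposed: the endpoint options (HTTPS enforcement and minimum TLS policy), encryption at rest and node-to-node, advanced security, VPC placement, log publishing, and the resource-based access policy. The following is an added example, not code from the Chef InSpec AWS resource pack. It is plain Ruby rather than the InSpec DSL so that it runs offline without AWS credentials; it evaluates a domain description whose keys mirror the property names on this page and returns one finding per weak setting, with a deliberately weak configuration beside a hardened one. Both domain descriptions, the account number 123456789012 and every ARN and ID are constructed placeholders. In a real profile, each condition would become an expectation on the corresponding property of aws_elasticsearchservice_domain.

```ruby
# Added example, not code from the Chef InSpec AWS resource pack: a plain-Ruby
# hardening review over the security-relevant properties documented above.
# Property names follow this page; both domain descriptions are constructed
# samples (account 123456789012 and all ARNs/IDs are placeholders), not data
# captured from a real domain.
require 'json'

# Constructed weak configuration. Only values this page documents are used.
WEAK_DOMAIN = {
  domain_name: 'example-logs',
  elasticsearch_version: '7.10',
  # Allow for the anonymous principal with no Condition: open to anyone.
  access_policies: JSON.generate({
    'Version' => '2012-10-17',
    'Statement' => [{
      'Effect' => 'Allow',
      'Principal' => { 'AWS' => '*' },
      'Action' => 'es:*',
      'Resource' => 'arn:aws:es:us-east-1:123456789012:domain/example-logs/*'
    }]
  }),
  vpc_options: { vpc_id: nil, subnet_ids: [], security_group_ids: [] },
  encryption_at_rest_options: { enabled: true, kms_key_id: 'EXAMPLE_KMS_KEY_ID' },
  node_to_node_encryption_options: { enabled: false },
  domain_endpoint_options: { enforce_https: true, tls_security_policy: 'Policy-Min-TLS-1-0-2019-07' },
  advanced_security_options: { enabled: false, internal_user_database_enabled: false },
  log_publishing_options: { cloud_watch_logs_log_group_arn: nil, enabled: false }
}.freeze

# Constructed hardened configuration: the same domain with each weak setting corrected.
HARDENED_DOMAIN = WEAK_DOMAIN.merge(
  access_policies: JSON.generate({
    'Version' => '2012-10-17',
    'Statement' => [{
      'Effect' => 'Allow',
      'Principal' => { 'AWS' => 'arn:aws:iam::123456789012:role/ExampleIngestRole' },
      'Action' => 'es:ESHttp*',
      'Resource' => 'arn:aws:es:us-east-1:123456789012:domain/example-logs/*'
    }]
  }),
  vpc_options: { vpc_id: 'vpc-EXAMPLE', subnet_ids: %w[subnet-EXAMPLE-a subnet-EXAMPLE-b], security_group_ids: ['sg-EXAMPLE'] },
  node_to_node_encryption_options: { enabled: true },
  domain_endpoint_options: { enforce_https: true, tls_security_policy: 'Policy-Min-TLS-1-2-2019-07' },
  advanced_security_options: { enabled: true, internal_user_database_enabled: false },
  log_publishing_options: { cloud_watch_logs_log_group_arn: 'arn:aws:logs:us-east-1:123456789012:log-group:EXAMPLE', enabled: true }
).freeze

# An IAM Principal is anonymous when it is the string "*" or {"AWS": "*"} (possibly in a list).
def wildcard_principal?(principal)
  return true if principal == '*'
  return false unless principal.is_a?(Hash)
  Array(principal['AWS']).include?('*')
end

# access_policies is a JSON string; a single Statement may be a hash rather than an array.
def access_policy_findings(policy_json)
  return [] if policy_json.nil? || policy_json.strip.empty?
  statements = JSON.parse(policy_json)['Statement']
  statements = [statements] unless statements.is_a?(Array)
  public = statements.any? do |s|
    s['Effect'] == 'Allow' && wildcard_principal?(s['Principal']) && !s.key?('Condition')
  end
  public ? ['access_policies: Allow statement grants the anonymous (*) principal without a Condition'] : []
rescue JSON::ParserError
  ['access_policies: value is not valid JSON']
end

# Returns one human-readable finding per weak setting; an empty array means all checks passed.
def evaluate_domain(domain)
  findings = []
  endpoint = domain.fetch(:domain_endpoint_options, {})
  findings << 'domain_endpoint_options.enforce_https: cleartext HTTP endpoint still enabled' unless endpoint[:enforce_https] == true
  unless endpoint[:tls_security_policy] == 'Policy-Min-TLS-1-2-2019-07'
    findings << "domain_endpoint_options.tls_security_policy: #{endpoint[:tls_security_policy].inspect} permits TLS below 1.2"
  end
  findings << 'encryption_at_rest_options.enabled: data at rest is not encrypted' unless domain.dig(:encryption_at_rest_options, :enabled) == true
  findings << 'node_to_node_encryption_options.enabled: intra-cluster traffic is not encrypted' unless domain.dig(:node_to_node_encryption_options, :enabled) == true
  findings << 'advanced_security_options.enabled: fine-grained access control is disabled' unless domain.dig(:advanced_security_options, :enabled) == true
  findings << 'vpc_options.vpc_id: domain has a public endpoint (not VPC-only)' if domain.dig(:vpc_options, :vpc_id).nil?
  findings << 'log_publishing_options.enabled: no logs are published to CloudWatch' unless domain.dig(:log_publishing_options, :enabled) == true
  findings.concat(access_policy_findings(domain[:access_policies]))
end

if $PROGRAM_NAME == __FILE__
  { 'weak' => WEAK_DOMAIN, 'hardened' => HARDENED_DOMAIN }.each do |label, domain|
    findings = evaluate_domain(domain)
    puts "#{label}: #{findings.empty? ? 'no findings' : "#{findings.size} finding(s)"}"
    findings.each { |f| puts "  - #{f}" }
  end
end
```

The access-policy check is the one that most often surprises teams: a domain with HTTPS enforced and encryption everywhere is still world-readable if an Allow statement names the anonymous principal without a Condition, so the policy JSON is parsed rather than string-matched, and a single Statement object is handled the same as a Statement array.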
Examples
Ensure a domain name is available.
describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
its('domain_name') { should eq 'DOMAIN_NAME' }
end
Verify the ARN of a desired domain.
describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
its('arn') { should eq 'ELASTICSEARCH_DOMAIN_ARN' }
end
Matchers
For a full list of available matchers, see our Universal Matchers page. The controls will pass if the describe method returns at least one result.
exist
Use should to test that the entity exists.
describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
it { should exist }
end
Use should_not to test that the entity does not exist.
describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
it { should_not exist }
end
be_available
Use should to check if the domain name is available.
describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
it { should be_available }
end
AWS Permissions
Your Principal will need the ElasticsearchService:Client:DescribeElasticsearchDomainResponse action with Effect set to Allow.