Lambda >> ElasticSearch >> Kibana
This AWS Solutions Construct implements an AWS Lambda function and an Amazon ElasticSearch Service domain with least-privilege permissions.
Architecture
Here is a minimal deployable pattern definition in TypeScript:
```typescript
import { LambdaToElasticSearchAndKibana } from 'lambda-elasticsearch-kibana';
import { Aws } from "@aws-cdk/core";
import * as lambda from "@aws-cdk/aws-lambda";

// Props for the Lambda function that posts data to the ElasticSearch domain
const lambdaProps: lambda.FunctionProps = {
  code: lambda.Code.fromAsset(`${__dirname}/lambda`),
  runtime: lambda.Runtime.NODEJS_14_X,
  handler: 'index.handler'
};

// Instantiate inside a Stack (or other Construct), where `this` is the scope
new LambdaToElasticSearchAndKibana(this, 'test-lambda-elasticsearch-kibana', {
  lambdaFunctionProps: lambdaProps,
  domainName: 'test-domain',
  // TODO: Ensure the Cognito domain name is globally unique
  cognitoDomainName: 'globallyuniquedomain' + Aws.ACCOUNT_ID
});
```
Initializer
```typescript
new LambdaToElasticSearchAndKibana(scope: Construct, id: string, props: LambdaToElasticSearchAndKibanaProps);
```
Parameters
- scope: Construct
- id: string
- props: LambdaToElasticSearchAndKibanaProps
Pattern Construct Props
Name | Type | Description |
---|---|---|
existingLambdaObj? | lambda.Function | Existing instance of Lambda Function object, providing both this and lambdaFunctionProps will cause an error. |
lambdaFunctionProps? | lambda.FunctionProps | User provided props to override the default props for the Lambda function. |
esDomainProps? | elasticsearch.CfnDomainProps | Optional user provided props to override the default props for the ElasticSearch Service |
domainName | string | Domain name for the Cognito and the ElasticSearch Service |
cognitoDomainName? | string | Optional Cognito Domain Name, if provided it will be used for Cognito Domain, and domainName will be used for the ElasticSearch Domain |
createCloudWatchAlarms | boolean | Whether to create recommended CloudWatch alarms |
domainEndpointEnvironmentVariableName? | string | Optional Name for the ElasticSearch domain endpoint environment variable set for the Lambda function. |
Pattern Properties
Name | Type | Description |
---|---|---|
lambdaFunction | lambda.Function | Returns an instance of lambda.Function created by the construct |
userPool | cognito.UserPool | Returns an instance of cognito.UserPool created by the construct |
userPoolClient | cognito.UserPoolClient | Returns an instance of cognito.UserPoolClient created by the construct |
identityPool | cognito.CfnIdentityPool | Returns an instance of cognito.CfnIdentityPool created by the construct |
elasticsearchDomain | elasticsearch.CfnDomain | Returns an instance of elasticsearch.CfnDomain created by the construct |
elasticsearchRole | iam.Role | Returns an instance of iam.Role created by the construct for elasticsearch.CfnDomain |
cloudwatchAlarms? | cloudwatch.Alarm[] | Returns a list of cloudwatch.Alarm created by the construct |
Lambda Function
This pattern requires a Lambda function that can post data into the ElasticSearch domain. A sample function is provided here.
Default settings
Without any overrides, the out-of-the-box implementation of the Construct sets the following defaults:
AWS Lambda Function
- Configure limited privilege access IAM role for Lambda function
- Enable reusing connections with Keep-Alive for NodeJs Lambda function
- Enable X-Ray Tracing
- Set Environment Variables
  - (default) DOMAIN_ENDPOINT
  - AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 12.x and higher functions)
Amazon Cognito
- Set password policy for User Pools
- Enforce the advanced security mode for User Pools
Amazon ElasticSearch Service
- Deploy best practices CloudWatch Alarms for the ElasticSearch Domain
- Secure the Kibana dashboard access with Cognito User Pools
- Enable server-side encryption for ElasticSearch Domain using AWS managed KMS Key
- Enable node-to-node encryption for ElasticSearch Domain
- Configure the cluster for the Amazon ES domain
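
Because esDomainProps and lambdaFunctionProps override these defaults, it is worth auditing the synthesized CloudFormation template before deploying. The following is an added example, not code from the construct's project: auditTemplate, the rule list and the sample template are constructed for illustration, and it assumes X-Ray tracing is synthesized as TracingConfig.Mode 'Active'.

```typescript
// Added example: audit a synthesized CloudFormation template for the security
// defaults listed above. Names below are hypothetical, not part of the construct.
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };
type Rule = { type: string; name: string; ok: (p: Record<string, any>) => boolean };

// One rule per default: the resource type it applies to and a check on its properties.
const rules: Rule[] = [
  { type: 'AWS::Elasticsearch::Domain', name: 'encryption at rest',
    ok: p => p.EncryptionAtRestOptions?.Enabled === true },
  { type: 'AWS::Elasticsearch::Domain', name: 'node-to-node encryption',
    ok: p => p.NodeToNodeEncryptionOptions?.Enabled === true },
  { type: 'AWS::Elasticsearch::Domain', name: 'Cognito authentication for Kibana',
    ok: p => p.CognitoOptions?.Enabled === true },
  { type: 'AWS::Cognito::UserPool', name: 'advanced security mode ENFORCED',
    ok: p => p.UserPoolAddOns?.AdvancedSecurityMode === 'ENFORCED' },
  { type: 'AWS::Lambda::Function', name: 'X-Ray tracing',
    ok: p => p.TracingConfig?.Mode === 'Active' },  // assumption: enabled means Active
];

// Returns one finding per failed (resource, rule) pair; an empty array means
// every default checked here is still present in the template.
function auditTemplate(t: Template): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    for (const r of rules) {
      if (res.Type === r.type && !r.ok(res.Properties ?? {})) {
        findings.push(`${id}: missing ${r.name}`);
      }
    }
  }
  return findings;
}

// Constructed sample: a template in which an override disabled node-to-node encryption.
const sampleTemplate: Template = { Resources: {
  Domain: { Type: 'AWS::Elasticsearch::Domain', Properties: {
    EncryptionAtRestOptions: { Enabled: true },
    NodeToNodeEncryptionOptions: { Enabled: false },
    CognitoOptions: { Enabled: true } } },
  UserPool: { Type: 'AWS::Cognito::UserPool', Properties: {
    UserPoolAddOns: { AdvancedSecurityMode: 'ENFORCED' } } },
  Fn: { Type: 'AWS::Lambda::Function', Properties: { TracingConfig: { Mode: 'Active' } } },
} };

console.log(auditTemplate(sampleTemplate));
```

In a pipeline, feed it the parsed JSON template produced by `cdk synth` and fail the build when the returned array is non-empty.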