OpenSearch Serverless migration (#689)

* Move from Managed OpenSearch to OpenSearch Serverless
* Add id field to similar items response
* Implemented propagation wait time for Data Access policy
* Ensured search service can still be run locally

Author: gfaires

aws/cloudformation-templates/base/_template.yaml

@@ -162,6 +162,7 @@ Resources:
         PinpointAppId: !Ref PinpointAppId
         GitHubUser: !Ref GitHubUser
         GitHubBranch: !Ref GitHubBranch
+        ProductsCollectionArn: !GetAtt OpenSearch.Outputs.CollectionArn
 
   # Tables
   Tables:
@@ -203,8 +204,8 @@ Resources:
     Condition: CreateOpenSearchServiceLinkedRole
     Type: AWS::IAM::ServiceLinkedRole
     Properties:
-      AWSServiceName: opensearchservice.amazonaws.com
-      Description: "Role for OpenSearch to access resources in VPC"
+      AWSServiceName: observability.aoss.amazonaws.com
+      Description: "Role for OpenSearch to put metrics in CloudWatch"
 
   OpenSearchRoleWaitHandle:
     Condition: CreateOpenSearchServiceLinkedRole
@@ -232,7 +233,7 @@ Resources:
       TemplateURL: !Sub https://s3.amazonaws.com/${ResourceBucket}/${ResourceBucketRelativePath}cloudformation-templates/base/opensearch.yaml
       Parameters:
         VpcId: !GetAtt VPC.Outputs.VpcId
-        Subnet1: !GetAtt VPC.Outputs.Subnet1
+        PrivateSubnets: !GetAtt VPC.Outputs.Subnets
 
   # SSM Parameters
   SSMParameters:
@@ -357,13 +358,13 @@ Outputs:
     Description: Service Discovery Namespace.
     Value: !GetAtt ServiceDiscovery.Outputs.ServiceDiscoveryNamespace
 
-  OpenSearchDomainEndpoint:
-    Description: OpenSearch Domain
-    Value: !GetAtt OpenSearch.Outputs.DomainEndpoint
+  OpenSearchCollectionEndpoint:
+    Description: OpenSearch Collection Endpoint
+    Value: !GetAtt OpenSearch.Outputs.CollectionEndpoint
 
-  OpenSearchDomainArn:
-    Description: OpenSearch Domain
-    Value: !GetAtt OpenSearch.Outputs.DomainArn
+  OpenSearchCollectionArn:
+    Description: OpenSearch Collection Arn
+    Value: !GetAtt OpenSearch.Outputs.CollectionArn
 
   OpenSearchSecurityGroupId:
     Description: OpenSearch Security Group Id

aws/cloudformation-templates/base/notebook.yaml

@@ -44,6 +44,9 @@ Parameters:
 
   PinpointAppId:
     Type: String
+  
+  ProductsCollectionArn:
+    Type: String
 
 Conditions:
   UseDefaultGitHubUser: !Equals
@@ -146,10 +149,14 @@ Resources:
                 Effect: "Allow"
                 Action:
                   - servicediscovery:DiscoverInstances
-                  - es:ListDomainNames
-                  - es:DescribeDomain
-                  - es:ListTags
+                  - aoss:ListCollections
                 Resource: "*"
+              -
+                Effect: "Allow"
+                Action: 
+                  - aoss:APIAccessAll
+                  - aoss:BatchGetCollection
+                Resource: !Ref ProductsCollectionArn
         -
           PolicyName: "1-Personalize"
           PolicyDocument:
@@ -370,6 +377,32 @@ Resources:
                   - logs:CreateLogGroup
                 Resource: '*'
 
+  DataAccessPolicy:
+    Type: AWS::OpenSearchServerless::AccessPolicy
+    Properties:
+      Name: retaildemostore-notebook
+      Type: data
+      Description: Access policy to allow SageMaker Notebook access to the retail demo store collections
+      Policy:
+        !Sub |
+          [{
+              "Description": "Access for SageMaker notebook",
+              "Rules": [
+                {
+                    "ResourceType": "index",
+                    "Resource": [
+                     "index/retaildemostore-products/*"
+                    ],
+                    "Permission": [
+                        "aoss:*"
+                    ]
+                }
+              ],
+              "Principal": [
+                "${ExecutionRole.Arn}"
+              ]
+          }]
+
 Outputs:
   NotebookInstanceId:
     Value: !Ref NotebookInstance

aws/cloudformation-templates/base/opensearch.yaml

@@ -6,54 +6,14 @@ Description: >
 
 Parameters:
 
-  Subnet1:
+  PrivateSubnets:
     Type: String
 
   VpcId:
     Type: String
 
 Resources:
 
-
-  OpenSearchDomain:
-    Type: AWS::OpenSearchService::Domain
-    Properties:
-      EngineVersion: OpenSearch_2.3
-      ClusterConfig:
-        InstanceCount: 1
-        InstanceType: t3.small.search
-        ZoneAwarenessEnabled: false
-      DomainEndpointOptions:
-        EnforceHTTPS: true
-      NodeToNodeEncryptionOptions:
-        Enabled: true
-      EBSOptions:
-        EBSEnabled: true
-        Iops: 0
-        VolumeSize: 10
-        VolumeType: gp2
-      AccessPolicies:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Principal:
-              AWS: '*'
-            Action: 'es:*'
-            Resource: '*'
-      AdvancedOptions:
-        rest.action.multi.allow_explicit_index: 'true'
-      EncryptionAtRestOptions:
-        Enabled: true
-      VPCOptions:
-        SubnetIds:
-          - !Ref Subnet1
-        SecurityGroupIds:
-          - !GetAtt SecurityGroup.GroupId
-      Tags:
-        -
-          Key: "Name"
-          Value: "retaildemostore"
-
   SecurityGroup:
     Type: AWS::EC2::SecurityGroup
     Properties:
@@ -64,13 +24,77 @@ Resources:
           IpProtocol: tcp
           ToPort: 443
           CidrIp: 0.0.0.0/0
+    
+  AOSSVpcEndpoint:
+    Type: AWS::OpenSearchServerless::VpcEndpoint
+    Properties:
+      Name: aoss-retaildemostore-vpcendpoint
+      VpcId: !Ref VpcId
+      SubnetIds: !Split [",", !Ref PrivateSubnets ]
+      SecurityGroupIds:
+        - !Ref SecurityGroup
+
+  EncryptionPolicy:
+    Type: AWS::OpenSearchServerless::SecurityPolicy
+    Properties:
+      Name: retaildemostore-security-policy
+      Type: encryption
+      Description: Encryption policy for the retail demo store collections
+      Policy:
+        !Sub |
+          {
+            "Rules": [
+              {
+                "ResourceType": "collection",
+                "Resource": [
+                  "collection/retaildemostore*"
+                ]
+              }
+            ],
+            "AWSOwnedKey": true
+          }
+
+  NetworkPolicy:
+    Type: AWS::OpenSearchServerless::SecurityPolicy
+    Properties:
+      Name: retaildemostore-network-policy
+      Type: network
+      Description: Network policy for the retail demo store collections
+      Policy:
+        !Sub |
+          [{
+            "Rules": [
+              {
+                "ResourceType": "collection",
+                "Resource": [
+                  "collection/retaildemostore*"
+                ]
+              }
+            ],
+            "AllowFromPublic": false,
+            "SourceVPCEs": [
+              "${AOSSVpcEndpoint}"
+            ]
+           }]       
+
+  Collection:
+    Type: AWS::OpenSearchServerless::Collection
+    DependsOn: EncryptionPolicy
+    Properties:
+      Name: retaildemostore-products
+      Type: SEARCH
+      StandbyReplicas: DISABLED
+      Description: Collection to hold product data
+      Tags:
+        - Key: "Name"
+          Value: "retaildemostore"
 
 Outputs:
-  DomainArn:
-    Value: !GetAtt OpenSearchDomain.DomainArn
+  CollectionArn:
+    Value: !GetAtt Collection.Arn
 
-  DomainEndpoint:
-    Value: !GetAtt OpenSearchDomain.DomainEndpoint
+  CollectionEndpoint:
+    Value: !GetAtt Collection.CollectionEndpoint
 
   SecurityGroupId:
-    Value: !Ref SecurityGroup
+    Value: !Ref SecurityGroup

aws/cloudformation-templates/deployment-support.yaml

@@ -50,10 +50,7 @@ Parameters:
       - 'No'
     Default: 'No'
 
-  Subnet1:
-    Type: String
-
-  Subnet2:
+  Subnets:
     Type: String
 
   LambdaVpcSecurityGroup:
@@ -62,10 +59,10 @@ Parameters:
   OpenSearchSecurityGroupId:
     Type: String
 
-  OpenSearchDomainArn:
+  OpenSearchCollectionArn:
     Type: String
 
-  OpenSearchDomainEndpoint:
+  OpenSearchCollectionEndpoint:
     Type: String
 
   ParameterIVSVideoChannelMap:
@@ -172,9 +169,7 @@ Resources:
       VpcConfig:
         SecurityGroupIds:
           - !Ref LambdaVpcSecurityGroup
-        SubnetIds:
-          - !Ref Subnet1
-          - !Ref Subnet2
+        SubnetIds: !Split [",", !Ref Subnets ]
       Environment:
         Variables:
           ProductsServiceUrl: !Ref ProductsServiceExternalUrl
@@ -240,9 +235,7 @@ Resources:
       VpcConfig:
         SecurityGroupIds:
           - !Ref LambdaVpcSecurityGroup
-        SubnetIds:
-          - !Ref Subnet1
-          - !Ref Subnet2
+        SubnetIds: !Split [",", !Ref Subnets ]
       Environment:
         Variables:
           bucket: !Ref StackBucketName
@@ -489,63 +482,70 @@ Resources:
       VpcConfig:
         SecurityGroupIds:
           - !Ref OpenSearchSecurityGroupId
-        SubnetIds:
-          - !Ref Subnet1
-          - !Ref Subnet2
+        SubnetIds: !Split [",", !Ref Subnets ]
 
   OpenSearchPreIndexLambdaExecutionRole:
     Condition: DeployPreIndexOpenSearch
-    Type: 'AWS::IAM::Role'
+    Type: AWS::IAM::Role
     Properties:
       AssumeRolePolicyDocument:
         Version: 2012-10-17
         Statement:
           - Effect: Allow
             Principal:
-              Service:
-                - lambda.amazonaws.com
-            Action:
-              - 'sts:AssumeRole'
-      Path: /service-role/
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
+              Service: lambda.amazonaws.com
+            Action: sts:AssumeRole
+      Path: /
       Policies:
-        - PolicyName: root
+        - PolicyName: OpenSearchServerless
           PolicyDocument:
             Version: 2012-10-17
             Statement:
               - Effect: Allow
-                Action:
-                  - logs:CreateLogGroup
-                  - ec2:CreateNetworkInterface
-                  - ec2:DeleteNetworkInterface
-                  - ec2:DescribeNetworkInterfaces
-                Resource: '*'
-              - Effect: Allow
-                Action:
-                  - logs:CreateLogStream
-                  - logs:PutLogEvents
-                Resource:
-                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*OpenSearch*:log-stream:*'
-                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*OpenSearch*'
-              - Effect: Allow
-                Action:
-                  - es:ESHttpDelete
-                  - es:ESHttpGet
-                  - es:ESHttpPost
-                  - es:ESHttpPut
-                Resource: !Ref OpenSearchDomainArn
+                Action: aoss:APIAccessAll
+                Resource: !Ref OpenSearchCollectionArn
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole    
 
   # Custom resource to launch opensearch preindex function
   CustomLaunchOpenSearchPreIndexLambdaFunction:
     Condition: DeployPreIndexOpenSearch
     Type: Custom::CustomLambdaOpenSearch
     Properties:
       ServiceToken: !GetAtt OpenSearchPreIndexLambdaFunction.Arn
-      OpenSearchDomainEndpoint: !Ref OpenSearchDomainEndpoint
+      OpenSearchCollectionEndpoint: !Ref OpenSearchCollectionEndpoint
       Bucket: !Ref ResourceBucket
       File: !Sub '${ResourceBucketRelativePath}data/products.yaml'
 
+  DataAccessPolicy:
+    Type: AWS::OpenSearchServerless::AccessPolicy
+    Condition: DeployPreIndexOpenSearch
+    DependsOn: OpenSearchPreIndexLambdaExecutionRole
+    Properties:
+      Name: retaildemostore-index-lambda
+      Type: data
+      Description: !Sub Access policy to allow pre-index lambda access to retail demo store collections
+      Policy:
+        !Sub |
+          [{
+              "Description": "Access for Pre-index lambda",
+              "Rules": [
+                {
+                    "ResourceType": "index",
+                    "Resource": [
+                      "index/retaildemostore-products/*"
+                    ],
+                    "Permission": [
+                        "aoss:*"
+                    ]
+                }
+              ],
+              "Principal": [
+                "${OpenSearchPreIndexLambdaExecutionRole.Arn}"
+              ]
+          }]
+
   ####################### Pre-Create Pinpoint Workshop #######################
 
   PinpointPreCreateLambdaFunction: