opensearch-project · DarshitChanpura · Dec 15, 2023 · Dec 15, 2023 · Dec 15, 2023 · Dec 15, 2023
@@ -1,20 +1,24 @@
 # CDK for deploying single-node and multi-node OpenSearch cluster with OpenSearch Dashboards
 
-- [Getting Started](#getting-started)
-- [Deployment](#deployment)
-  - [Required context parameters](#required-context-parameters)
-  - [Interacting with OpenSearch cluster](#interacting-with-opensearch-cluster)
-  - [Restricting Server Access](#restricting-server-access)
-  - [Enable Remote Store Feature](#enable-remote-store-feature)
-- [Check Logs](#check-logs)
-- [Access EC2 Instances](#access-ec2-instances)
-- [Port Mapping](#port-mapping)
-- [Teardown](#teardown)
-- [Contributing](#contributing)
-- [Getting Help](#getting-help)
-- [Code of Conduct](#code-of-conduct)
-- [Security](#security)
-- [License](#license)
+- [CDK for deploying single-node and multi-node OpenSearch cluster with OpenSearch Dashboards](#cdk-for-deploying-single-node-and-multi-node-opensearch-cluster-with-opensearch-dashboards)
+  - [Getting Started](#getting-started)
+  - [Deployment](#deployment)
+    - [Required context parameters](#required-context-parameters)
+      - [Sample command to set up multi-node cluster with security enabled on x64 AL2 machine](#sample-command-to-set-up-multi-node-cluster-with-security-enabled-on-x64-al2-machine)
+    - [Interacting with OpenSearch cluster](#interacting-with-opensearch-cluster)
+      - [Sample commands](#sample-commands)
+    - [Restricting Server Access](#restricting-server-access)
+      - [Please note the load-balancer url is internet facing and can be accessed by anyone.](#please-note-the-load-balancer-url-is-internet-facing-and-can-be-accessed-by-anyone)
+    - [Enable Remote Store Feature](#enable-remote-store-feature)
+  - [Check logs](#check-logs)
+  - [Access EC2 Instances](#access-ec2-instances)
+  - [Port Mapping](#port-mapping)
+  - [Teardown](#teardown)
+  - [Contributing](#contributing)
+  - [Getting Help](#getting-help)
+  - [Code of Conduct](#code-of-conduct)
+  - [Security](#security)
+  - [License](#license)
 
 This project enables user to deploy either a single-node or a multi-node OpenSearch cluster.
 There are two stacks that get deployed:
@@ -36,7 +40,8 @@ In order to deploy both the stacks the user needs to provide a set of required a
 | Name                   | Requirement | Type    | Description                                                                                                                                                                                                                                                                                      |
 |------------------------|:------------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | distVersion            | Required    | string  | The OpenSearch distribution version (released/un-released) the user wants to deploy                                                                                                                                                                                                              |
-| securityDisabled       | Required    | boolean | Enable or disable security plugin                                                                                                                                                                                                                                                                |
+| securityDisabled       | Required    | boolean | Enable or disable security plugin                                                                                                                                                                                          |
+| adminPassword          | Optional    | string  | This value is required when security plugin is enabled and the cluster version is >= 2.12                                                                                                                                                                                         |
 | minDistribution        | Required    | boolean | Is it the minimal OpenSearch distribution with no security and plugins                                                                                                                                                                                                                           |
 | distributionUrl        | Required    | string  | OpenSearch tar distribution url                                                                                                                                                                                                                                                                  |
 | cpuArch                | Required    | string  | CPU platform for EC2, could be either `x64` or `arm64`                                                                                                                                                                                                                                           |
@@ -120,7 +125,7 @@ After CDK Stack deployment the user will be returned a load-balancer url which t
 
 To interact with dashboards use port `8443`. Type `http://<load-balancer-url>:8443` in your browser.
 
-For security enabled cluster run `curl -X GET https://<load-balancer-url> -u 'admin:admin' --insecure`
+For security enabled cluster run `curl -X GET https://<load-balancer-url> -u 'admin:<admin-password>' --insecure`
 The security enabled dashboard is accessible using `http` on port `8443`
 
 ### Restricting Server Access

@@ -50,6 +50,7 @@
   readonly cpuArch: string,
   readonly cpuType: AmazonLinuxCpuType,
   readonly securityDisabled: boolean,
+  readonly adminPassword: string,
   readonly minDistribution: boolean,
   readonly distributionUrl: string,
   readonly dashboardsUrl: string,
@@ -150,7 +151,7 @@
    }

    if (props.singleNodeCluster) {
      console.log('Single node value is true, creating single node configurations');
      singleNodeInstance = new Instance(this, 'single-node-instance', {
        vpc: props.vpc,
        instanceType: singleNodeInstanceType,
@@ -639,6 +640,7 @@
       }
     }
 
+
     // Starting OpenSearch based on whether the distribution type is min or bundle
     if (props.minDistribution) { // using (stackProps.minDistribution) condition is not working when false value is being sent
       cfnInitConfig.push(InitCommand.shellCommand('set -ex;cd opensearch; sudo -u ec2-user nohup ./bin/opensearch >> install.log 2>&1 &',
@@ -647,7 +649,9 @@
           ignoreErrors: false,
         }));
     } else {
-      cfnInitConfig.push(InitCommand.shellCommand('set -ex;cd opensearch; sudo -u ec2-user nohup ./opensearch-tar-install.sh >> install.log 2>&1 &',
+      // set initial admin password needed by demo configuration for clusters 2.12 and above
+      cfnInitConfig.push(InitCommand.shellCommand(`set -ex;cd opensearch; sudo -u ec2-user nohup env OPENSEARCH_INITIAL_ADMIN_PASSWORD=${props.adminPassword}`
+        + `./opensearch-tar-install.sh >> install.log 2>&1 &`,
         {
           cwd: '/home/ec2-user',
           ignoreErrors: false,

@@ -86,6 +86,12 @@ export class OsClusterEntrypoint {
       }
       const security = securityDisabled === 'true';
 
+      // adminPassword is required if security is enabled and demo config is to be run for versions 2.12 and above
+      const adminPassword: String = security ? `${scope.node.tryGetContext('adminPassword')}` : "";    
+      if (!security && Number.parseFloat(distVersion) >= 2.12 && (adminPassword === null || adminPassword === "")) {
+        throw new Error('adminPassword parameter is required to be set when security is enabled');
+      }
+
       const minDistribution = `${scope.node.tryGetContext('minDistribution')}`;
       if (minDistribution !== 'true' && minDistribution !== 'false') {
         throw new Error('minDistribution parameter is required to be set as - true or false');
@@ -250,6 +256,7 @@ export class OsClusterEntrypoint {
       const infraStack = new InfraStack(scope, infraStackName, {
         vpc: this.vpc,
         securityDisabled: security,
+        adminPassword: adminPassword,
         opensearchVersion: distVersion,
         clientNodeCount: clientCount,
         cpuArch,

@@ -524,3 +524,66 @@ test('Throw error on incorrect JSON', () => {
     expect(error.message).toEqual('Encountered following error while parsing customConfigFiles json parameter: SyntaxError: Unexpected token o in JSON at position 25');
   }
 });
+
+test('Throw error when security is enabled and adminPassword is not defined and dist version is greater than or equal to 2.12', () => {
+  const app = new App({
+    context: {
+      securityDisabled: false,
+      minDistribution: false,
+      distributionUrl: 'www.example.com',
+      cpuArch: 'x64',
+      singleNodeCluster: false,
+      dashboardsUrl: 'www.example.com',
+      distVersion: '3.0.0',
+      serverAccessType: 'ipv4',
+      restrictServerAccessTo: 'all',
+      managerNodeCount: 0,
+      dataNodeCount: 3,
+      dataNodeStorage: 200,
+      customRoleArn: 'arn:aws:iam::12345678:role/customRoleName',
+    },
+  });
+
+  try {
+    const testStack = new OsClusterEntrypoint(app, {
+      env: { account: 'test-account', region: 'us-east-1' },
+    });
+
+    // eslint-disable-next-line no-undef
+    fail('Expected an error to be thrown');
+  } catch (error) {
+    expect(error).toBeInstanceOf(Error);
+    // eslint-disable-next-line max-len
+    expect(error.message).toEqual('adminPassword parameter is required to be set when security is enabled');
+  }
+});
+
+test('Should not throw error when security is enabled and adminPassword is not defined and dist version is less than 2.12', () => {
+  const app = new App({
+    context: {
+      securityDisabled: false,
+      minDistribution: false,
+      distributionUrl: 'www.example.com',
+      cpuArch: 'x64',
+      singleNodeCluster: false,
+      dashboardsUrl: 'www.example.com',
+      distVersion: '1.0.0',
+      serverAccessType: 'ipv4',
+      restrictServerAccessTo: 'all',
+      managerNodeCount: 0,
+      dataNodeCount: 3,
+      dataNodeStorage: 200,
+      customRoleArn: 'arn:aws:iam::12345678:role/customRoleName',
+    },
+  });
+
+  // WHEN
+  const testStack = new OsClusterEntrypoint(app, {
+    env: { account: 'test-account', region: 'us-east-1' },
+  });
+
+  // THEN
+  expect(testStack.stacks).toHaveLength(2);
+
+});
+