VhhdZdZdZddlZddlZddlmZ ddlZddl m Z ddl m Z ddl mZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*d Z+d!Z,d"Z-e.d#k(re-yy#e$rYwxYw)$a3 --- module: opensearch short_description: Creates OpenSearch or ElasticSearch domain description: - Creates or modify a Amazon OpenSearch Service domain. version_added: 4.0.0 author: - "Sebastien Rosset (@sebastien-rosset)" options: state: description: - Creates or modifies an existing OpenSearch domain. - Deletes an OpenSearch domain. required: false type: str choices: ['present', 'absent'] default: present domain_name: description: - The name of the Amazon OpenSearch/ElasticSearch Service domain. - Domain names are unique across the domains owned by an account within an AWS region. required: true type: str engine_version: description: -> The engine version to use. For example, 'ElasticSearch_7.10' or 'OpenSearch_1.1'. -> If the currently running version is not equal to I(engine_version), a cluster upgrade is triggered. -> It may not be possible to upgrade directly from the currently running version to I(engine_version). In that case, the upgrade is performed incrementally by upgrading to the highest compatible version, then repeat the operation until the cluster is running at the target version. -> The upgrade operation fails if there is no path from current version to I(engine_version). -> See OpenSearch documentation for upgrade compatibility. required: false type: str allow_intermediate_upgrades: description: - > If true, allow OpenSearch domain to be upgraded through one or more intermediate versions. - > If false, do not allow OpenSearch domain to be upgraded through intermediate versions. The upgrade operation fails if it's not possible to ugrade to I(engine_version) directly. required: false type: bool default: true cluster_config: description: - Parameters for the cluster configuration of an OpenSearch Service domain. type: dict suboptions: instance_type: description: - Type of the instances to use for the domain. required: false type: str instance_count: description: - Number of instances for the domain. required: false type: int zone_awareness: description: - A boolean value to indicate whether zone awareness is enabled. required: false type: bool availability_zone_count: description: - > An integer value to indicate the number of availability zones for a domain when zone awareness is enabled. This should be equal to number of subnets if VPC endpoints is enabled. required: false type: int dedicated_master: description: - A boolean value to indicate whether a dedicated master node is enabled. required: false type: bool dedicated_master_instance_type: description: - The instance type for a dedicated master node. required: false type: str dedicated_master_instance_count: description: - Total number of dedicated master nodes, active and on standby, for the domain. required: false type: int warm_enabled: description: - True to enable UltraWarm storage. required: false type: bool warm_type: description: - The instance type for the OpenSearch domain's warm nodes. required: false type: str warm_count: description: - The number of UltraWarm nodes in the domain. required: false type: int cold_storage_options: description: - Specifies the ColdStorageOptions config for a Domain. type: dict suboptions: enabled: description: - True to enable cold storage. Supported on Elasticsearch 7.9 or above. required: false type: bool ebs_options: description: - Parameters to configure EBS-based storage for an OpenSearch Service domain. type: dict suboptions: ebs_enabled: description: - Specifies whether EBS-based storage is enabled. required: false type: bool volume_type: description: - Specifies the volume type for EBS-based storage. "standard"|"gp2"|"io1" required: false type: str volume_size: description: - Integer to specify the size of an EBS volume. required: false type: int iops: description: - The IOPD for a Provisioned IOPS EBS volume (SSD). required: false type: int vpc_options: description: - Options to specify the subnets and security groups for a VPC endpoint. type: dict suboptions: subnets: description: - Specifies the subnet ids for VPC endpoint. required: false type: list elements: str security_groups: description: - Specifies the security group ids for VPC endpoint. required: false type: list elements: str snapshot_options: description: - Option to set time, in UTC format, of the daily automated snapshot. type: dict suboptions: automated_snapshot_start_hour: description: - > Integer value from 0 to 23 specifying when the service takes a daily automated snapshot of the specified Elasticsearch domain. required: false type: int access_policies: description: - IAM access policy as a JSON-formatted string. required: false type: dict encryption_at_rest_options: description: - Parameters to enable encryption at rest. type: dict suboptions: enabled: description: - Should data be encrypted while at rest. required: false type: bool kms_key_id: description: - If encryption at rest enabled, this identifies the encryption key to use. - The value should be a KMS key ARN. It can also be the KMS key id. required: false type: str node_to_node_encryption_options: description: - Node-to-node encryption options. type: dict suboptions: enabled: description: - True to enable node-to-node encryption. required: false type: bool cognito_options: description: - Parameters to configure OpenSearch Service to use Amazon Cognito authentication for OpenSearch Dashboards. type: dict suboptions: enabled: description: - The option to enable Cognito for OpenSearch Dashboards authentication. required: false type: bool user_pool_id: description: - The Cognito user pool ID for OpenSearch Dashboards authentication. required: false type: str identity_pool_id: description: - The Cognito identity pool ID for OpenSearch Dashboards authentication. required: false type: str role_arn: description: - The role ARN that provides OpenSearch permissions for accessing Cognito resources. required: false type: str domain_endpoint_options: description: - Options to specify configuration that will be applied to the domain endpoint. type: dict suboptions: enforce_https: description: - Whether only HTTPS endpoint should be enabled for the domain. type: bool tls_security_policy: description: - Specify the TLS security policy to apply to the HTTPS endpoint of the domain. type: str custom_endpoint_enabled: description: - Whether to enable a custom endpoint for the domain. type: bool custom_endpoint: description: - The fully qualified domain for your custom endpoint. type: str custom_endpoint_certificate_arn: description: - The ACM certificate ARN for your custom endpoint. type: str advanced_security_options: description: - Specifies advanced security options. type: dict suboptions: enabled: description: - True if advanced security is enabled. - You must enable node-to-node encryption to use advanced security options. type: bool internal_user_database_enabled: description: - True if the internal user database is enabled. type: bool master_user_options: description: - Credentials for the master user, username and password, ARN, or both. type: dict suboptions: master_user_arn: description: - ARN for the master user (if IAM is enabled). type: str master_user_name: description: - The username of the master user, which is stored in the Amazon OpenSearch Service domain internal database. type: str master_user_password: description: - The password of the master user, which is stored in the Amazon OpenSearch Service domain internal database. type: str saml_options: description: - The SAML application configuration for the domain. type: dict suboptions: enabled: description: - True if SAML is enabled. - To use SAML authentication, you must enable fine-grained access control. - You can only enable SAML authentication for OpenSearch Dashboards on existing domains, not during the creation of new ones. - Domains only support one Dashboards authentication method at a time. If you have Amazon Cognito authentication for OpenSearch Dashboards enabled, you must disable it before you can enable SAML. type: bool idp: description: - The SAML Identity Provider's information. type: dict suboptions: metadata_content: description: - The metadata of the SAML application in XML format. type: str entity_id: description: - The unique entity ID of the application in SAML identity provider. type: str master_user_name: description: - The SAML master username, which is stored in the Amazon OpenSearch Service domain internal database. type: str master_backend_role: description: - The backend role that the SAML master user is mapped to. type: str subject_key: description: - Element of the SAML assertion to use for username. Default is NameID. type: str roles_key: description: - Element of the SAML assertion to use for backend roles. Default is roles. type: str session_timeout_minutes: description: - The duration, in minutes, after which a user session becomes inactive. Acceptable values are between 1 and 1440, and the default value is 60. type: int auto_tune_options: description: - Specifies Auto-Tune options. type: dict suboptions: desired_state: description: - The Auto-Tune desired state. Valid values are ENABLED and DISABLED. type: str choices: ['ENABLED', 'DISABLED'] maintenance_schedules: description: - A list of maintenance schedules. type: list elements: dict suboptions: start_at: description: - The timestamp at which the Auto-Tune maintenance schedule starts. type: str duration: description: - Specifies maintenance schedule duration, duration value and duration unit. type: dict suboptions: value: description: - Integer to specify the value of a maintenance schedule duration. type: int unit: description: - The unit of a maintenance schedule duration. Valid value is HOURS. choices: ['HOURS'] type: str cron_expression_for_recurrence: description: - A cron expression for a recurring maintenance schedule. type: str wait: description: - Whether or not to wait for completion of OpenSearch creation, modification or deletion. type: bool default: false wait_timeout: description: - how long before wait gives up, in seconds. default: 300 type: int extends_documentation_fragment: - amazon.aws.common.modules - amazon.aws.region.modules - amazon.aws.tags - amazon.aws.boto3 z # aL - name: Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters community.aws.opensearch: domain_name: "dev-cluster" engine_version: Elasticsearch_1.1 cluster_config: instance_type: "t2.small.search" instance_count: 2 zone_awareness: false dedicated_master: false ebs_options: ebs_enabled: true volume_type: "gp2" volume_size: 10 access_policies: "{{ lookup('file', 'policy.json') | from_json }}" - name: Create OpenSearch domain with dedicated masters community.aws.opensearch: domain_name: "my-domain" engine_version: OpenSearch_1.1 cluster_config: instance_type: "t2.small.search" instance_count: 12 dedicated_master: true zone_awareness: true availability_zone_count: 2 dedicated_master_instance_type: "t2.small.search" dedicated_master_instance_count: 3 warm_enabled: true warm_type: "ultrawarm1.medium.search" warm_count: 1 cold_storage_options: enabled: false ebs_options: ebs_enabled: true volume_type: "io1" volume_size: 10 iops: 1000 vpc_options: subnets: - "subnet-e537d64a" - "subnet-e537d64b" security_groups: - "sg-dd2f13cb" - "sg-dd2f13cc" snapshot_options: automated_snapshot_start_hour: 13 access_policies: "{{ lookup('file', 'policy.json') | from_json }}" encryption_at_rest_options: enabled: false node_to_node_encryption_options: enabled: false auto_tune_options: enabled: true maintenance_schedules: - start_at: "2025-01-12" duration: value: 1 unit: "HOURS" cron_expression_for_recurrence: "cron(0 12 * * ? *)" - start_at: "2032-01-12" duration: value: 2 unit: "HOURS" cron_expression_for_recurrence: "cron(0 12 * * ? *)" tags: Environment: Development Application: Search wait: true - name: Increase size of EBS volumes for existing cluster community.aws.opensearch: domain_name: "my-domain" ebs_options: volume_size: 5 wait: true - name: Increase instance count for existing cluster community.aws.opensearch: domain_name: "my-domain" cluster_config: instance_count: 40 wait: true N)deepcopy) string_types)is_boto3_error_code)compare_policies)AWSRetry)boto3_tag_list_to_ansible_dict)AnsibleCommunityAWSModule)compare_domain_versions) ensure_tags)get_domain_config)get_domain_status)get_target_increment_version)normalize_opensearch) parse_version)wait_for_domain_statusc |jjd}d}t|||}|jr|j dd |j |d}|r|jjd s t|S t|||d t|S#t d$rtdcYStjjtjjf$r}|j|d Yd}~d}~wwxYw#t d$rt|cYStjjtjjf$r}|j|d Yd}~yd}~wwxYw)N domain_nameFTz.Would have deleted domain if not in check modechangedmsg) DomainNameResourceNotFoundException)rztrying to delete domainrwaitdomain_deletedzawaiting domain deletion)paramsgetr check_mode exit_json delete_domainrdictbotocore exceptions ClientError BotoCoreError fail_json_awsr)clientmodulerrdomaines l/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/aws/plugins/modules/opensearch.pyensure_domain_absentr,se--##M2KG vv{ ;F +[\ ? 4 **62G$$ <vv{> ? : ;%G$$'')) < Q :;; >Fc |jjd}|}d}|jrd}|}||k7rt||||}||}||k7r6|jjds|j d|d|d||||d } |jst |||d  |j di| |jr|jdd|d |d|}||k7r|jjdrt |||d yy#tjjtjjf$r&} |j| d |d |d |Yd} ~ d} ~ wwxYw)NrFTallow_intermediate_upgradeszCannot upgrade from z to version z$. The highest compatible version is r)r TargetVersionPerformCheckOnlydomain_availablezCouldn't upgrade domain z from  to z Would have upgraded domain from z if not in check moderr) rrrr fail_jsonrupgrade_domainr"r#r%r$r&r) r'r(source_versiontarget_engine_versionr next_versionperform_check_onlycurrent_versionv parametersr*s r+r5r5!s--##M2K)L !$O 2 2 (F[ \ 91L 0 0==$$%BC  .~.>lK`JabFGSFTU! &) 2   #66;@R S  !F ! ! /J /      66GtL>Yno  'W 2 2Z}} vv{ *   , - 9.:.>.>?O.PN? +   , - 95A5E5EFV5WN1 2 0 1 9:F+\-=-=>W-X945   . / ;7C7G7GHZ7[N3 4 2 3 @AM8D8H8HIi8j45 ABN9E9I9IJk9l56   N + 7,8,<,<^,LN= ) - ( ,8-9-=-=k-Jz* -9.:.>.>|.L{+(,,-CD4_EGZ[^__  (->-B-B9-M   !@  A/6 ,DY1Y "/ 2 6 67KT R  (->-B-B9-M-Y,00;4N/ 0(-B?-SWe-e78Mo8^7__cdrcstu Ncd}|d}|jjd}||S|jd|jd|d<|dsddi|d<no|jd|jd|d<|jd|jd|d <|jd |jd |d <|$|d|k7r|jd |dd |d}|S)NF EBSOptions ebs_options ebs_enabled EBSEnabled volume_type VolumeType volume_size VolumeSizeiopsIopszEBSOptions changed from r2Trrr[)r(r\r]r^r ebs_configebs_optss r+set_ebs_optionsrqsG&|4J}}  /H||M".#+<< #> < l # %/ l+ << & 2'/||M'BJ| $ << & 2'/||M'BJ| $ <<  +!)f!5Jv (-B<-PT^-^45J<5X4YY]^h]ijk NrbcJd}|d}|jjd}|y|jd|jd|d<|dsddi|d<n%|jd|jd|d<|$|d|k7r|jd|dd |d }|S) NFEncryptionAtRestOptionsencryption_at_rest_optionsrWrY kms_key_idKmsKeyIdz%EncryptionAtRestOptions changed from r2Trn)r(r\r]r^rencryption_at_rest_configencryption_at_rest_optss r+set_encryption_at_rest_optionsrysG 56O P$mm//0LM&""9-9/F/J/J9/U!), $Y / u< 78 # & &| 4 @4K4O4OP\4] %j 1 ) !"; <@Y Y34IJc4d3ef)* ,  Nrbcd}|d}|jjd}||S|jd|jd|d<|$|d|k7r|jd|dd|d}|S) NFNodeToNodeEncryptionOptionsnode_to_node_encryption_optionsrWrYz)NodeToNodeEncryptionOptions changed from r2Trn)r(r\r]r^rnode_to_node_encryption_confignode_to_node_encryption_optss r+#set_node_to_node_encryption_optionsrsG%:;X%Y"#)==#4#45V#W #+#'' 2>4P4T4TU^4_&y1 ) !"? @Db b78MNk8l7mn./ 1  Nrbcd}d}d|vr|d}|jjd}||S|jd}|J|i}||d<t|tr,|j dDcgc]}|j }}||d<|jd} | J|i}||d<t| tr,| j dDcgc]}|j } }| |d<|d} d} d|vrd|dvrt |ddd kDrd } d|vrd|dvrt |ddd kDrd } | | k7r|jd d }|S| dur |St|ddt|dk7r"|jd |ddd |dd }t|ddt|dk7r"|jd|ddd |dd }|Scc}wcc}w)NF VPCOptions vpc_optionssubnets, SubnetIdssecurity_groupsSecurityGroupIdsrTz+VPCOptions changed between Internet and VPCzSubnetIds changed from r2zSecurityGroup changed from ) rr isinstancersplitstriplenr[set) r(r\r]r^r vpc_configvpc_opts vpc_subnetsxvpc_security_groupscurrent_cluster_is_vpcdesired_cluster_is_vpcs r+set_vpc_optionsrsGJ,,*<8 }}  /H,,y)K  J2< !, / k< 0.9.?.?.DE1779EKE"- ;",,'89&  J2< !, / )< 86I6O6OPS6T"U1779"U "U)< %&(!&!& 1 14\BB),7 DEI%) " 1 14\BB),7 DEI%) " !%; ;   K LG$ N#$u ,  N(6{CDJWbLcHdd!!-.CL.QR].^-_`";/02(67IJKsS]^pSqOrr!!12G 2UVh2i1jk"#5679 NcF#Vs ,G Gcd}|d}|jjd}||S|jd|jd|d<||d|k7r|jdd}|S)NFSnapshotOptionssnapshot_optionsautomated_snapshot_start_hourAutomatedSnapshotStartHourzSnapshotOptions changedTrn)r(r\r]r^rsnapshot_config snapshot_optss r+set_snapshot_optionsr*sG+,=>OMM%%&89M89E8E8I8IJi8j45(-BCT-UYh-h34 Nrbcd}|d}|jjd}||S|jd|jd|d<|dsddi|d<no|jd|jd|d<|jd|jd|d <|jd |jd |d <|$|d|k7r|jd |dd |d}|S)NFCognitoOptionscognito_optionsrWrYcognito_user_pool_id UserPoolIdcognito_identity_pool_idIdentityPoolIdcognito_role_arnRoleArnzCognitoOptions changed from r2Trn)r(r\r]r^rcognito_config cognito_optss r+set_cognito_optionsr8s4G*+;NO ##$:;GVfVjVj*W()<=>RS+..~>  }}Y'3EN]]S\E](7 B }}U+H#<< 23?X`XdXdewXx,];EBCTU<< ,8QYQ]Q]^iQj,];EB:N}}/0?]]&&':;N""#:;I/*6+9+=+=o+N('94 J4 /0  35/0 LANuuZ(H#h(9(9:'00rdrsr{rrrrrengine_versionzCInvalid engine_version. Must be Elasticsearch_X.Y or OpenSearch_X.YrVTzEngineVersion changedz0Would have updated domain if not in check mode: rzCouldn't update domain rrz>state is present but the following is missing: access_policiesz0Would have created a domain if not in check mode DomainStatusARN)r  aws_retryTagListzCouldn't get tags for domain tags purge_tagsrr1rr3)$rrr rrr4rarqryrrrrrrrrr[r5rrrZupdate_domain_configr"r#r%r$r& create_domainr list_tagsr rr r!r)r'r(rr]r\ domain_arnr;rr^r*responser) existing_tags desired_tagsr s r+ensure_domain_presentrs--##M2K mm'' 6)-$)&+   %  u$  u(  )!  u  u$  $U"  J G&R+ ? }})*6 &--++,<= > 9   b c171B1BCS1To.GJ !&*?AVXbccG v'<>SU_``G -f6KMbdnooG 26;PRgisttG v'<>SU_``G #F,ACXZdeeG "6+@BWYcddG ,V5JLacmnnG *63HJ_akllG $V-BDY[effG  )>@UWabbG(  15J?5[ [G   5 6 %o6%o6        J:,W! " % %ot < U+++D.CD ==  . / 7   ] ^      T/a  b Q+v++D.CDHn-FJO6v7G7GJbf7G7ghq7rs ==(L|,J {66:}lT^__G }} ):):vv{} |jd?tj@}|jddk(r t|}n t|}|jdCi|y#t j jt j jf$r}|j|dABYd}~d}~wwxYw)DNstatepresentabsent)choicesdefaultrT)requiredrr.Fbool)rtyperrr!)rrr?int)r)rW)rroptions) r@rBrDrFrIrKrMrOrQrSrUr)rre)rfrhrjrlrlistr)relementsr)rrr)rno_log)rW user_pool_ididentity_pool_idrole_arnrt)rWrur|r)rrrrrr)r#)rrr)rr)rWrrrrrr)rWrrrrrr)rHOURS)rr)rrr)rr"rr )rrr  resource_tags)raliasesr )rrr wait_timeouti,) argument_specsupports_check_mode opensearch)retry_decoratorz+Failed to connect to AWS opensearch servicerr3)AnsibleAWSModuler!r'rjittered_backoffr"r#r$r%r&rr,rr)r(r'r*ret_dicts r+mainr2s [  84iH[ d+[  6[ )-e&RV(W [ !%f= [  "&&#'U#C#'V#D,0%e,L%)5v%F37648e4D!%u6!B"E2#U?)-# $ $$(%f$E!* [ :"26E2R;[ H $e& A $e 4 $e% @u59  I[ \ fuuM$(fuu$U][ l! %f=!%u!5%)5%9!5?  m[ @(, f-#U3(A[ P-1 f--Q[ ^%)"&F"3(,,0f,=$(F48F  %_[ t'+ f-37V3D(,# $ $,0F-1V15T1B!)"&# $ $$(f$5 $%+(,(,59V.2f)"!.2V04(,E(:&*%&848e4D!" $'u[ ~#"& :/F"G*.#!' $ $%)V%)%+(,(,*.E*:)-wi)@)"&<@6 ! +[ n6O+<=o[ p6q[ r651s[ t5#6u[ x!{^F@S|X=V=V=XY}}W)'7(8F x     + +X-@-@-N-N OSQ$QRRSs%Q667S -SS __main__)/ DOCUMENTATIONRETURNEXAMPLESrrcopyrr" ImportErroransible.module_utils.sixransible_collections.community.aws.plugins.module_utils.modulesr r/Aansible_collections.community.aws.plugins.module_utils.opensearchr r r r rrrrr,r5rarqryrrrrrrrrrr2__name__r3rbr+rAsB H T l  2\WPfxeY__jb[d B:/d.CQLk!\ zFI  sB))B10B1