This repository was archived by the owner on Jul 16, 2024. It is now read-only.

Opensearch L3 construct #587

@vgkowski


Currently, we don't have any easy way to set up an OpenSearch domain with fine-grained access control, as it requires running some configuration requests on the cluster API after the cluster is created. The common approach is to use a custom resource to do the API request on the cluster endpoint, like in the AWS native refarch streaming module.

I propose to build an L3 Construct that provides methods to do common cluster configuration with fine-grained access control, including:

  • create cluster with IAM master role
  • update the domain configuration and enable internal database users
  • create internal users mapped with OpenSearch roles
  • create IAM role/user mappings with OpenSearch roles
  • create OpenSearch roles
  • create index mappings
  • create rolling index strategy

The design would be similar to the EmrEksCluster, which provides 2 methods for adding virtual clusters and managed endpoints:

public addEmrVirtualCluster(scope: Construct, options: EmrVirtualClusterOptions): CfnVirtualCluster {

public addManagedEndpoint(scope: Construct, id: string, options: EmrManagedEndpointOptions) {

Methods need to rely on custom resources and follow the Cfn resource lifecycle (create, update, delete). The Lambda custom resource uses the master role to perform the other tasks.
The custom resource should rely on the PreBundledFunction and PreBundledLayer to be sure everything is packaged in the construct and available at synth/deploy time.
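
An added illustration, not part of the issue or of the project's code: one way a custom resource handler could translate the Cfn lifecycle events into calls on the OpenSearch security REST API. The property names (`Kind`, `Name`, `Body`), the function names and the name policy are assumptions; the function only plans the request, and signing and sending it with the master role is left out.

```typescript
// Added example. Property names (Kind, Name, Body) and the name policy are assumptions.
interface CfnEvent {
  RequestType: 'Create' | 'Update' | 'Delete';
  PhysicalResourceId?: string; // absent on Create
  ResourceProperties: { Kind: string; Name: string; Body?: Record<string, unknown> };
}

interface PlannedCall {
  method: 'PUT' | 'DELETE';
  path: string;
  body?: string;
  physicalResourceId: string;
}

// "<collection>/<name>": only the three security collections, and a name that
// cannot contain "/" or be "." / "..", so it stays one path segment.
const ID_RE = /^(roles|rolesmapping|internalusers)\/[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$/;
const API = '/_plugins/_security/api/';

function checked(id: string): string {
  if (!ID_RE.test(id)) throw new Error(`refusing security API target: ${id}`);
  return id;
}

function planSecurityCall(event: CfnEvent): PlannedCall {
  const { Kind, Name, Body } = event.ResourceProperties;
  if (event.RequestType === 'Delete') {
    // Delete what CloudFormation tracks (the physical id), not what the
    // properties currently say.
    const target = checked(event.PhysicalResourceId ?? `${Kind}/${Name}`);
    return { method: 'DELETE', path: API + target, physicalResourceId: target };
  }
  // Create and Update are the same idempotent PUT. If Name changed, the new
  // physical id differs from the old one, so CloudFormation follows up with a
  // Delete event for the old id and the stale object is removed.
  const id = checked(`${Kind}/${Name}`);
  return { method: 'PUT', path: API + id, body: JSON.stringify(Body ?? {}), physicalResourceId: id };
}
```

Because the handler runs with the master role, the allow-list on the target path is what keeps a stack parameter from reaching any other endpoint on the cluster.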

Labels: enhancement, help wanted, top priority, urgent