feat: add integ-test, release to pypi

tmokmss · Mar 24, 2024 · 21aae1c · 21aae1c
1 parent 7ea162c
commit 21aae1c
Show file tree

Hide file tree

Showing 23 changed files with 4,479 additions and 206 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.mergify.yml b/.mergify.yml
diff --git a/.projen/deps.json b/.projen/deps.json
diff --git a/.projen/tasks.json b/.projen/tasks.json
diff --git a/.projenrc.ts b/.projenrc.ts
@@ -1,8 +1,8 @@
 import { awscdk } from 'projen';
 const project = new awscdk.AwsCdkConstructLibrary({
-  author: 'Masashi Tomooka',
+  author: 'tmokmss',
   authorAddress: 'tomookam@live.jp',
-  cdkVersion: '2.1.0',
+  cdkVersion: '2.1.0', // we don't guarantee it works in 2.1.0, but it should.
   defaultReleaseBranch: 'main',
   jsiiVersion: '~5.3.0',
   name: 'opensearch-rest-resources',
@@ -16,17 +16,21 @@ const project = new awscdk.AwsCdkConstructLibrary({
     ignorePatterns: ['example/**/*', 'lambda/**/*', 'test/assets/**/*', 'test/*.snapshot/**/*', '*.d.ts'],
   },
   gitignore: ['*.js', '*.d.ts', '!testq/integ.*.snapshot/**/*', 'test/cdk.out'],
-  devDeps: ['aws-cdk@^2.38.0', 'aws-cdk-lib@^2.38.0', 'constructs@^10.0.5', '@aws-cdk/integ-runner', '@aws-cdk/integ-tests-alpha'],
+  devDeps: ['aws-cdk-lib', 'aws-cdk', 'constructs', '@aws-cdk/integ-runner@^2.133.0-alpha.0', '@aws-cdk/integ-tests-alpha@^2.133.0-alpha.0'],
   peerDependencyOptions: {
     pinnedDevDependency: false,
   },
+  publishToPypi: {
+    distName: 'opensearch-rest-resources',
+    module: 'opensearch_rest_resources',
+  },
   npmProvenance: false,
 });
 
 // Bundle custom resource handler Lambda code
 project.projectBuild.compileTask.prependExec('yarn install --frozen-lockfile && yarn build', {
   cwd: 'lambda',
 });
-// Run integ-test
-// project.projectBuild.testTask.exec('yarn integ-runner');
+// Run integ-test. This takes about 1 hour. Good luck.
+project.projectBuild.testTask.exec('yarn integ-runner');
 project.synth();
diff --git a/LICENSE b/LICENSE
diff --git a/README.md b/README.md
@@ -56,3 +56,30 @@ const roleMapping = new OpenSearchRoleMapping(this, 'RoleMapping1', {
 });
 roleMapping.node.addDependency(role);
 ```
+
+## Limitation
+Currently this library assumes your OpenSearch domain is configured as:
+
+* [Fine-grained access control](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html) is enabled
+* Deployed within a VPC
+* Use the [`Domain`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.Domain.html) L2 construct
+* The credential for the master user (username and password) is stored in Secret Manager
+* [Domain access policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-recommendations) is permissive like below:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "es:ESHttp*",
+      "Resource": "domain-arn/*"
+    }
+  ]
+}
+```
+
+Most of the above follow the current [operational best practices](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/bp.html) of Amazon OpenSearch Service. If you want other configuration supported, please submit [an issue](https://github.com/tmokmss/opensearch-rest-resources/issues).
diff --git a/example/index.ts b/example/index.ts
@@ -1,130 +1,5 @@
-import { Stack, StackProps, App, RemovalPolicy, Duration } from 'aws-cdk-lib';
-import { EbsDeviceVolumeType, Vpc } from 'aws-cdk-lib/aws-ec2';
-import { PolicyStatement, AnyPrincipal } from 'aws-cdk-lib/aws-iam';
-import { Domain, EngineVersion } from 'aws-cdk-lib/aws-opensearchservice';
-import { Construct } from 'constructs';
-import { OpenSearchRole } from '../src/resources/role';
-import { OpenSearchRoleMapping } from '../src/resources/role-mapping';
-import { OpenSearchUser } from '../src/resources/user';
-import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
-import { join } from 'path';
-
-class OpenSearchTestStack extends Stack {
-  constructor(scope: Construct, id: string, props: StackProps = {}) {
-    super(scope, id, props);
-
-    const vpc = new Vpc(this, 'Vpc', { maxAzs: 2, natGateways: 1 });
-
-    const targetSubnets = [vpc.privateSubnets[0]];
-
-    // Following the best practices:
-    // https://docs.aws.amazon.com/opensearch-service/latest/developerguide/bp.html
-    const domain = new Domain(this, 'Domain', {
-      version: EngineVersion.OPENSEARCH_2_11,
-      capacity: {
-        // https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html
-        dataNodeInstanceType: 't3.small.search',
-        dataNodes: targetSubnets.length,
-        // masterNodeInstanceType: 't3.small.search',
-        // masterNodes: 1,
-        multiAzWithStandbyEnabled: false,
-      },
-      // zoneAwareness: {
-      //   enabled: true,
-      //   availabilityZoneCount: targetSubnets.length,
-      // },
-      ebs: {
-        volumeSize: 30,
-        volumeType: EbsDeviceVolumeType.GP3,
-        throughput: 125,
-        iops: 3000,
-      },
-      enforceHttps: true,
-      fineGrainedAccessControl: {
-        masterUserName: 'admin',
-      },
-      nodeToNodeEncryption: true,
-      encryptionAtRest: {
-        enabled: true,
-      },
-      vpc,
-      vpcSubnets: [{ subnets: targetSubnets }],
-      logging: {
-        auditLogEnabled: true,
-        slowSearchLogEnabled: true,
-        appLogEnabled: true,
-        slowIndexLogEnabled: true,
-      },
-      removalPolicy: RemovalPolicy.DESTROY,
-    });
-
-    // Recommended policy when using fine-grained access control
-    // https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-recommendations
-    domain.addAccessPolicies(
-      new PolicyStatement({
-        principals: [new AnyPrincipal()],
-        actions: ['es:ESHttp*'],
-        resources: [domain.domainArn + '/*'],
-      })
-    );
-
-    const testHandler = new NodejsFunction(this, 'TestHandler', {
-      entry: join(__dirname, 'lambda', 'index.ts'),
-      depsLockFilePath: join(__dirname, 'lambda', 'package-lock.json'),
-      bundling: {
-        commandHooks: {
-          beforeBundling: (i, _o) => [`cd ${i} && npm install`],
-          afterBundling: (_i, _o) => [],
-          beforeInstall: (_i, _o) => [],
-        },
-      },
-      vpc,
-      environment: {
-        OPENSEARCH_HOST: domain.domainEndpoint,
-      },
-      timeout: Duration.seconds(10),
-    });
-    domain.connections.allowDefaultPortFrom(testHandler);
-
-    const role = new OpenSearchRole(this, 'Role1', {
-      vpc,
-      domain,
-      roleName: 'Role1',
-      payload: {
-        clusterPermissions: ['indices:data/write/bulk'],
-        indexPermissions: [
-          {
-            indexPatterns: ['*'],
-            allowedActions: ['read', 'write', 'index', 'create_index'],
-          },
-        ],
-      },
-      removalPolicy: RemovalPolicy.RETAIN,
-    });
-
-    const roleMapping = new OpenSearchRoleMapping(this, 'RoleMapping1', {
-      vpc,
-      domain,
-      roleName: 'Role1',
-      payload: {
-        backendRoles: [testHandler.role!.roleArn],
-      },
-    });
-    roleMapping.node.addDependency(role);
-
-    new OpenSearchUser(this, 'User1', {
-      vpc,
-      domain,
-      userName: 'User1',
-      payload: {
-        password: '64loxy5K;5jr',
-        attributes: {
-          foo: 'bar',
-        },
-      },
-    });
-  }
-}
+import { App } from 'aws-cdk-lib';
+import { OpenSearchTestStack } from './stack';
 
 class TestApp extends App {
   constructor() {