Provision an Elasticsearch Cluster

This example creates an one instance Amazon Elasticsearch cluster named eksworkshop-logging. This cluster will be created in the same region as the EKS Kubernetes cluster.

The Elasticsearch cluster will have Fine-Grained Access Control enabled.

Fine-grained access control offers two forms of authentication and authorization:

  • A built-in user database, which makes it easy to configure usernames and passwords inside of Elasticsearch.
  • AWS Identity and Access Management (IAM) integration, which lets you map IAM principals to permissions.

We will create a public access domain with fine-grained access control enabled, an access policy that doesn’t use IAM principals, and a master user in the internal user database.

First let’s create some variables

# name of our elasticsearch cluster
export ES_DOMAIN_NAME="eksworkshop-logging"

# Elasticsearch version
export ES_VERSION="7.4"

# kibana admin user
export ES_DOMAIN_USER="eksworkshop"

# kibana admin password
export ES_DOMAIN_PASSWORD="$(openssl rand -base64 12)_Ek1$"

We are ready to create the Elasticsearch cluster

# Download and update the template using the variables created previously
curl -sS \
  | envsubst > ~/environment/logging/es_domain.json

# Create the cluster
aws es create-elasticsearch-domain \
  --cli-input-json  file://~/environment/logging/es_domain.json

It takes a little while for the cluster to be in an active state. The AWS Console should show the following status when the cluster is ready.

Elasticsearch Dashboard

You could also check this via AWS CLI

if [ $(aws es describe-elasticsearch-domain --domain-name ${ES_DOMAIN_NAME} --query 'DomainStatus.Processing') == "false" ]
    tput setaf 2; echo "The Elasticsearch cluster is ready"
    tput setaf 1;echo "The Elasticsearch cluster is NOT ready"

It is important to wait for the cluster to be available before moving to the next section.