export function buildElasticSearch()

in source/patterns/@aws-solutions-constructs/core/lib/elasticsearch-helper.ts [23:88]


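/**
 * Creates an Elasticsearch domain and the IAM role that the Elasticsearch
 * service assumes in order to configure Cognito authentication for Kibana.
 *
 * The role's policy is scoped to three resources: the supplied user pool, the
 * supplied identity pool, and the domain named by `domainName`.
 *
 * NOTE(review): the domain ARN in the policy is built from the `domainName`
 * argument. If `cfnDomainProps` overrides the domain name, the policy would
 * presumably point at a different domain than the one created; confirm
 * against `overrideProps` and keep the two in sync.
 *
 * NOTE(review): `cfnDomainProps` is merged over the defaults, so a caller can
 * presumably replace any setting produced by `DefaultCfnDomainProps`. Review
 * overrides for settings that weaken the defaults.
 *
 * @param scope - Construct scope in which the role, policy and domain are created.
 * @param domainName - Domain name used for the default props and the policy's domain ARN.
 * @param options - Supplies the Cognito user pool and identity pool referenced by the policy.
 * @param cfnDomainProps - Optional caller overrides applied on top of the default domain props.
 * @returns The created domain and the Cognito/Kibana configuration role, in that order.
 */
export function buildElasticSearch(scope: Construct, domainName: string,
  options: CfnDomainOptions, cfnDomainProps?: elasticsearch.CfnDomainProps): [elasticsearch.CfnDomain, iam.Role] {

  // Setup the IAM Role & policy for ES to configure Cognito User pool and Identity pool.
  // Only the Elasticsearch service principal is allowed to assume this role.
  const cognitoKibanaConfigureRole = new iam.Role(scope, 'CognitoKibanaConfigureRole', {
    assumedBy: new iam.ServicePrincipal('es.amazonaws.com')
  });

  const cognitoKibanaConfigureRolePolicy = new iam.Policy(scope, 'CognitoKibanaConfigureRolePolicy', {
    statements: [
      // One statement carries the actions of three services against three
      // resource ARNs. No wildcard resource is used.
      new iam.PolicyStatement({
        actions: [
          "cognito-idp:DescribeUserPool",
          "cognito-idp:CreateUserPoolClient",
          "cognito-idp:DeleteUserPoolClient",
          "cognito-idp:DescribeUserPoolClient",
          "cognito-idp:AdminInitiateAuth",
          "cognito-idp:AdminUserGlobalSignOut",
          "cognito-idp:ListUserPoolClients",
          "cognito-identity:DescribeIdentityPool",
          "cognito-identity:UpdateIdentityPool",
          "cognito-identity:SetIdentityPoolRoles",
          "cognito-identity:GetIdentityPoolRoles",
          "es:UpdateElasticsearchDomainConfig"
        ],
        resources: [
          options.userpool.userPoolArn,
          // Use the deployment partition rather than a literal "aws": with a
          // hard-coded partition these ARNs do not match the real resources
          // outside the standard partition, so the grants would never apply.
          `arn:${cdk.Aws.PARTITION}:cognito-identity:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:identitypool/${options.identitypool.ref}`,
          `arn:${cdk.Aws.PARTITION}:es:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:domain/${domainName}`
        ]
      }),
      // PassRole is limited to this role's own ARN and conditioned on the
      // receiving service. The condition value has no wildcard, so StringLike
      // acts as an exact match here.
      new iam.PolicyStatement({
        actions: [
          "iam:PassRole"
        ],
        conditions: {
          StringLike: {'iam:PassedToService': 'cognito-identity.amazonaws.com'}
        },
        resources: [
          cognitoKibanaConfigureRole.roleArn
        ]
      })
    ]
  });
  cognitoKibanaConfigureRolePolicy.attachToRole(cognitoKibanaConfigureRole);

  // Start from the library defaults, then layer any caller-supplied overrides on top.
  let _cfnDomainProps = DefaultCfnDomainProps(domainName, cognitoKibanaConfigureRole, options);

  if (cfnDomainProps) {
    _cfnDomainProps = overrideProps(_cfnDomainProps, cfnDomainProps);
  }

  const esDomain = new elasticsearch.CfnDomain(scope, "ElasticsearchDomain", _cfnDomainProps);
  // Record suppressions for rules W28 and W90 on the domain, with the stated reasons.
  // NOTE(review): a suppression hides the finding from the scanner for every
  // caller of this helper; confirm the reasons still hold when overrides are used.
  addCfnSuppressRules(esDomain, [
    {
      id: "W28",
      reason: `The ES Domain is passed dynamically as as parameter and explicitly specified to ensure that IAM policies are configured to lockdown access to this specific ES instance only`,
    },
    {
      id: "W90",
      reason: `This is not a rule for the general case, just for specific use cases/industries`,
    },
  ]);

  return [esDomain, cognitoKibanaConfigureRole];
}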