D7net
Home
Console
Upload
information
Create File
Create Folder
About
Tools
:
/
proc
/
self
/
root
/
opt
/
saltstack
/
salt
/
lib
/
python3.10
/
site-packages
/
salt
/
states
/
Filename :
boto3_elasticsearch.py
back
Copy
""" Manage Elasticsearch Service ============================ .. versionadded:: 3001 :configuration: This module accepts explicit AWS credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: .. code-block:: text http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: .. code-block:: yaml es.keyid: GKTADJGHEIQSXMKKRBJ08H es.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: .. code-block:: yaml es.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: .. code-block:: yaml myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 :codeauthor: Herbert Buurman <herbert.buurman@ogd.nl> :depends: boto3 """ import logging import salt.utils.json from salt.utils.versions import Version log = logging.getLogger(__name__) __virtualname__ = "boto3_elasticsearch" def __virtual__(): """ Only load if boto3 and the required module functions are available. """ requirements = { "salt": [ "boto3_elasticsearch.describe_elasticsearch_domain", "boto3_elasticsearch.create_elasticsearch_domain", "boto3_elasticsearch.update_elasticsearch_domain_config", "boto3_elasticsearch.exists", "boto3_elasticsearch.get_upgrade_status", "boto3_elasticsearch.wait_for_upgrade", "boto3_elasticsearch.check_upgrade_eligibility", "boto3_elasticsearch.upgrade_elasticsearch_domain", ], } for req in requirements["salt"]: if req not in __salt__: return ( False, "A required function was not found in __salt__: {}".format(req), ) return __virtualname__ def _check_return_value(ret): """ Helper function to check if the 'result' key of the return value has been properly set. This is to detect unexpected code-paths that would otherwise return a 'success'-y value but not actually be successful. :param dict ret: The returned value of a state function. """ if ret["result"] == "oops": ret["result"] = False ret["comment"].append( "An internal error has occurred: The result value was not properly changed." ) return ret def present( name, elasticsearch_version=None, elasticsearch_cluster_config=None, ebs_options=None, access_policies=None, snapshot_options=None, vpc_options=None, cognito_options=None, encryption_at_rest_options=None, node_to_node_encryption_options=None, advanced_options=None, log_publishing_options=None, blocking=True, tags=None, region=None, keyid=None, key=None, profile=None, ): """ Ensure an Elasticsearch Domain exists. :param str name: The name of the Elasticsearch domain that you are creating. Domain names are unique across the domains owned by an account within an AWS region. Domain names must start with a letter or number and can contain the following characters: a-z (lowercase), 0-9, and - (hyphen). :param str elasticsearch_version: String of format X.Y to specify version for the Elasticsearch domain eg. "1.5" or "2.3". :param dict elasticsearch_cluster_config: Dict specifying the configuration options for an Elasticsearch domain. Keys (case sensitive) in here are: - InstanceType (str): The instance type for an Elasticsearch cluster. - InstanceCount (int): The instance type for an Elasticsearch cluster. - DedicatedMasterEnabled (bool): Indicate whether a dedicated master node is enabled. - ZoneAwarenessEnabled (bool): Indicate whether zone awareness is enabled. - ZoneAwarenessConfig (dict): Specifies the zone awareness configuration for a domain when zone awareness is enabled. Keys (case sensitive) in here are: - AvailabilityZoneCount (int): An integer value to indicate the number of availability zones for a domain when zone awareness is enabled. This should be equal to number of subnets if VPC endpoints is enabled. - DedicatedMasterType (str): The instance type for a dedicated master node. - DedicatedMasterCount (int): Total number of dedicated master nodes, active and on standby, for the cluster. :param dict ebs_options: Dict specifying the options to enable or disable and specifying the type and size of EBS storage volumes. Keys (case sensitive) in here are: - EBSEnabled (bool): Specifies whether EBS-based storage is enabled. - VolumeType (str): Specifies the volume type for EBS-based storage. - VolumeSize (int): Integer to specify the size of an EBS volume. - Iops (int): Specifies the IOPD for a Provisioned IOPS EBS volume (SSD). :type access_policies: str or dict :param access_policies: Dict or JSON string with the IAM access policy. :param dict snapshot_options: Dict specifying the snapshot options. Keys (case senstive) in here are: - AutomatedSnapshotStartHour (int): Specifies the time, in UTC format, when the service takes a daily automated snapshot of the specified Elasticsearch domain. Default value is 0 hours. :param dict vpc_options: Dict with the options to specify the subnets and security groups for the VPC endpoint. Keys (case sensitive) in here are: - SubnetIds (list): The list of subnets for the VPC endpoint. - SecurityGroupIds (list): The list of security groups for the VPC endpoint. :param dict cognito_options: Dict with options to specify the cognito user and identity pools for Kibana authentication. Keys (case senstive) in here are: - Enabled (bool): Specifies the option to enable Cognito for Kibana authentication. - UserPoolId (str): Specifies the Cognito user pool ID for Kibana authentication. - IdentityPoolId (str): Specifies the Cognito identity pool ID for Kibana authentication. - RoleArn (str): Specifies the role ARN that provides Elasticsearch permissions for accessing Cognito resources. :param dict encryption_at_rest_options: Dict specifying the encryption at rest options. This option can only be used for the creation of a new Elasticsearch domain. Keys (case sensitive) in here are: - Enabled (bool): Specifies the option to enable Encryption At Rest. - KmsKeyId (str): Specifies the KMS Key ID for Encryption At Rest options. :param dict node_to_node_encryption_options: Dict specifying the node to node encryption options. This option can only be used for the creation of a new Elasticsearch domain. Keys (case sensitive) in here are: - Enabled (bool): Specify True to enable node-to-node encryption. :param dict advanced_options: Dict with option to allow references to indices in an HTTP request body. Must be False when configuring access to individual sub-resources. By default, the value is True. See http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide\ /es-createupdatedomains.html#es-createdomain-configure-advanced-options for more information. :param dict log_publishing_options: Dict with options for various type of logs. The keys denote the type of log file and can be one of the following: - INDEX_SLOW_LOGS - SEARCH_SLOW_LOGS - ES_APPLICATION_LOGS The value assigned to each key is a dict with the following case sensitive keys: - CloudWatchLogsLogGroupArn (str): The ARN of the Cloudwatch log group to which the log needs to be published. - Enabled (bool): Specifies whether given log publishing option is enabled or not. :param bool blocking: Whether or not the state should wait for all operations (create/update/upgrade) to be completed. Default: ``True`` :param dict tags: Dict of tags to ensure are present on the Elasticsearch domain. .. versionadded:: 3001 Example: This will create an elasticsearch domain consisting of a single t2.small instance in the eu-west-1 region (Ireland) and will wait until the instance is available before returning from the state. .. code-block:: yaml Create new domain: boto3_elasticsearch.present: - name: my_domain - elasticsearch_version: '5.1' - elasticsearch_cluster_config: InstanceType: t2.small.elasticsearch InstanceCount: 1 DedicatedMasterEnabled: False ZoneAwarenessEnabled: False - ebs_options: EBSEnabled: True VolumeType: gp2 VolumeSize: 10 - snapshot_options: AutomatedSnapshotStartHour: 3 - vpc_options: SubnetIds: - subnet-12345678 SecurityGroupIds: - sg-12345678 - node_to_node_encryption_options: Enabled: False - region: eu-west-1 - tags: foo: bar baz: qux """ ret = {"name": name, "result": "oops", "comment": [], "changes": {}} action = None current_domain = None target_conf = salt.utils.data.filter_falsey( { "DomainName": name, "ElasticsearchClusterConfig": elasticsearch_cluster_config, "EBSOptions": ebs_options, "AccessPolicies": ( salt.utils.json.dumps(access_policies) if isinstance(access_policies, dict) else access_policies ), "SnapshotOptions": snapshot_options, "VPCOptions": vpc_options, "CognitoOptions": cognito_options, "AdvancedOptions": advanced_options, "LogPublishingOptions": log_publishing_options, }, recurse_depth=3, ) res = __salt__["boto3_elasticsearch.describe_elasticsearch_domain"]( name, region=region, keyid=keyid, key=key, profile=profile ) if not res["result"]: ret["result"] = False if "ResourceNotFoundException" in res["error"]: action = "create" config_diff = {"old": None, "new": target_conf} else: ret["comment"].append(res["error"]) else: current_domain = salt.utils.data.filter_falsey(res["response"], recurse_depth=3) current_domain_version = current_domain["ElasticsearchVersion"] # Remove some values from current_domain that cannot be updated for item in [ "DomainId", "UpgradeProcessing", "Created", "Deleted", "Processing", "Endpoints", "ARN", "EncryptionAtRestOptions", "NodeToNodeEncryptionOptions", "ElasticsearchVersion", "ServiceSoftwareOptions", ]: if item in current_domain: del current_domain[item] # Further remove values from VPCOptions (if present) that are read-only for item in ["VPCId", "AvailabilityZones"]: if item in current_domain.get("VPCOptions", {}): del current_domain["VPCOptions"][item] # Some special cases if "CognitoOptions" in current_domain: if ( "CognitoOptions" not in target_conf and not current_domain["CognitoOptions"]["Enabled"] ): del current_domain["CognitoOptions"] if ( "AdvancedOptions" not in target_conf and "rest.action.multi.allow_explicit_index" in current_domain["AdvancedOptions"] ): del current_domain["AdvancedOptions"][ "rest.action.multi.allow_explicit_index" ] if not current_domain["AdvancedOptions"]: del current_domain["AdvancedOptions"] # Compare current configuration with provided configuration config_diff = salt.utils.data.recursive_diff(current_domain, target_conf) if config_diff: action = "update" # Compare ElasticsearchVersion separately, as the update procedure differs. if elasticsearch_version and current_domain_version != elasticsearch_version: action = "upgrade" if action in ["create", "update"]: if __opts__["test"]: ret["result"] = None ret["comment"].append( 'The Elasticsearch Domain "{}" would have been {}d.'.format( name, action ) ) ret["changes"] = config_diff else: boto_kwargs = salt.utils.data.filter_falsey( { "elasticsearch_version": elasticsearch_version, "elasticsearch_cluster_config": elasticsearch_cluster_config, "ebs_options": ebs_options, "vpc_options": vpc_options, "access_policies": access_policies, "snapshot_options": snapshot_options, "cognito_options": cognito_options, "encryption_at_rest_options": encryption_at_rest_options, "node_to_node_encryption_options": node_to_node_encryption_options, "advanced_options": advanced_options, "log_publishing_options": log_publishing_options, "blocking": blocking, "region": region, "keyid": keyid, "key": key, "profile": profile, } ) if action == "update": # Drop certain kwargs that do not apply to updates. for item in [ "elasticsearch_version", "encryption_at_rest_options", "node_to_node_encryption_options", ]: if item in boto_kwargs: del boto_kwargs[item] res = __salt__[ "boto3_elasticsearch.{}_elasticsearch_domain{}".format( action, "_config" if action == "update" else "" ) ](name, **boto_kwargs) if "error" in res: ret["result"] = False ret["comment"].append(res["error"]) else: ret["result"] = True ret["comment"].append( 'Elasticsearch Domain "{}" has been {}d.'.format(name, action) ) ret["changes"] = config_diff elif action == "upgrade": res = upgraded( name, elasticsearch_version, region=region, keyid=keyid, key=key, profile=profile, ) ret["result"] = res["result"] ret["comment"].extend(res["comment"]) if res["changes"]: salt.utils.dictupdate.set_dict_key_value( ret, "changes:old:version", res["changes"]["old"] ) salt.utils.dictupdate.set_dict_key_value( ret, "changes:new:version", res["changes"]["new"] ) if tags is not None: res = tagged( name, tags=tags, replace=True, region=region, keyid=keyid, key=key, profile=profile, ) ret["result"] = res["result"] ret["comment"].extend(res["comment"]) if "old" in res["changes"]: salt.utils.dictupdate.update_dict_key_value( ret, "changes:old:tags", res["changes"]["old"] ) if "new" in res["changes"]: salt.utils.dictupdate.update_dict_key_value( ret, "changes:new:tags", res["changes"]["new"] ) ret = _check_return_value(ret) return ret def absent(name, blocking=True, region=None, keyid=None, key=None, profile=None): """ Ensure the Elasticsearch Domain specified does not exist. :param str name: The name of the Elasticsearch domain to be made absent. :param bool blocking: Whether or not the state should wait for the deletion to be completed. Default: ``True`` .. versionadded:: 3001 Example: .. code-block:: yaml Remove Elasticsearch Domain: boto3_elasticsearch.absent: - name: my_domain - region: eu-west-1 """ ret = {"name": name, "result": "oops", "comment": [], "changes": {}} res = __salt__["boto3_elasticsearch.exists"]( name, region=region, keyid=keyid, key=key, profile=profile ) if "error" in res: ret["result"] = False ret["comment"].append(res["error"]) elif res["result"]: if __opts__["test"]: ret["result"] = None ret["comment"].append( 'Elasticsearch domain "{}" would have been removed.'.format(name) ) ret["changes"] = {"old": name, "new": None} else: res = __salt__["boto3_elasticsearch.delete_elasticsearch_domain"]( domain_name=name, blocking=blocking, region=region, keyid=keyid, key=key, profile=profile, ) if "error" in res: ret["result"] = False ret["comment"].append( 'Error deleting Elasticsearch domain "{}": {}'.format( name, res["error"] ) ) else: ret["result"] = True ret["comment"].append( 'Elasticsearch domain "{}" has been deleted.'.format(name) ) ret["changes"] = {"old": name, "new": None} else: ret["result"] = True ret["comment"].append( 'Elasticsearch domain "{}" is already absent.'.format(name) ) ret = _check_return_value(ret) return ret def upgraded( name, elasticsearch_version, blocking=True, region=None, keyid=None, key=None, profile=None, ): """ Ensures the Elasticsearch domain specified runs on the specified version of elasticsearch. Only upgrades are possible as downgrades require a manual snapshot and an S3 bucket to store them in. Note that this operation is blocking until the upgrade is complete. :param str name: The name of the Elasticsearch domain to upgrade. :param str elasticsearch_version: String of format X.Y to specify version for the Elasticsearch domain eg. "1.5" or "2.3". .. versionadded:: 3001 Example: .. code-block:: yaml Upgrade Elasticsearch Domain: boto3_elasticsearch.upgraded: - name: my_domain - elasticsearch_version: '7.2' - region: eu-west-1 """ ret = {"name": name, "result": "oops", "comment": [], "changes": {}} current_domain = None res = __salt__["boto3_elasticsearch.describe_elasticsearch_domain"]( name, region=region, keyid=keyid, key=key, profile=profile ) if not res["result"]: ret["result"] = False if "ResourceNotFoundException" in res["error"]: ret["comment"].append( 'The Elasticsearch domain "{}" does not exist.'.format(name) ) else: ret["comment"].append(res["error"]) else: current_domain = res["response"] current_version = current_domain["ElasticsearchVersion"] if elasticsearch_version and current_version == elasticsearch_version: ret["result"] = True ret["comment"].append( 'The Elasticsearch domain "{}" is already ' "at the desired version {}" "".format(name, elasticsearch_version) ) elif Version(elasticsearch_version) < Version(current_version): ret["result"] = False ret["comment"].append( 'Elasticsearch domain "{}" cannot be downgraded ' 'to version "{}".' "".format(name, elasticsearch_version) ) if isinstance(ret["result"], bool): return ret log.debug("%s :upgraded: Check upgrade in progress", __name__) # Check if an upgrade is already in progress res = __salt__["boto3_elasticsearch.get_upgrade_status"]( name, region=region, keyid=keyid, key=key, profile=profile ) if "error" in res: ret["result"] = False ret["comment"].append( 'Error determining current upgrade status of domain "{}": {}'.format( name, res["error"] ) ) return ret if res["response"].get("StepStatus") == "IN_PROGRESS": if blocking: # An upgrade is already in progress, wait for it to complete res2 = __salt__["boto3_elasticsearch.wait_for_upgrade"]( name, region=region, keyid=keyid, key=key, profile=profile ) if "error" in res2: ret["result"] = False ret["comment"].append( 'Error waiting for upgrade of domain "{}" to complete: {}'.format( name, res2["error"] ) ) elif ( res2["response"].get("UpgradeName", "").endswith(elasticsearch_version) ): ret["result"] = True ret["comment"].append( 'Elasticsearch Domain "{}" is already at version "{}".'.format( name, elasticsearch_version ) ) else: # We are not going to wait for it to complete, so bail. ret["result"] = True ret["comment"].append( 'An upgrade of Elasticsearch domain "{}" ' "is already underway: {}" "".format(name, res["response"].get("UpgradeName")) ) if isinstance(ret["result"], bool): return ret log.debug("%s :upgraded: Check upgrade eligibility", __name__) # Check if the domain is eligible for an upgrade res = __salt__["boto3_elasticsearch.check_upgrade_eligibility"]( name, elasticsearch_version, region=region, keyid=keyid, key=key, profile=profile, ) if "error" in res: ret["result"] = False ret["comment"].append( 'Error checking upgrade eligibility for domain "{}": {}'.format( name, res["error"] ) ) elif not res["response"]: ret["result"] = False ret["comment"].append( 'The Elasticsearch Domain "{}" is not eligible to ' "be upgraded to version {}." "".format(name, elasticsearch_version) ) else: log.debug("%s :upgraded: Start the upgrade", __name__) # Start the upgrade if __opts__["test"]: ret["result"] = None ret["comment"].append( 'The Elasticsearch version for domain "{}" would have been upgraded.' ) ret["changes"] = { "old": current_domain["ElasticsearchVersion"], "new": elasticsearch_version, } else: res = __salt__["boto3_elasticsearch.upgrade_elasticsearch_domain"]( name, elasticsearch_version, blocking=blocking, region=region, keyid=keyid, key=key, profile=profile, ) if "error" in res: ret["result"] = False ret["comment"].append( 'Error upgrading Elasticsearch domain "{}": {}'.format( name, res["error"] ) ) else: ret["result"] = True ret["comment"].append( 'The Elasticsearch domain "{}" has been ' "upgraded to version {}." "".format(name, elasticsearch_version) ) ret["changes"] = { "old": current_domain["ElasticsearchVersion"], "new": elasticsearch_version, } ret = _check_return_value(ret) return ret def latest(name, minor_only=True, region=None, keyid=None, key=None, profile=None): """ Ensures the Elasticsearch domain specifies runs on the latest compatible version of elasticsearch, upgrading it if it is not. Note that this operation is blocking until the upgrade is complete. :param str name: The name of the Elasticsearch domain to upgrade. :param bool minor_only: Only upgrade to the latest minor version. .. versionadded:: 3001 Example: The following example will ensure the elasticsearch domain ``my_domain`` is upgraded to the latest minor version. So if it is currently 5.1 it will be upgraded to 5.6. .. code-block:: yaml Upgrade Elasticsearch Domain: boto3_elasticsearch.latest: - name: my_domain - minor_only: True - region: eu-west-1 """ ret = {"name": name, "result": "oops", "comment": [], "changes": {}} # Get current version res = __salt__["boto3_elasticsearch.describe_elasticsearch_domain"]( domain_name=name, region=region, keyid=keyid, key=key, profile=profile ) if "error" in res: ret["result"] = False ret["comment"].append( 'Error getting information of Elasticsearch domain "{}": {}'.format( name, res["error"] ) ) else: current_version = res["response"]["ElasticsearchVersion"] # Get latest compatible version latest_version = None res = __salt__["boto3_elasticsearch.get_compatible_elasticsearch_versions"]( domain_name=name, region=region, keyid=keyid, key=key, profile=profile ) if "error" in res: ret["result"] = False ret["comment"].append( "Error getting compatible Elasticsearch versions " 'for Elasticsearch domain "{}": {}' "".format(name, res["error"]) ) if isinstance(ret["result"], bool): return ret try: latest_version = res["response"][0]["TargetVersions"].pop(-1) except IndexError: pass if not current_version: ret["result"] = True ret["comment"].append( 'The Elasticsearch domain "{}" can not be upgraded.'.format(name) ) elif not latest_version: ret["result"] = True ret["comment"].append( 'The Elasticsearch domain "{}" is already at ' 'the lastest version "{}".' "".format(name, current_version) ) else: a_current_version = current_version.split(".") a_latest_version = latest_version.split(".") if not (minor_only and a_current_version[0] != a_latest_version[0]): if __opts__["test"]: ret["result"] = None ret["comment"].append( 'Elasticsearch domain "{}" would have been updated ' 'to version "{}".'.format(name, latest_version) ) ret["changes"] = {"old": current_version, "new": latest_version} else: ret = upgraded( name, latest_version, region=region, keyid=keyid, key=key, profile=profile, ) else: ret["result"] = True ret["comment"].append( 'Elasticsearch domain "{}" is already at its ' "latest minor version {}." "".format(name, current_version) ) ret = _check_return_value(ret) if ret["result"] and ret["changes"] and not minor_only: # Try and see if we can upgrade again res = latest( name, minor_only=minor_only, region=region, keyid=keyid, key=key, profile=profile, ) if res["result"] and res["changes"]: ret["changes"]["new"] = res["changes"]["new"] ret["comment"].extend(res["comment"]) return ret def tagged( name, tags=None, replace=False, region=None, keyid=None, key=None, profile=None ): """ Ensures the Elasticsearch domain has the tags provided. Adds tags to the domain unless ``replace`` is set to ``True``, in which case all existing tags will be replaced with the tags provided in ``tags``. (This will remove all tags if ``replace`` is ``True`` and ``tags`` is empty). :param str name: The Elasticsearch domain to work with. :param dict tags: The tags to add to/replace on the Elasticsearch domain. :param bool replace: Whether or not to replace (``True``) all existing tags on the Elasticsearch domain, or add (``False``) tags to the ES domain. .. versionadded:: 3001 """ ret = {"name": name, "result": "oops", "comment": [], "changes": {}} current_tags = {} # Check if the domain exists res = __salt__["boto3_elasticsearch.exists"]( name, region=region, keyid=keyid, key=key, profile=profile ) if res["result"]: res = __salt__["boto3_elasticsearch.list_tags"]( name, region=region, keyid=keyid, key=key, profile=profile ) if "error" in res: ret["result"] = False ret["comment"].append( 'Error fetching tags of Elasticsearch domain "{}": {}'.format( name, res["error"] ) ) else: current_tags = res["response"] or {} else: ret["result"] = False ret["comment"].append('Elasticsearch domain "{}" does not exist.'.format(name)) if isinstance(ret["result"], bool): return ret diff_tags = salt.utils.dictdiffer.deep_diff(current_tags, tags) if not diff_tags: ret["result"] = True ret["comment"].append( 'Elasticsearch domain "{}" already has the specified tags.'.format(name) ) else: if replace: ret["changes"] = diff_tags else: ret["changes"] = {"old": current_tags, "new": current_tags.update(tags)} if __opts__["test"]: ret["result"] = None ret["comment"].append( 'Tags on Elasticsearch domain "{}" would have been {}ed.'.format( name, "replac" if replace else "add" ) ) else: if replace: res = __salt__["boto3_elasticsearch.remove_tags"]( tag_keys=current_tags.keys(), domain_name=name, region=region, keyid=keyid, key=key, profile=profile, ) if "error" in res: ret["result"] = False ret["comment"].append( "Error removing current tags from Elasticsearch " 'domain "{}": {}'.format(name, res["error"]) ) ret["changes"] = {} if isinstance(ret["result"], bool): return ret res = __salt__["boto3_elasticsearch.add_tags"]( domain_name=name, tags=tags, region=region, keyid=keyid, key=key, profile=profile, ) if "error" in res: ret["result"] = False ret["comment"].append( 'Error tagging Elasticsearch domain "{}": {}'.format( name, res["error"] ) ) ret["changes"] = {} else: ret["result"] = True ret["comment"].append( 'Tags on Elasticsearch domain "{}" have been {}ed.'.format( name, "replac" if replace else "add" ) ) ret = _check_return_value(ret) return ret