-
Notifications
You must be signed in to change notification settings - Fork 27
IAM and Security Groups for Existing Clusters
This page outlines scenarios for using the migration tools with existing clusters, including any necessary configuration changes to ensure proper communication between them.
For an OpenSearch Domain, two main configurations are typically required to ensure proper functioning of the migration solution:
-
Security Group Configuration:
The Domain should have a security group that allows communication from the applicable Migration services (Traffic Replayer, Migration Console, Reindex-from-Snapshot). The CDK will automatically create anosClusterAccessSGsecurity group, which is applied to the Migration services. The user should then add this security group to their existing Domain to allow access. -
Access Policy Configuration:
The Domain’s access policy should either:- Be an open access policy that allows all access, or
- Be configured to allow at least the IAM task roles for the applicable Migration services (Traffic Replayer, Migration Console, Reindex-from-Snapshot) to access the Domain.
For an OpenSearch Serverless Collection, you will need to configure both Network and Data Access policies:
-
Network Policy Configuration:
The Collection should have a network policy that uses theVPCaccess type. This requires creating a VPC endpoint on the VPC used for the solution. The VPC endpoint should be configured for the private subnets of the VPC and should attach theosClusterAccessSGsecurity group. -
Data Access Policy Configuration:
The data access policy should grant permission to perform all index operations ↗ (aoss:*) for all indexes in the Collection. The IAM task roles of the applicable Migration services (Traffic Replayer, Migration Console, Reindex-from-Snapshot) should be used as the principals for this data access policy.
Although the CDK does not automatically set up the Capture Proxy on source cluster nodes (except in the demo solution), the Capture Proxy instances must communicate with the resources deployed by the CDK (e.g., Kafka). This section outlines the necessary steps.
Before setting up Capture Proxy instances on the source cluster, ensure the following configurations are in place:
-
Security Group Configuration:
The coordinator nodes should add thetrafficStreamSourceSGsecurity group to allow sending captured traffic to Kafka. -
IAM Policy Configuration:
The IAM role used by the coordinator nodes should have permissions to publish captured traffic to Kafka. You can add the following template policy through the AWS Console (IAM Role → Add permissions → Create inline policy → JSON view):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "kafka-cluster:Connect",
"Resource": "arn:aws:kafka:<REGION>:<ACCOUNT-ID>:cluster/migration-msk-cluster-<STAGE>/*",
"Effect": "Allow"
},
{
"Action": [
"kafka-cluster:CreateTopic",
"kafka-cluster:DescribeTopic",
"kafka-cluster:WriteData"
],
"Resource": "arn:aws:kafka:<REGION>:<ACCOUNT-ID>:topic/migration-msk-cluster-<STAGE>/*",
"Effect": "Allow"
}
]
}Encountering a compatibility issue or missing feature?
- Search existing issues to see if it’s already reported. If it is, feel free to upvote and comment.
- Can’t find it? Create a new issue to let us know.
- Migration Assistant Overview
- Is the Solution Right for You?
- Existing Data Migration - Quick Start Guide
- A. Snapshot Creation Verification
- B. Client Traffic Switchover Verification
- C. Traffic Capture Verification
- D. System Reset Before Migration