How to create an OpenSearch Domain specific VPC endpoint using AWS CDK?

Question

I am currently setting up an OpenSearch Domain on a VPC and I need to create a VPC Endpoint to make it available to some lambda functions.

I have noticed that VPC Endpoints for OS Domains are created differently, instead of going to VPC service page and then "Endpoints", you go instead to OpenSearch service page and from there (on the left bar menu) you have the chance to create endpoints (see screenshot below).

I see that such VPC endpoints are specific to your cluster (you need to specify a domain when creating it). I am setting all of this from AWS CDK and while I can create normal VPC endpoints (for lambda and for sts, for example) I am unable to find out how to create this OpenSearch specific endpoints.

Below are examples of how I am able to create lambda and sts endpoints from AWS CDK:

new InterfaceVpcEndpoint(this, 'STSEndpoint', {
  vpc,
  subnets: { subnets },
  service: new InterfaceVpcEndpointService(`com.amazonaws.${stageConfig.AWSProfileRegion}.sts`),
  privateDnsEnabled: true,
  open: true,
});

new InterfaceVpcEndpoint(this, 'LambdaEndpoint', {
  vpc,
  subnets: { subnets },
  service: new InterfaceVpcEndpointService(`com.amazonaws.${stageConfig.AWSProfileRegion}.lambda`),
  privateDnsEnabled: true,
  open: true,
});

Can someone point me in the right direction? While I am able to correctly create them manually I need it to be done from CDK.

Answer 1

According to the documentation, you cannot create an Interface Endpoint for OpenSearch via CloudFormation:

• You currently can't use AWS CloudFormation to create interface VPC endpoints.
• You can only create interface VPC endpoints through the OpenSearch Service console or using the OpenSearch Service API. You can't create interface VPC endpoints for OpenSearch Service using the Amazon VPC console.

There is an OpenSearch-specific CloudFormation resource over at AWS::OpenSearchServerless::VpcEndpoint, but I believe it would not be sufficient to associate it with the domain.

Since this is available via the OpenSearch API, you can use a Custom Resource to achieve this:

let myVpc: ec2.IVpc;

const myEndpointCr = new cr.AwsCustomResource(this, "MyEndpointCR", {
  onUpdate: {
    service: "opensearchserverless",
    action: "createVpcEndpoint",
    parameters: {
      // CreateVpcEndpointRequest
      name: "myEndpoint",
      vpcId: myVpc.vpcId, // required
      subnetIds: [
        // IDs for the subnets where you want to create the endpoint
      ],
      securityGroupIds: [
        // If you want to specify your own SG, provide its ID here
        // Otherwise, it will use the default one
      ],
      // Make the token dependent on input params if you want to perform updates
      clientToken: "myClientToken",
    },
    physicalResourceId: cr.PhysicalResourceId.fromResponse(
      "createVpcEndpointDetail.id",
    ),
  },
  policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
    resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
  }),
});

This does not handle resource deletion, but should give you a starting point.

SDK reference: CreateVpcEndpointCommand