Make bastion host optional (defaults to disabled)

Signed-off-by: Mikayla Thompson <thomika@amazon.com>

deployment/cdk/opensearch-service-migration/README.md

@@ -180,7 +180,10 @@ The pipeline configuration file can be viewed (and updated) via AWS Secrets Mana
 ## Accessing the Migration Analytics Domain
 
 The analytics domain receives metrics and events from the Capture Proxy and Replayer (if configured) and allows a user to visualize the progress and success of their migration.
-The domain & dashboard are only accessible from within the VPC, but a BastionHost is set up within the VPC that allows a user to use Session Manager to make the dashboard avaiable locally via port forwarding.
+
+The domain & dashboard are only accessible from within the VPC, but a BastionHost is optionally set up within the VPC that allows a user to use Session Manager to make the dashboard avaiable locally via port forwarding.
+
+For the Bastion Host to be available, add `"migrationAnalyticsBastionEnabled": true` to cdk.context.json and redeploy at least the MigrationAnalytics stack.
 
 Run the `accessAnalyticsDashboard` script, and then open https://localhost:8157/_dashboards to view your dashboard.
 ```shell

deployment/cdk/opensearch-service-migration/default-values.json

@@ -11,5 +11,6 @@
   "captureProxyESServiceEnabled": true,
   "trafficReplayerServiceEnabled": true,
   "migrationAnalyticsServiceEnabled": true,
+  "migrationAnalyticsBastionEnabled": false,
   "dpPipelineTemplatePath": "./dp_pipeline_template.yaml"
 }

deployment/cdk/opensearch-service-migration/lib/service-stacks/migration-analytics-stack.ts

@@ -3,7 +3,6 @@ import {
   BastionHostLinux,
   BlockDeviceVolume,
   MachineImage,
-  Port,
   SecurityGroup,
   IVpc,
 } from "aws-cdk-lib/aws-ec2";
@@ -15,6 +14,7 @@ import {StringParameter} from "aws-cdk-lib/aws-ssm";
 
 export interface MigrationAnalyticsProps extends StackPropsExt {
     readonly vpc: IVpc,
+    readonly bastionHostEnabled?: boolean
 }
 
 // The MigrationAnalyticsStack consists of the OpenTelemetry Collector ECS container & an
@@ -26,20 +26,22 @@ export class MigrationAnalyticsStack extends MigrationServiceCore {
 
         const migrationAnalyticsSecurityGroup = SecurityGroup.fromSecurityGroupId(this, "migrationAnalyticsSGId", StringParameter.valueForStringParameter(this, `/migration/${props.stage}/${props.defaultDeployId}/analyticsDomainSGId`))
 
-        // Bastion host to access Opensearch Dashboards
-        new BastionHostLinux(this, "AnalyticsDashboardBastionHost", {
-          vpc: props.vpc,
-          securityGroup: migrationAnalyticsSecurityGroup,
-          machineImage: MachineImage.latestAmazonLinux2023(),
-          blockDevices: [
-            {
-              deviceName: "/dev/xvda",
-              volume: BlockDeviceVolume.ebs(10, {
-                encrypted: true,
-              }),
-            },
-          ],
-        });
+        if (props.bastionHostEnabled) {
+          // Bastion host to access Opensearch Analytics Dashboard
+          new BastionHostLinux(this, "AnalyticsDashboardBastionHost", {
+            vpc: props.vpc,
+            securityGroup: migrationAnalyticsSecurityGroup,
+            machineImage: MachineImage.latestAmazonLinux2023(),
+            blockDevices: [
+              {
+                deviceName: "/dev/xvda",
+                volume: BlockDeviceVolume.ebs(10, {
+                  encrypted: true,
+                }),
+              },
+            ],
+          });
+        }
 
         // Port Mappings for collector and health check
         const otelCollectorPort: PortMapping = {
@@ -84,8 +86,6 @@ export class MigrationAnalyticsStack extends MigrationServiceCore {
             },
             ...props
         });
-
-
     }
 
 }

deployment/cdk/opensearch-service-migration/lib/stack-composer.ts

@@ -154,6 +154,7 @@ export class StackComposer {
         const sourceClusterEndpoint = this.getContextForType('sourceClusterEndpoint', 'string', defaultValues, contextJSON)
 
         const migrationAnalyticsServiceEnabled = this.getContextForType('migrationAnalyticsServiceEnabled', 'boolean', defaultValues, contextJSON)
+        const migrationAnalyticsBastionHostEnabled = this.getContextForType('migrationAnalyticsBastionEnabled', 'boolean', defaultValues, contextJSON)
         const analyticsDomainEngineVersion = this.getContextForType('analyticsDomainEngineVersion', 'string', defaultValues, contextJSON)
         const analyticsDomainDataNodeType = this.getContextForType('analyticsDomainDataNodeType', 'string', defaultValues, contextJSON)
         const analyticsDomainDataNodeCount = this.getContextForType('analyticsDomainDataNodeCount', 'number', defaultValues, contextJSON)
@@ -337,6 +338,8 @@ export class StackComposer {
             })
             migrationAnalyticsStack = new MigrationAnalyticsStack(scope, "migration-analytics", {
                 stackName: `OSMigrations-${stage}-${region}-MigrationAnalytics`,
+                description: "This stack contains the OpenTelemetry Collector and Bastion Host",
+                bastionHostEnabled: migrationAnalyticsBastionHostEnabled,
                 vpc:networkStack.vpc,
                 stage: stage,
                 defaultDeployId: defaultDeployId,

deployment/cdk/opensearch-service-migration/options.md

@@ -15,6 +15,7 @@ These tables list all CDK context configuration values a user can specify for th
 | kafkaBrokerServiceEnabled              | boolean | false                                                                | Enable deploying the given service, via a new CloudFormation stack. **This stack is experimental and should only be used for development**                                                                                                                                                       |
 | kafkaZookeeperServiceEnabled           | boolean | false                                                                | Enable deploying the given service, via a new CloudFormation stack  **This stack is experimental and should only be used for development**                                                                                                                                                       |
 | migrationAnalyticsServiceEnabled       | boolean | true                                                                 | Enable deploying the given service, via a new CloudFormation stack.                                     |
+| migrationAnalyticsBastionEnabled       | boolean | true                                                                 | Enables a BastionHost to be placed within the VPC to allow port forwarding to access the Analytics Dashboard                                     |
 | trafficReplayerEnableClusterFGACAuth   | boolean | true                                                                 | Use the configured FGAC manager user for the OpenSearch Domain for auth of replayed requests. **Note**: This is only applicable if this CDK has setup an OpenSearch Domain <br/> and a FGAC user was setup either by the `fineGrainedManagerUserSecretManagerKeyARN` or `enableDemoAdmin` option |
 | trafficReplayerGroupId                 | string  | "logging-group-default"                                              | The Kafka consumer group ID the Replayer will use, if not specified a default ID will be used                                                                                                                                                                                                    |
 | trafficReplayerExtraArgs               | string  | "--sigv4-auth-header-service-region es,us-east-1 --speedup-factor 5" | Extra arguments to provide to the Replayer command. This includes auth header options and other parameters supported by the [Traffic Replayer](../../../TrafficCapture/trafficReplayer/src/main/java/org/opensearch/migrations/replay/TrafficReplayer.java).                                     |