Prevent CDK from creating a new OpenSearch domain


I modified some parameters of our OpenSearch domain and did a new CDK deploy. Turns out that CDK decided to create a new cluster and redirect both the lambda that performs search and Fargate task that indexes to this new cluster. So now I have a cluster with 100k documents that is not connected to anything and a search cluster that doesn't have any index or documents.

I assume I should be able to do a backup of the old cluster and apply that backup to the new cluster. This will fix my current situation since this is our development cluster. However, if this was our production cluster, we would have downtime. Ideally, there should be a way of rolling back the CloudFormation stack or importing the old domain into the stack, but none of those options seem to be available.

I don't know why CDK decided to create a new domain. It could be because the existing domain was updated and CDK specified an earlier version or it could be related to the security policy changes I added. I assume it's the latter since reverting them resulted in the creation of a third cluster.

Is there a way to prevent CDK from creating new search domains like this?

asked 2 years ago · 287 views
1 Answer


I see that when you modified some parameters of your OpenSearch domain and did a new CDK deploy, a new domain was created. Can you let me know which specific parameters were modified? I see that some parameters do require a resource replacement, which may lead to the creation of a new domain.

Also, to investigate this further, we require information that is non-public. Please open a support case with AWS Support using the following link:

answered 2 years ago

    I added fine_grained_access_control=opensearch.AdvancedSecurityOptions(...) while I had previously not specified that parameter.

    Running cdk diff shows that this will cause the domain to be recreated. I can add that now and verify that this is the case.

    I have taken a snapshot of the old domain and restored that to the new one now so there is no point in looking into my account.

    I would think that for most users, having cdk stop and ask for confirmation before recreating a search domain would be good.
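One way to get the "stop before recreating a search domain" behaviour asked for above is a pipeline gate that inspects the CloudFormation change set before it is executed. The script below is an added example, not code from the thread or from CDK; the protected type list, the logical IDs and the sample change set are constructed for illustration, and the JSON shape follows the output of `describe-change-set`.

```python
import json
import sys

# Resource types where replacement means an empty new cluster (assumed list).
PROTECTED_TYPES = {"AWS::OpenSearchService::Domain", "AWS::Elasticsearch::Domain"}

def risky_changes(change_set, protected=PROTECTED_TYPES):
    """Return (logical_id, reason) for protected resources that would be
    replaced or removed, given describe-change-set JSON as a dict."""
    findings = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange") or {}
        if rc.get("ResourceType") not in protected:
            continue
        logical_id = rc.get("LogicalResourceId", "?")
        replacement = rc.get("Replacement", "False")
        if rc.get("Action") == "Remove":
            findings.append((logical_id, "removed"))
        elif replacement in ("True", "Conditional"):
            # Name the properties that force the recreation, when listed.
            targets = (d.get("Target", {}) for d in rc.get("Details", []))
            props = sorted({t["Name"] for t in targets
                            if t.get("Name") and t.get("RequiresRecreation") != "Never"})
            findings.append((logical_id, f"replacement={replacement} via "
                                         f"{', '.join(props) or 'unlisted property'}"))
    return findings

# Constructed change set mirroring the situation described in the thread.
SAMPLE = {"Changes": [
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "SearchDomain",
        "ResourceType": "AWS::OpenSearchService::Domain", "Replacement": "True",
        "Details": [{"Target": {"Attribute": "Properties",
                                "Name": "AdvancedSecurityOptions",
                                "RequiresRecreation": "Always"}}]}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "SearchFunction",
        "ResourceType": "AWS::Lambda::Function", "Replacement": "False",
        "Details": []}},
]}

if __name__ == "__main__":
    # Pass a saved describe-change-set JSON file, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    found = risky_changes(data)
    for logical_id, reason in found:
        print(f"BLOCK {logical_id}: {reason}")
    sys.exit(1 if found else 0)
```

A change set can be created without being applied using `cdk deploy --no-execute`, and its JSON retrieved with `aws cloudformation describe-change-set`; a non-zero exit from the script then stops the pipeline until someone confirms the replacement.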
