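---
# Sample config for the OpenSearch module - SAML variant.
# Demonstrates an OpenSearch domain with SAML SSO authentication
# enabled, using a minimal cluster configuration to validate the
# SAML integration path separately from the primary config.
#
# Values below are sample/placeholder identifiers (VPC, subnet,
# security group, IdP metadata); replace them before a real deploy.

domain:
  # See CONFIGURATION.md for role reference options (name, arn, id).
  # IAM role granted admin access to OpenSearch Dashboard.
  # Role by name (auto-expanded to ARN at deploy time).
  # This role is the privileged identity for the domain; keep its
  # trust policy and membership tightly scoped.
  dataAdminRole:
    name: test-admin-role

  # Functional name for the OpenSearch domain.
  # Referenced again in the accessPolicies Resource ARN below; keep
  # the two in sync.
  opensearchDomainName: osdomain-saml

  # VPC ID for OpenSearch domain deployment
  # Often created by your VPC/networking stack.
  # Example SSM: ssm:/path/to/vpc/id
  vpcId: vpc-a1b2c3d4

  # Subnet configurations for domain node placement
  # Often created by your VPC/networking stack.
  # Example SSM: ssm:/path/to/subnet/id
  subnets:
    - subnetId: subnet-1a2b3c4d
      # Quoted: the value starts with a template expression.
      availabilityZone: '{{region}}a'

  # Security group ingress rules
  securityGroupIngress:
    # (Optional) Security group IDs allowed to access the domain.
    # Only the listed groups reach the domain; no CIDR ranges are
    # opened by this sample.
    sg:
      - sg-u5x6y7z8

  # Cluster capacity configuration
  capacity:
    # Number of data nodes (default: 1)
    dataNodes: 1
    # Data node instance type (default: r5.large.search)
    dataNodeInstanceType: r6g.large.search

  # EBS storage configuration
  ebs:
    # (Optional) Whether EBS volumes are attached to data nodes
    # (default: true)
    enabled: true
    # (Optional) EBS volume size in GiB (default: 10)
    volumeSize: 20
    # (Optional) EBS volume type
    # (enum: gp2, gp3, io1, io2, sc1, st1, standard) (default: gp2)
    volumeType: gp2

  # Hour of day (0-23 UTC) for automated snapshot creation
  automatedSnapshotStartHour: 23

  # OpenSearch engine version in x.y format.
  # Quoted so the parser keeps it as a string (unquoted 2.3 would
  # become a float and drop trailing zeros on versions like 2.10).
  opensearchEngineVersion: '2.3'

  # Allow automatic version upgrades
  enableVersionUpgrade: true

  # Access policy definitions as IAM policy statement JSON objects.
  # Granting the account root principal delegates authorization to
  # IAM identity policies within this account; it does not open the
  # domain to other accounts.
  accessPolicies:
    # NOTE(review): the IAM statement key is spelled `Sid`; confirm
    # the module normalizes `SID` before relying on it.
    - SID: testing
      Effect: Allow
      Principal:
        AWS:
          - 'arn:{{partition}}:iam::{{account}}:root'
      # Resource must name the domain configured in
      # opensearchDomainName above; a statement for a different
      # domain name does not apply to this domain.
      Resource: 'arn:{{partition}}:es:{{region}}:{{account}}:domain/osdomain-saml/*'
      # Quoted: `*` in a plain scalar is easy to misread as an alias.
      Action: 'es:*'

  # (Optional) SAML authentication configuration for SSO
  # integration with corporate identity providers
  samlAuthentication:
    # The unique entity ID of the SAML identity provider.
    # NOTE(review): this differs from the entityID inside the metadata
    # below ("test-idp"); the two are expected to agree — confirm
    # against the real IdP metadata before deploying.
    idpEntityId: 'https://portal.sso.{{region}}.amazonaws.com/saml/assertion/ABC123'
    # The SAML metadata XML content from the identity provider.
    # Literal block scalar (`|`) keeps the XML line structure intact.
    # This is a structural placeholder only: the IDPSSODescriptor is
    # empty, whereas real IdP metadata carries the signing certificate
    # and SingleSignOnService endpoints that assertion validation
    # depends on.
    idpMetadataXml: |
      <?xml version="1.0"?>
      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="test-idp">
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        </IDPSSODescriptor>
      </EntityDescriptor>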
