add support for serverless and fix otel demo flags

ps48 · ps48 · commit abd764d289aa · 2026-04-22T22:40:09.000-07:00
Signed-off-by: ps48 &lt;pshenoy36@gmail.com&gt;
diff --git a/.env b/.env
@@ -225,5 +225,9 @@ JAEGER_HOST=jaeger
 JAEGER_UI_PORT=16686
 JAEGER_GRPC_PORT=4317
 
+# Telemetry Docs (referenced by frontend-proxy envoy template)
+TELEMETRY_DOCS_HOST=otel-collector
+TELEMETRY_DOCS_PORT=4318
+
 # Java Options (workaround for OSX JDK bug)
 _JAVA_OPTIONS=
diff --git a/aws/cdk/lib/demo-workload.ts b/aws/cdk/lib/demo-workload.ts
@@ -86,6 +86,17 @@ export class DemoWorkload extends Construct {
           'git clone --depth 1 https://github.com/opensearch-project/observability-stack.git /opt/obs-stack',
           'cd /opt/obs-stack',
           '',
+          '# Patch otel-demo frontend-proxy: upstream envoy template references',
+          '# ${TELEMETRY_DOCS_HOST}/${TELEMETRY_DOCS_PORT} but those aren\'t wired',
+          '# through compose, so envoy bootstraps with an empty socket address and',
+          '# crash-loops. Inject the vars and forward them into the service.',
+          'if ! grep -q "^TELEMETRY_DOCS_HOST=" .env; then',
+          '  printf "\\nTELEMETRY_DOCS_HOST=otel-collector\\nTELEMETRY_DOCS_PORT=4318\\n" >> .env',
+          'fi',
+          'if ! grep -q "TELEMETRY_DOCS_HOST" docker-compose.otel-demo.yml; then',
+          '  sed -i "/^      - FLAGD_UI_PORT$/a\\      - TELEMETRY_DOCS_HOST\\n      - TELEMETRY_DOCS_PORT" docker-compose.otel-demo.yml',
+          'fi',
+          '',
           'cat > docker-compose/otel-collector/config.yaml << \'COLLECTOREOF\'',
           'extensions:',
           '  sigv4auth:',
@@ -157,6 +168,11 @@ export class DemoWorkload extends Construct {
           '    logging: *logging',
           'MANAGEDEOF',
           '',
+          '# Kafka\'s healthcheck can exceed compose\'s dependency grace window on',
+          '# first boot, leaving kafka-dependent services in Created state. Retry',
+          '# once — second pass finds kafka healthy and starts the stragglers.',
+          'docker compose -f docker-compose.managed.yml up -d || true',
+          'sleep 60',
           'docker compose -f docker-compose.managed.yml up -d',
         ].join('\n'),
         { OsiEndpoint: osiEndpoint },
diff --git a/aws/cli-installer/.claude/mind.mv2 b/aws/cli-installer/.claude/mind.mv2
diff --git a/aws/cli-installer/.claude/mind.mv2.lock b/aws/cli-installer/.claude/mind.mv2.lock
diff --git a/aws/cli-installer/README.md b/aws/cli-installer/README.md
@@ -1,20 +1,26 @@
 # Observability Stack AWS CLI
 
-Deploy the [Observability Stack](https://github.com/opensearch-project/observability-stack) on AWS managed services with a single command. Creates an OpenSearch domain, OSIS ingestion pipeline, Amazon Managed Prometheus workspace, and a fully configured OpenSearch UI with dashboards — plus an EC2 instance running demo workloads that generate telemetry out of the box.
+Deploy the [Observability Stack](https://github.com/opensearch-project/observability-stack) on AWS managed services with a single command. Creates an OpenSearch domain (or serverless collection), OSIS ingestion pipeline, Amazon Managed Prometheus workspace, and a fully configured OpenSearch UI with dashboards — plus an EC2 instance running demo workloads that generate telemetry out of the box.
 
 ## Quick Start
 
+**Managed domain (default):**
 ```bash
 npx @opensearch-project/observability-stack
 ```
 
-Takes ~15 minutes. When complete, the CLI prints a dashboard URL — open it and you're in.
+**Serverless collection (AOSS):**
+```bash
+npx @opensearch-project/observability-stack --serverless
+```
+
+Takes ~15 minutes for managed, ~5 minutes for serverless. When complete, the CLI prints a dashboard URL — open it and you're in.
 
 ## What Gets Created
 
 | Resource | Description |
 |---|---|
-| OpenSearch domain | Stores logs, traces, and service map data |
+| OpenSearch domain **or** serverless collection | Stores logs, traces, and service map data |
 | OSIS pipeline | Ingests OTLP data (logs, traces, metrics) via SigV4 |
 | Amazon Managed Prometheus | Stores time-series metrics |
 | Connected Data Source (Prometheus) | Connects AMP to OpenSearch for metric queries |
@@ -26,13 +32,20 @@ All resources are tagged with `observability-stack:pipeline-name` for identifica
 
 ## Usage
 
-**Create everything from scratch:**
+**Create a managed domain deployment from scratch:**
 ```bash
 node bin/cli-installer.mjs --managed \
   --pipeline-name obs-stack-<your-alias> \
   --region us-east-1
 ```
 
+**Create a serverless (AOSS) deployment from scratch:**
+```bash
+node bin/cli-installer.mjs --serverless \
+  --pipeline-name obs-stack-<your-alias> \
+  --region us-east-1
+```
+
 **Reuse existing OpenSearch domain / AMP workspace:**
 ```bash
 node bin/cli-installer.mjs --managed \
@@ -50,6 +63,13 @@ node bin/cli-installer.mjs --managed \
   --skip-demo
 ```
 
+**Launch demo workload against an existing pipeline:**
+```bash
+node bin/launch-demo.mjs \
+  --pipeline-name obs-stack-<your-alias> \
+  --region us-east-1
+```
+
 **Interactive mode** (TUI wizard):
 ```bash
 node bin/cli-installer.mjs
@@ -73,7 +93,6 @@ Deletes: EC2 instance, OpenSearch Application, Connected Data Source, OSIS pipel
 
 ## Known Limitations
 
-- **AOS (managed domains) only** — AOSS (serverless) has blocking bugs and is not supported yet.
 - **Index pattern fields need manual refresh** — After data starts flowing, go to Management → Index Patterns → select pattern → click 🔄 to pick up new fields.
 - **Demo data takes 10-15 minutes** — The EC2 instance needs time to bootstrap Docker, pull images, and start sending telemetry.
 - **Idempotent but not updateable** — Running twice safely no-ops, but won't update existing resources with new config.
@@ -84,7 +103,9 @@ Deletes: EC2 instance, OpenSearch Application, Connected Data Source, OSIS pipel
 
 ```
 aws/cli-installer/
-├── bin/cli-installer.mjs          # Entry point
+├── bin/
+│   ├── cli-installer.mjs         # Entry point (full pipeline)
+│   └── launch-demo.mjs           # Standalone EC2 demo launcher against an existing pipeline
 ├── src/
 │   ├── main.mjs                # CLI orchestration + executePipeline flow
 │   ├── cli.mjs                 # Argument parsing + config
diff --git a/aws/cli-installer/bin/launch-demo.mjs b/aws/cli-installer/bin/launch-demo.mjs
@@ -0,0 +1,45 @@
+#!/usr/bin/env node
+/**
+ * Launch only the EC2 demo workload against an existing OSI pipeline.
+ * Usage: AWS_PROFILE=<p> node bin/launch-demo.mjs --pipeline-name <name> --region <r>
+ */
+import { Command } from 'commander';
+import { OSISClient, GetPipelineCommand } from '@aws-sdk/client-osis';
+import { STSClient, GetCallerIdentityCommand } from '@aws-sdk/client-sts';
+import { launchDemoInstance } from '../src/ec2-demo.mjs';
+import { printError, printInfo, printSuccess } from '../src/ui.mjs';
+
+const program = new Command()
+  .requiredOption('--pipeline-name <name>', 'Existing OSI pipeline name')
+  .requiredOption('--region <region>', 'AWS region');
+program.parse(process.argv);
+const opts = program.opts();
+
+try {
+  const sts = new STSClient({ region: opts.region });
+  const { Account } = await sts.send(new GetCallerIdentityCommand({}));
+  printInfo(`Account: ${Account}`);
+
+  const osis = new OSISClient({ region: opts.region });
+  const { Pipeline } = await osis.send(new GetPipelineCommand({ PipelineName: opts.pipelineName }));
+  const urls = Pipeline?.IngestEndpointUrls || [];
+  if (!urls.length) {
+    printError(`Pipeline ${opts.pipelineName} has no ingest endpoints`);
+    process.exit(1);
+  }
+  printInfo(`Ingest endpoint: https://${urls[0]}`);
+
+  const cfg = {
+    pipelineName: opts.pipelineName,
+    region: opts.region,
+    accountId: Account,
+    ingestEndpoints: urls,
+  };
+
+  const instanceId = await launchDemoInstance(cfg);
+  printSuccess(`Done. Instance ${instanceId}`);
+  printInfo(`Connect: aws ssm start-session --target ${instanceId} --region ${opts.region}`);
+} catch (e) {
+  printError(e.message);
+  process.exit(1);
+}
diff --git a/aws/cli-installer/src/ec2-demo.mjs b/aws/cli-installer/src/ec2-demo.mjs
@@ -7,7 +7,8 @@ import {
   EC2Client, RunInstancesCommand, DescribeInstancesCommand, TerminateInstancesCommand,
   CreateSecurityGroupCommand, AuthorizeSecurityGroupEgressCommand, DeleteSecurityGroupCommand,
   DescribeSecurityGroupsCommand, RevokeSecurityGroupEgressCommand,
-  DescribeSubnetsCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated,
+  DescribeSubnetsCommand, DescribeInstanceTypeOfferingsCommand,
+  waitUntilInstanceRunning, waitUntilInstanceTerminated,
 } from '@aws-sdk/client-ec2';
 import {
   IAMClient, CreateRoleCommand, PutRolePolicyCommand, CreateInstanceProfileCommand,
@@ -21,7 +22,7 @@ import {
 import { printStep, printSuccess, printWarning, printInfo, createSpinner } from './ui.mjs';
 
 const TAG_KEY = 'observability-stack:pipeline-name';
-const INSTANCE_TYPE = 't3.2xlarge';
+const INSTANCE_TYPE = 't3.xlarge';
 
 function tags(pipelineName, extra = {}) {
   return [
@@ -42,12 +43,22 @@ async function getLatestAL2023Ami(ssm) {
   return Parameter.Value;
 }
 
-async function getDefaultVpcSubnet(ec2) {
+async function getDefaultVpcSubnet(ec2, instanceType) {
   const { Subnets } = await ec2.send(new DescribeSubnetsCommand({
     Filters: [{ Name: 'default-for-az', Values: ['true'] }],
   }));
   if (!Subnets?.length) throw new Error('No default VPC subnet found. Ensure a default VPC exists in this region.');
-  return Subnets[0];
+
+  const { InstanceTypeOfferings } = await ec2.send(new DescribeInstanceTypeOfferingsCommand({
+    LocationType: 'availability-zone',
+    Filters: [{ Name: 'instance-type', Values: [instanceType] }],
+  }));
+  const supportedAzs = new Set((InstanceTypeOfferings || []).map(o => o.Location));
+  const match = Subnets.find(s => supportedAzs.has(s.AvailabilityZone));
+  if (!match) {
+    throw new Error(`No default VPC subnet is in an AZ that supports ${instanceType}. Supported AZs: ${[...supportedAzs].join(', ') || '(none)'}`);
+  }
+  return match;
 }
 
 function buildUserData(cfg) {
@@ -123,6 +134,17 @@ cat > docker-compose/otel-collector/config.yaml << 'COLLECTOREOF'
 ${collectorConfig}
 COLLECTOREOF
 
+# Patch otel-demo frontend-proxy: the upstream envoy template references
+# \${TELEMETRY_DOCS_HOST}/\${TELEMETRY_DOCS_PORT} but those aren't wired through
+# docker-compose, so envoy bootstraps with an empty socket address and crash-loops.
+# Inject the vars into .env and forward them into the frontend-proxy service.
+if ! grep -q '^TELEMETRY_DOCS_HOST=' .env; then
+  printf '\nTELEMETRY_DOCS_HOST=otel-collector\nTELEMETRY_DOCS_PORT=4318\n' >> .env
+fi
+if ! grep -q 'TELEMETRY_DOCS_HOST' docker-compose.otel-demo.yml; then
+  sed -i '/^      - FLAGD_UI_PORT$/a\\      - TELEMETRY_DOCS_HOST\\n      - TELEMETRY_DOCS_PORT' docker-compose.otel-demo.yml
+fi
+
 # Write a standalone compose file for managed mode (no local backends)
 cat > /opt/obs-stack/docker-compose.managed.yml << 'MANAGEDEOF'
 # Managed mode: only collector + workload services, no local backends
@@ -163,6 +185,11 @@ services:
     logging: *logging
 MANAGEDEOF
 
+# Kafka's healthcheck can exceed compose's dependency grace window on first boot,
+# leaving kafka-dependent services in 'Created' state. Retry once — second pass
+# finds kafka healthy and starts the stragglers.
+docker compose -f docker-compose.managed.yml up -d || true
+sleep 60
 docker compose -f docker-compose.managed.yml up -d
 `).toString('base64');
 }
@@ -253,7 +280,7 @@ export async function launchDemoInstance(cfg) {
   const ssm = new SSMClient({ region: cfg.region });
 
   const spinner = createSpinner('Looking up AMI and subnet...');
-  const [ami, subnet] = await Promise.all([getLatestAL2023Ami(ssm), getDefaultVpcSubnet(ec2)]);
+  const [ami, subnet] = await Promise.all([getLatestAL2023Ami(ssm), getDefaultVpcSubnet(ec2, INSTANCE_TYPE)]);
   spinner.stop(`AMI: ${ami}`);
 
   const sgSpinner = createSpinner('Creating security group...');
diff --git a/docker-compose.otel-demo.yml b/docker-compose.otel-demo.yml
@@ -333,6 +333,8 @@ services:
       - FLAGD_PORT
       - FLAGD_UI_HOST
       - FLAGD_UI_PORT
+      - TELEMETRY_DOCS_HOST
+      - TELEMETRY_DOCS_PORT
     depends_on:
       frontend:
         condition: service_started
diff --git a/docs/starlight-docs/src/content/docs/deploy/aws.mdx b/docs/starlight-docs/src/content/docs/deploy/aws.mdx
@@ -96,7 +96,7 @@ The IAM principal sending data needs `osis:Ingest` permission on the pipeline AR
 
 **CLI installer:**
 ```bash
-node bin/cli-installer.mjs --destroy --pipeline-name obs-stack --region us-west-2
+node bin/cli-installer.mjs destroy --pipeline-name obs-stack --region us-west-2
 ```
 
 The destroy command automatically detects and cleans up both managed domains and serverless collections associated with the pipeline name.
