[Yandex Cloud documentation](../../index.md) > [Yandex Managed Service for OpenSearch](../index.md) > [Step-by-step guides](index.md) > Clusters > Updating properties > Updating cluster settings

# Updating OpenSearch cluster settings

After creating a cluster, you can change:

* [Service account](#change-service-account).
* `admin` [user password](#change-admin-password).
* [OpenSearch settings](#change-opensearch-config).
* [Additional cluster settings](#change-additional-settings).
* [Security groups](#change-sg-set).

You can also:

* [Update the OpenSearch version](cluster-version-update.md).
* [Update the host group configuration](host-groups.md#update-host-group).
* [Move host groups to a different availability zone](host-migration.md).


## Changing a service account {#change-service-account}


To attach a service account to a Managed Service for OpenSearch cluster, [assign](../../iam/operations/roles/grant.md) the [iam.serviceAccounts.user](../../iam/security/index.md#iam-serviceAccounts-user) role or higher to your Yandex Cloud account.


{% note warning %}

If the cluster already uses a service account to access objects from Object Storage, then changing it to a different service account may make these objects unavailable and interrupt the cluster operation. Before changing the service account settings, make sure that the cluster doesn't use the objects in question.

{% endnote %}

For more information about setting up a service account, see [Configuring access to Object Storage](s3-access.md).

{% list tabs group=instructions %}

- Management console {#console}

    To change a service account attached to a Managed Service for OpenSearch cluster:

    1. In the [management console](https://console.yandex.cloud), navigate to the folder page.
    1. Navigate to **Managed Service for&nbsp;OpenSearch**.
    1. Select the cluster and click ![image](../../_assets/console-icons/pencil.svg) **Edit** in the top panel.
    1. In the **Service account** field, select the account you need from the list or [create a new one](../../iam/operations/sa/create.md). For more information about setting up a service account, see [Configuring access to Object Storage](s3-access.md).
    1. Click **Save**.

- CLI {#cli}

    If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

    The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

    To change a service account attached to a Managed Service for OpenSearch cluster, run this command:

    ```bash
    yc managed-opensearch cluster update <cluster_name_or_ID> \
       --service-account-name <service_account_name>
    ```

    You can get the cluster name and ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    For more information about setting up a service account, see [Configuring access to Object Storage](s3-access.md).

- Terraform {#tf}

    To change a service account attached to a Managed Service for OpenSearch cluster:

    1. Open the current Terraform configuration file describing your infrastructure.

        For a complete list of configurable Managed Service for OpenSearch cluster fields, see [this Terraform provider guide](../../terraform/resources/mdb_opensearch_cluster.md).

    1. In the `service_account_id` field, specify the service account ID:

        ```hcl
        resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
            ...
            service_account_id = "<service_account_ID>"
        }
        ```

        For more information about setting up a service account, see [Configuring access to Object Storage](s3-access.md).

    1. Make sure the settings are correct.

        1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
        1. Run this command:
        
           ```bash
           terraform validate
           ```
        
           Terraform will show any errors found in your configuration files.

    1. Confirm updating the resources.

        1. Run this command to view the planned changes:
        
           ```bash
           terraform plan
           ```
        
           If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
        
        1. If everything looks correct, apply the changes:
           1. Run this command:
        
              ```bash
              terraform apply
              ```
        
           1. Confirm updating the resources.
           1. Wait for the operation to complete.

- REST API {#api}

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Call the [Cluster.Update](../api-ref/Cluster/update.md) method, e.g., via the following [cURL](https://curl.se/) request:

        {% note warning %}
        
        The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `updateMask` parameter as a single comma-separated string.
        
        {% endnote %}

        ```bash
        curl \
            --request PATCH \
            --header "Authorization: Bearer $IAM_TOKEN" \
            --header "Content-Type: application/json" \
            --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters/<cluster_ID>' \
            --data '{
                        "updateMask": "serviceAccountId",
                        "serviceAccountId": "<service_account_ID>"
                    }'
        ```

        Where:

        * `updateMask`: Comma-separated string of settings to update.

            Here, we provide only one setting.

        * `serviceAccountId`: ID of the service account used for cluster operations.

        You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
       
       ```bash
       cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
       ```
       
       Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
    1. Call the [ClusterService.Update](../api-ref/grpc/Cluster/update.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

        {% note warning %}
        
        The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `update_mask` parameter as an array of `paths[]` strings.
        
        {% cut "Format for listing settings" %}
        
        ```yaml
        "update_mask": {
            "paths": [
                "<setting_1>",
                "<setting_2>",
                ...
                "<setting_N>"
            ]
        }
        ```
        
        {% endcut %}
        
        {% endnote %}

        ```bash
        grpcurl \
            -format json \
            -import-path ~/cloudapi/ \
            -import-path ~/cloudapi/third_party/googleapis/ \
            -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
            -rpc-header "Authorization: Bearer $IAM_TOKEN" \
            -d '{
                    "cluster_id": "<cluster_ID>",
                    "update_mask": {
                        "paths": [
                            "service_account_id"
                        ]
                    },
                    "service_account_id": "<service_account_ID>"
                }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.opensearch.v1.ClusterService.Update
        ```

        Where:

        * `update_mask`: List of settings you want to update as an array of strings (`paths[]`).

            Here, we provide only one setting.

        * `service_account_id`: ID of the service account used for cluster operations.

        You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/grpc/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}


## Changing the admin password {#change-admin-password}

{% list tabs group=instructions %}

- Management console {#console}

    1. In the [management console](https://console.yandex.cloud), navigate to the folder page.
    1. Navigate to **Managed Service for&nbsp;OpenSearch**.
    1. Select the cluster and click ![image](../../_assets/console-icons/pencil.svg) **Edit** in the top panel.
    1. In the **Admin password** field, enter a new password.

        The password must include three groups of characters out of these four:
        
        * Lowercase Latin letters
        * Uppercase Latin letters
        * Numbers
        * Special characters
        
        The password must be from 10 to 72 characters long.

    1. Click **Save**.

- CLI {#cli}

    If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

    The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

    To change the `admin` password for a cluster, enter a new password using one of these methods:

    * Entering a password as plain text (less secure method).

        ```bash
        yc managed-opensearch cluster update <cluster_name_or_ID> \
           --admin-password <new_password>
        ```

        The password must include three groups of characters out of these four:
        
        * Lowercase Latin letters
        * Uppercase Latin letters
        * Numbers
        * Special characters
        
        The password must be from 10 to 72 characters long.

    * Generating a password automatically. The generated password will be output to the console.

        ```bash
        yc managed-opensearch cluster update <cluster_name_or_ID> \
           --generate-admin-password
        ```

    You can get the cluster name and ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

- Terraform {#tf}

    1. Open the current Terraform configuration file describing your infrastructure.

        For a complete list of configurable Managed Service for OpenSearch cluster fields, see [this Terraform provider guide](../../terraform/resources/mdb_opensearch_cluster.md).

    1. In the `config` section, change the `admin_password` field value:

        ```hcl
        resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
            ...
            config {
                admin_password = "<new_admin_user_password>"
            }
        }
        ```

        The password must include three groups of characters out of these four:
        
        * Lowercase Latin letters
        * Uppercase Latin letters
        * Numbers
        * Special characters
        
        The password must be from 10 to 72 characters long.

    1. Make sure the settings are correct.

        1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
        1. Run this command:
        
           ```bash
           terraform validate
           ```
        
           Terraform will show any errors found in your configuration files.

    1. Confirm updating the resources.

        1. Run this command to view the planned changes:
        
           ```bash
           terraform plan
           ```
        
           If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
        
        1. If everything looks correct, apply the changes:
           1. Run this command:
        
              ```bash
              terraform apply
              ```
        
           1. Confirm updating the resources.
           1. Wait for the operation to complete.

- REST API {#api}

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Call the [Cluster.Update](../api-ref/Cluster/update.md) method, e.g., via the following [cURL](https://curl.se/) request:

        {% note warning %}
        
        The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `updateMask` parameter as a single comma-separated string.
        
        {% endnote %}

        ```bash
        curl \
            --request PATCH \
            --header "Authorization: Bearer $IAM_TOKEN" \
            --header "Content-Type: application/json" \
            --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters/<cluster_ID>' \
            --data '{
                        "updateMask": "configSpec.adminPassword",
                        "configSpec": {
                            "adminPassword": "<new_password>"
                        }
                    }'
        ```

        Where:

        * `updateMask`: Comma-separated string of settings to update.

            Here, we provide only one setting.

        * `configSpec.adminPassword`: New `admin` password.

            The password must include three groups of characters out of these four:
            
            * Lowercase Latin letters
            * Uppercase Latin letters
            * Numbers
            * Special characters
            
            The password must be from 10 to 72 characters long.

        You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
       
       ```bash
       cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
       ```
       
       Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
    1. Call the [ClusterService.Update](../api-ref/grpc/Cluster/update.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

        {% note warning %}
        
        The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `update_mask` parameter as an array of `paths[]` strings.
        
        {% cut "Format for listing settings" %}
        
        ```yaml
        "update_mask": {
            "paths": [
                "<setting_1>",
                "<setting_2>",
                ...
                "<setting_N>"
            ]
        }
        ```
        
        {% endcut %}
        
        {% endnote %}

        ```bash
        grpcurl \
            -format json \
            -import-path ~/cloudapi/ \
            -import-path ~/cloudapi/third_party/googleapis/ \
            -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
            -rpc-header "Authorization: Bearer $IAM_TOKEN" \
            -d '{
                    "cluster_id": "<cluster_ID>",
                    "update_mask": {
                        "paths": [
                            "config_spec.admin_password"
                        ]
                    },
                    "config_spec": {
                        "admin_password": "<new_password>"
                    }
                }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.opensearch.v1.ClusterService.Update
        ```

        Where:

        * `update_mask`: List of settings you want to update as an array of strings (`paths[]`).

            Here, we provide only one setting.

        * `config_spec.admin_password`: New `admin` password.

            The password must include three groups of characters out of these four:
            
            * Lowercase Latin letters
            * Uppercase Latin letters
            * Numbers
            * Special characters
            
            The password must be from 10 to 72 characters long.

        You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/grpc/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}

## Updating OpenSearch settings {#change-opensearch-config}

{% list tabs group=instructions %}

- CLI {#cli}

    If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

    The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

    Run the following command with the list of settings to update:

    ```bash
    yc managed-opensearch cluster update <cluster_name_or_ID> \
       --max-clause-count <number_of_Boolean_clauses> \
       --fielddata-cache-size <JVM_heap_size> \
       --reindex-remote-whitelist <host_address>:<port>
    ```

    You can get the cluster name and ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    The settings in the command include:

    * `--max-clause-count`: Maximum allowed number of boolean clauses per query. For more information, see [this OpenSearch guide](https://opensearch.org/docs/latest/query-dsl/compound/bool/).
    * `--fielddata-cache-size`: JVM heap size allocated for the `fielddata` data structure. You can specify either an absolute value or percentage, e.g., `512mb` or `50%`. For more information, see [this OpenSearch guide](https://opensearch.org/docs/latest/install-and-configure/configuring-opensearch/index-settings/#cluster-level-index-settings).
    * `--reindex-remote-whitelist`: List of remote hosts whose indexes contain documents to copy for reindexing. Specify the parameter value in `<host_address>:<port>` format. If you need to specify more than one host, list values separated by commas. For more information, see [this OpenSearch guide](https://opensearch.org/docs/latest/im-plugin/reindex-data/#reindex-from-a-remote-cluster).

- REST API {#api}

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Call the [Cluster.Update](../api-ref/Cluster/update.md) method, e.g., via the following [cURL](https://curl.se/) request:

        {% note warning %}
        
        The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `updateMask` parameter as a single comma-separated string.
        
        {% endnote %}

        ```bash
        curl \
            --request PATCH \
            --header "Authorization: Bearer $IAM_TOKEN" \
            --header "Content-Type: application/json" \
            --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters/<cluster_ID>' \
            --data '{
                        "updateMask": "configSpec.opensearchSpec.opensearchConfig_2.maxClauseCount,configSpec.opensearchSpec.opensearchConfig_2.fielddataCacheSize,configSpec.opensearchSpec.opensearchConfig_2.reindexRemoteWhitelist",
                        "configSpec": {
                            "opensearchSpec": {
                                "opensearchConfig_2": {
                                    "maxClauseCount": "<number_of_Boolean_clauses>",
                                    "fielddataCacheSize": "<JVM_heap_size>",
                                    "reindexRemoteWhitelist": "<host_address>:9200"
                                }
                            }
                        }
                    }'
        ```

        Where:

        * `updateMask`: Comma-separated string of settings to update.
        * `configSpec.opensearchSpec.opensearchConfig_2`: OpenSearch settings:

            * `maxClauseCount`: New maximum allowed number of boolean clauses. For more information, see [this OpenSearch guide](https://opensearch.org/docs/latest/query-dsl/compound/bool/).

            * `fielddataCacheSize`: New JVM heap size allocated for the `fielddata` data structure. You can specify either an absolute value or percentage, e.g., `512mb` or `50%`. For more information, see [this OpenSearch guide](https://opensearch.org/docs/latest/install-and-configure/configuring-opensearch/).

            * `reindexRemoteWhitelist`: New list of remote hosts whose indexes contain documents to copy for reindexing. Specify the [host FQDN](connect/fqdn.md) and port 9200, separated by a colon. To specify multiple hosts, list them separated by commas after the port. For more information, see [this OpenSearch guide](https://opensearch.org/docs/latest/im-plugin/reindex-data/#reindex-from-a-remote-cluster).

        You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
       
       ```bash
       cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
       ```
       
       Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
    1. Call the [ClusterService.Update](../api-ref/grpc/Cluster/update.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

        {% note warning %}
        
        The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `update_mask` parameter as an array of `paths[]` strings.
        
        {% cut "Format for listing settings" %}
        
        ```yaml
        "update_mask": {
            "paths": [
                "<setting_1>",
                "<setting_2>",
                ...
                "<setting_N>"
            ]
        }
        ```
        
        {% endcut %}
        
        {% endnote %}

        ```bash
        grpcurl \
            -format json \
            -import-path ~/cloudapi/ \
            -import-path ~/cloudapi/third_party/googleapis/ \
            -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
            -rpc-header "Authorization: Bearer $IAM_TOKEN" \
            -d '{
                    "cluster_id": "<cluster_ID>",
                    "update_mask": {
                        "paths": [
                            "config_spec.opensearch_spec.opensearch_config_2.max_clause_count",
                            "config_spec.opensearch_spec.opensearch_config_2.fielddata_cache_size",
                            "config_spec.opensearch_spec.opensearch_config_2.reindex_remote_whitelist"
                        ]
                    },
                    "config_spec": {
                        "opensearch_spec": {
                            "opensearch_config_2": {
                                "max_clause_count": "<number_of_Boolean_clauses>",
                                "fielddata_cache_size": "<JVM_heap_size>",
                                "reindex_remote_whitelist": "<host_address>:9200"
                            }
                        }
                    }
                }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.opensearch.v1.ClusterService.Update
        ```

        Where:

        * `update_mask`: List of settings you want to update as an array of strings (`paths[]`).

            Here, we provide only one setting.

        * `config_spec.opensearch_spec.opensearch_config_2`: OpenSearch settings:

            * `max_clause_count`: New maximum allowed number of boolean clauses. For more information, see [this OpenSearch guide](https://opensearch.org/docs/latest/query-dsl/compound/bool/).

            * `fielddata_cache_size`: New JVM heap size allocated for the `fielddata` data structure. You can specify either an absolute value or percentage, e.g., `512mb` or `50%`. For more information, see [this OpenSearch guide](https://opensearch.org/docs/latest/install-and-configure/configuring-opensearch/).

            * `reindex_remote_whitelist`: New list of remote hosts whose indexes contain documents to copy for reindexing. Specify the [host FQDN](connect/fqdn.md) and port 9200, separated by a colon. To specify multiple hosts, list them separated by commas after the port. For more information, see [this OpenSearch guide](https://opensearch.org/docs/latest/im-plugin/reindex-data/#reindex-from-a-remote-cluster).

        You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/grpc/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}

## Configuring advanced cluster settings {#change-additional-settings}

{% list tabs group=instructions %}

- Management console {#console}

    1. In the [management console](https://console.yandex.cloud), navigate to the folder page.
    1. Navigate to **Managed Service for&nbsp;OpenSearch**.
    1. Select the cluster and click ![image](../../_assets/console-icons/pencil.svg) **Edit** in the top panel.
    1. Change additional cluster settings:

        * **Maintenance**: [Maintenance window](../concepts/maintenance.md) settings:

            * To enable maintenance at any time, select **At any time** (default).
            * To specify the preferred maintenance start time, select **By schedule** and specify the day of the week and the UTC time interval. For example, you can choose a time when the cluster is least loaded.
            
            Both active and stopped clusters are subject to maintenance. Maintenance operations include DBMS updates, patches, etc.


        * **Deletion protection**: Manages cluster protection against accidental deletion.

            Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.

    1. Click **Save**.

- CLI {#cli}

    If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

    The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

    Run the following command with the list of settings to update:

    ```bash
    yc managed-opensearch cluster update <cluster_name_or_ID> \
       --maintenance schedule=<maintenance_type>,`
                    `weekday=<day_of_week>,`
                    `hour=<hour> \
       --delete-protection \
       --data-transfer-access=<allow_access_from_Data_Transfer> \
       --serverless-access=<allow_access_from_Serverless_Containers>
    ```

    You can get the cluster name and ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    The settings in the command include:

    * `--maintenance`: [Maintenance window](../concepts/maintenance.md) settings, including for stopped clusters:

        * To allow maintenance at any time, set `--maintenance schedule=anytime`.
        * To specify the preferred maintenance start time, set `--maintenance schedule=weekly,weekday=<day_of_week>,hour=<hour_in_UTC>`. In this case, maintenance will take place every week on a specified day at a specified time.

            The valid `weekday` values include `mon`, `tue`, `wed`, `thu`, `fry`, `sat`, `sun`. In the `hour` parameter, specify the maintenance completion time. For example, if you set `14`, maintenance will take place from 13:00 until 14:00 UTC.

    * `--deletion-protection`: Cluster protection from accidental deletion, `true` or `false`.

        Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.


    * `--serverless-access`: Access from [Yandex Serverless Containers](../../serverless-containers/index.md), `true` or `false`.

- Terraform {#tf}

    1. Open the current Terraform configuration file describing your infrastructure.

        For a complete list of configurable Managed Service for OpenSearch cluster fields, see [this Terraform provider guide](../../terraform/resources/mdb_opensearch_cluster.md).

    1. To change the [maintenance](../concepts/maintenance.md) time, including for stopped clusters, specify the following settings in the `maintenance_window` parameter:

        ```hcl
        resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
            ...
            maintenance_window {
                type = "<maintenance_frequency>"
                hour = <hour>
                day  = "<day_of_week>"
            }
        }
        ```

        Specify the following in the parameters:

        * `type`: `ANYTIME` to allow maintenance at any time, or `WEEKLY` to perform maintenance every week.
        * `hour`: Maintenance completion hour, UTC. For example, if you set `14`, maintenance will take place from 13:00 until 14:00 UTC.
        * `day`: Day of week for maintenance. The valid values include `MON`, `TUE`, `WED`, `THU`, `FRI`, `SAT`, `SUN`.

    1. To activate cluster protection against accidental deletion by a user of your cloud, add the `deletion_protection` field set to `true` to the cluster description:

        ```hcl
        resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
            ...
            deletion_protection = <protect_cluster_from_deletion>
        }
        ```

        Where `deletion_protection` is the protection against accidental cluster deletion.

        Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.

    1. Make sure the settings are correct.

        1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
        1. Run this command:
        
           ```bash
           terraform validate
           ```
        
           Terraform will show any errors found in your configuration files.

    1. Confirm updating the resources.

        1. Run this command to view the planned changes:
        
           ```bash
           terraform plan
           ```
        
           If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
        
        1. If everything looks correct, apply the changes:
           1. Run this command:
        
              ```bash
              terraform apply
              ```
        
           1. Confirm updating the resources.
           1. Wait for the operation to complete.

- REST API {#api}

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Call the [Cluster.Update](../api-ref/Cluster/update.md) method, e.g., via the following [cURL](https://curl.se/) request:

        {% note warning %}
        
        The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `updateMask` parameter as a single comma-separated string.
        
        {% endnote %}

        
        ```bash
        curl \
            --request PATCH \
            --header "Authorization: Bearer $IAM_TOKEN" \
            --header "Content-Type: application/json" \
            --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters/<cluster_ID>' \
            --data '{
                        "updateMask": "configSpec.access,deletionProtection,maintenanceWindow",
                        "configSpec": {
                            "access": {
                                "dataTransfer": <allow_access_from_Data_Transfer>,
                                "serverless": <allow_access_from_Serverless_Containers>
                            }
                        },
                        "deletionProtection": <protect_cluster_from_deletion>,
                        "maintenanceWindow": {
                            "weeklyMaintenanceWindow": {
                                "day": "<day_of_week>",
                                "hour": "<hour>"
                            }
                        }
                    }'
        ```


        Where:

        * `updateMask`: Comma-separated string of settings to update.

        
        * `access`: Cluster settings for access to the following Yandex Cloud services:

            * `dataTransfer`: [Yandex Data Transfer](../../data-transfer/index.md)
            * `serverless`: [Yandex Serverless Containers](../../serverless-containers/index.md)

            The possible setting values are `true` or `false`.


        * `deletionProtection`: Cluster deletion protection, `true` or `false`.

            Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.

        * `maintenanceWindow.weeklyMaintenanceWindow`: Maintenance window schedule:

            * `day`: Day of the week, in `DDD` format, for scheduled maintenance.
            * `hour`: Hour, in `HH` format, for scheduled maintenance. The possible values range from `1` to `24`. Use the UTC time zone.

        You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
       
       ```bash
       cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
       ```
       
       Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
    1. Call the [ClusterService.Update](../api-ref/grpc/Cluster/update.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

        {% note warning %}
        
        The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `update_mask` parameter as an array of `paths[]` strings.
        
        {% cut "Format for listing settings" %}
        
        ```yaml
        "update_mask": {
            "paths": [
                "<setting_1>",
                "<setting_2>",
                ...
                "<setting_N>"
            ]
        }
        ```
        
        {% endcut %}
        
        {% endnote %}

        
        ```bash
        grpcurl \
            -format json \
            -import-path ~/cloudapi/ \
            -import-path ~/cloudapi/third_party/googleapis/ \
            -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
            -rpc-header "Authorization: Bearer $IAM_TOKEN" \
            -d '{
                    "cluster_id": "<cluster_ID>",
                    "update_mask": {
                        "paths": [
                            "config_spec.access",
                            "deletion_protection",
                            "maintenance_window"
                        ]
                    },
                    "config_spec": {
                        "access": {
                            "data_transfer": <allow_access_from_Data_Transfer>,
                            "serverless": <allow_access_from_Serverless_Containers>
                        }
                    },
                    "deletion_protection": <protect_cluster_from_deletion>,
                    "maintenance_window": {
                        "weekly_maintenance_window": {
                            "day": "<day_of_week>",
                            "hour": "<hour>"
                        }
                    }
                }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.opensearch.v1.ClusterService.Update
        ```


        Where:

        * `update_mask`: List of settings you want to update as an array of strings (`paths[]`).

            Here, we provide only one setting.

        
        * `access`: Cluster settings for access to the following Yandex Cloud services:

            * `data_transfer`: [Yandex Data Transfer](../../data-transfer/index.md)
            * `serverless`: [Yandex Serverless Containers](../../serverless-containers/index.md)

            The possible values are `true` or `false`.


        * `deletion_protection`: Cluster deletion protection, `true` or `false`.

            Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.

        * `maintenance_window.weekly_maintenance_window`: Maintenance window schedule:

            * `day`: Day of the week, in `DDD` format, for scheduled maintenance.
            * `hour`: Hour, in `HH` format, for scheduled maintenance. The possible values range from `1` to `24`. Use the UTC time zone.

        You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/grpc/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}


## Updating security groups {#change-sg-set}

After you assign other [security groups](../concepts/network.md#security-groups), you may need to [additionally set them up](connect/fqdn.md#security-groups) to connect to the cluster.

{% list tabs group=instructions %}

- Management console {#console}

    1. In the [management console](https://console.yandex.cloud), navigate to the folder page.
    1. Navigate to **Managed Service for&nbsp;OpenSearch**.
    1. Select the cluster and click ![image](../../_assets/console-icons/pencil.svg) **Edit** in the top panel.
    1. Under **Network settings**, select the security groups for cluster network traffic.
    1. Click **Save**.

- CLI {#cli}

    If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

    The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

    To edit the list of security groups for a cluster, specify the security groups you need in the command:

    ```bash
    yc managed-opensearch cluster update <cluster_name_or_ID> \
       --security-group-ids <list_of_security_group_IDs>
    ```

    If you need to specify multiple groups, list them separated by commas.

    You can get the cluster name and ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

- Terraform {#tf}

    1. Open the current Terraform configuration file describing your infrastructure.

        For a complete list of configurable Managed Service for OpenSearch cluster fields, see [this Terraform provider guide](../../terraform/resources/mdb_opensearch_cluster.md).

    1. In the `security_group_ids` field, list the security group IDs separated by commas:

        ```hcl
        resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
            ...
            security_group_ids = [ "<security_groups>" ]
        }
        ```

    1. Make sure the settings are correct.

        1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
        1. Run this command:
        
           ```bash
           terraform validate
           ```
        
           Terraform will show any errors found in your configuration files.

    1. Confirm updating the resources.

        1. Run this command to view the planned changes:
        
           ```bash
           terraform plan
           ```
        
           If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
        
        1. If everything looks correct, apply the changes:
           1. Run this command:
        
              ```bash
              terraform apply
              ```
        
           1. Confirm updating the resources.
           1. Wait for the operation to complete.

- REST API {#api}

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Call the [Cluster.Update](../api-ref/Cluster/update.md) method, e.g., via the following [cURL](https://curl.se/) request:

        {% note warning %}
        
        The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `updateMask` parameter as a single comma-separated string.
        
        {% endnote %}

        ```bash
        curl \
            --request PATCH \
            --header "Authorization: Bearer $IAM_TOKEN" \
            --header "Content-Type: application/json" \
            --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters/<cluster_ID>' \
            --data '{
                        "updateMask": "securityGroupIds",
                        "securityGroupIds": [
                            "<security_group_1_ID>",
                            "<security_group_2_ID>",
                            ...
                            "<security_group_N_ID>"
                        ]
                    }'
        ```

        Where:

        * `updateMask`: Comma-separated string of settings to update.

            Here, we provide only one setting.

        * `securityGroupIds`: Security group IDs.

        You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

    1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

        ```bash
        export IAM_TOKEN="<IAM_token>"
        ```

    1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
       
       ```bash
       cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
       ```
       
       Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
    1. Call the [ClusterService.Update](../api-ref/grpc/Cluster/update.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

        {% note warning %}
        
        The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the `update_mask` parameter as an array of `paths[]` strings.
        
        {% cut "Format for listing settings" %}
        
        ```yaml
        "update_mask": {
            "paths": [
                "<setting_1>",
                "<setting_2>",
                ...
                "<setting_N>"
            ]
        }
        ```
        
        {% endcut %}
        
        {% endnote %}

        ```bash
        grpcurl \
            -format json \
            -import-path ~/cloudapi/ \
            -import-path ~/cloudapi/third_party/googleapis/ \
            -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
            -rpc-header "Authorization: Bearer $IAM_TOKEN" \
            -d '{
                    "cluster_id": "<cluster_ID>",
                    "update_mask": {
                        "paths": [
                            "security_group_ids"
                        ]
                    },
                    "security_group_ids": [
                        "<security_group_1_ID>",
                        "<security_group_2_ID>",
                        ...
                        "<security_group_N_ID>"
                    ]
                }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.opensearch.v1.ClusterService.Update
        ```

        Where:

        * `update_mask`: List of settings you want to update as an array of strings (`paths[]`).

            Here, we provide only one setting.

        * `security_group_ids`: Security group IDs.

        You can get the cluster ID with the [list of clusters in the folder](cluster-list.md#list-clusters).

    1. Check the [server response](../api-ref/grpc/Cluster/update.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}