Closed
Description
Describe the bug
If you add enough access policies, the response data from Lambda is problematic.
The code is even aware of this limitation. However, clearly this is not sufficient.
We should be able to add policies that succeed in being updated on the domain by simply suppressing this data output.
```json
{
  "Status": "SUCCESS",
  "Reason": "OK",
  "PhysicalResourceId": "blahAccessPolicy",
  "StackId": "arn:aws:cloudformation:us-west-2:blah:stack/blah-us-west-2/blah",
  "RequestId": "blah",
  "LogicalResourceId": "blahPolicy",
  "NoEcho": false,
  "Data": {
    "DomainConfig.AccessPolicies.Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"blah.blah.blah.blah.blah.blah\",\"us-west-2.blah.blah.blah.blah.blah\"]},\"Action\":\"es:ESHttp*\",\"Resource\":[\"arn:aws:es:us-west-2:blah:domain/blah/\",\"arn:aws:es:us-west-2:blah:domain/blah/*\"],\"Condition\":{\"ArnEquals\":{\"aws:PrincipalArn\":\"arn:aws:iam::*:role/blah\"}}} <TRUNCATED FOR BREVITY>",
    "DomainConfig.AccessPolicies.Status.PendingDeletion": false,
    "DomainConfig.AccessPolicies.Status.State": "Processing",
    "DomainConfig.AccessPolicies.Status.UpdateVersion": 45
  }
}
```
Expected Behavior
Ability to add access policies up to the OpenSearch limit, not the CloudFormation limits imposed by this custom resource.
Current Behavior
Failed CloudFormation deployments.
UPDATE_FAILED | Response object is too long.
Reproduction Steps
Add enough access policies to an OpenSearch domain and try to deploy it via CDK.
Possible Solution
- Ability to add a NoEcho to custom resource
- Ability to disable output DomainConfig.AccessPolicies.Options
Additional Information/Context
No response
CDK CLI Version
2.126.0 (build fb74c41)
Framework Version
No response
Node.js Version
18
OS
AL2
Language
TypeScript
Language Version
No response
Other information
No response
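The failure reported above, reproduced offline as an added example (not code from the issue or from aws-cdk): a custom resource response that echoes the whole access policy grows past CloudFormation's 4096-byte response limit, while one restricted to the `DomainConfig.AccessPolicies.Status` keys stays small. The helper names, the account ID and the generated policy are constructed for illustration.

```typescript
// Added illustration, not aws-cdk source; helper names and sample values are constructed.
const CFN_RESPONSE_LIMIT_BYTES = 4096; // CloudFormation cap on a custom resource response body
type Flat = Record<string, string | number | boolean>;

// Flatten a nested SDK response into dotted keys, the shape of "Data" in the report.
function flatten(value: unknown, prefix = "", out: Flat = {}): Flat {
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    for (const k of Object.keys(obj)) flatten(obj[k], prefix ? `${prefix}.${k}` : k, out);
  } else if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
    out[prefix] = value;
  }
  return out;
}

// Keep only keys equal to, or nested under, one of the allowed dotted paths.
function filterPaths(data: Flat, allowed: string[]): Flat {
  const out: Flat = {};
  for (const k of Object.keys(data))
    if (allowed.some((p) => k === p || k.indexOf(p + ".") === 0)) out[k] = data[k];
  return out;
}

// UTF-8 byte length: after percent-encoding, every %XX escape stands for one byte.
function utf8Bytes(s: string): number {
  return encodeURIComponent(s).replace(/%[0-9A-F]{2}/g, "_").length;
}

// Serialize the envelope and check its size. NoEcho masks Fn::GetAtt values; the body is still sent in full.
function buildResponse(data: Flat, noEcho = false): { bytes: number; fits: boolean } {
  const body = JSON.stringify({ Status: "SUCCESS", Reason: "OK", NoEcho: noEcho, Data: data,
    PhysicalResourceId: "exampleAccessPolicy", LogicalResourceId: "examplePolicy",
    RequestId: "example", StackId: "arn:aws:cloudformation:us-west-2:111111111111:stack/ex/ex" });
  const bytes = utf8Bytes(body);
  return { bytes, fits: bytes <= CFN_RESPONSE_LIMIT_BYTES };
}

// Constructed sample: an SDK result whose access policy has n statements.
function sampleSdkResponse(n: number): unknown {
  const Statement: object[] = [];
  for (let i = 0; i < n; i++) {
    Statement.push({ Effect: "Allow", Principal: { AWS: "*" }, Action: "es:ESHttp*",
      Resource: "arn:aws:es:us-west-2:111111111111:domain/example/*",
      Condition: { ArnEquals: { "aws:PrincipalArn": `arn:aws:iam::*:role/example-${i}` } } });
  }
  const Options = JSON.stringify({ Version: "2012-10-17", Statement });
  const Status = { PendingDeletion: false, State: "Processing", UpdateVersion: 45 };
  return { DomainConfig: { AccessPolicies: { Options, Status } } };
}
```

With 40 generated statements, `buildResponse(flatten(sampleSdkResponse(40)))` reports `fits: false` whether or not `noEcho` is set, and the same data passed through `filterPaths(..., ["DomainConfig.AccessPolicies.Status"])` fits.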