(opensearch): Response object is too long from cloudformation when adding enough access policies despite the update succeeding.

[wordlesstruth]

Describe the bug

If you add enough access policies the response data from lambda is problematic.

The code is even aware of this limitation. However, clearly this is not sufficient.

We should be able to add policies that succeed in being updated on the domain by simply suppressing this data output.

    "Status": "SUCCESS",
    "Reason": "OK",
    "PhysicalResourceId": "blahAccessPolicy",
    "StackId": "arn:aws:cloudformation:us-west-2:blah:stack/blah-us-west-2/blah",
    "RequestId": "blah",
    "LogicalResourceId": "blahPolicy",
    "NoEcho": false,
    "Data": {
        "DomainConfig.AccessPolicies.Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"blah.blah.blah.blah.blah.blah\",\"us-west-2.blah.blah.blah.blah.blah\"]},\"Action\":\"es:ESHttp*\",\"Resource\":[\"arn:aws:es:us-west-2:blah:domain/blah/\",\"arn:aws:es:us-west-2:blah:domain/blah/*\"],\"Condition\":{\"ArnEquals\":{\"aws:PrincipalArn\":\"arn:aws:iam::*:role/blah\"}}} <TRUNCATED FOR BREVITY>",
        "DomainConfig.AccessPolicies.Status.PendingDeletion": false,
        "DomainConfig.AccessPolicies.Status.State": "Processing",
        "DomainConfig.AccessPolicies.Status.UpdateVersion": 45
    }

Expected Behavior

Ability to add access policies up to opensearch limit, not cloudformation limits imposed by this custom resource.

Current Behavior

Failed cloudformation deployments.

UPDATE_FAILED | Response object is too long.

Reproduction Steps

Add enough access policies to an opensearch domain and try to deploy it via cdk.

Possible Solution

• Ability to add a NoEcho to custom resource
• Ability to disable output DomainConfig.AccessPolicies.Options

Additional Information/Context

No response

CDK CLI Version

2.126.0 (build fb74c41)

Framework Version

No response

Node.js Version

18

OS

AL2

Language

TypeScript

Language Version

No response

Other information

No response

[wordlesstruth]

I think I was able to workaround this by cloning this code and doing this myself: outputPaths: ['DomainConfig.AccessPolicies.Status'], note the deeper key of Status

[pahud]

Yes we can always workdaround this by outputPaths.

The code is aware of that but the payload is from custom resource and I believe CDK actually can't see and validate that in synth time.

[wordlesstruth]

Right, but I had to clone-and-own my own version to make this work - I'm wondering if it would be sufficient to merge in a change where you do go deeper one Key in the outputPaths ['DomainConfig.AccessPolicies.Status'] rather than ['DomainConfig.AccessPolicies'], or if anybody for some reason needs that Options key.. just give us the option to do something ourselves here.