From 4810337e4817702b77d3c37e334e99ee7c5f0656 Mon Sep 17 00:00:00 2001 
From: sakurai-ryo Date: Sun, 14 Jan 2024 21:10:01 +0900 Subject: [PATCH 1/4] fix: always create logs resource policy --- ...efaultTestDeployAssert4E6713E1.assets.json | 19 ++ ...aultTestDeployAssert4E6713E1.template.json | 36 +++ .../cdk.out | 1 + .../cdkinteg-logs-resource-policy.assets.json | 19 ++ ...dkinteg-logs-resource-policy.template.json | 80 ++++++ ...h-without-logs-resource-policy.assets.json | 19 ++ ...without-logs-resource-policy.template.json | 76 +++++ .../integ.json | 13 + .../manifest.json | 180 ++++++++++++ .../tree.json | 262 ++++++++++++++++++ ...opensearch.without-logs-resource-policy.ts | 59 ++++ .../aws-opensearchservice/README.md | 30 ++ .../aws-opensearchservice/lib/domain.ts | 16 +- .../aws-opensearchservice/test/domain.test.ts | 40 +++ 14 files changed, 849 insertions(+), 1 deletion(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-logs-resource-policy.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-logs-resource-policy.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-opensearch-without-logs-resource-policy.assets.json create mode 
100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-opensearch-without-logs-resource-policy.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.assets.json new file mode 100644 index 0000000000000..2af610f0d4a39 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.assets.json 
@@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "IntegDefaultTestDeployAssert4E6713E1.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-logs-resource-policy.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-logs-resource-policy.assets.json new file mode 100644 index 0000000000000..4361ea71d26d3 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-logs-resource-policy.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "b28947aeeba66bf4f0536d9f9247536550ef76df37056fd2b87a5b1abaadefa9": { + "source": { + "path": "cdkinteg-logs-resource-policy.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "b28947aeeba66bf4f0536d9f9247536550ef76df37056fd2b87a5b1abaadefa9.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-logs-resource-policy.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-logs-resource-policy.template.json new file mode 100644 index 0000000000000..aed9c35f54f43 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-logs-resource-policy.template.json 
@@ -0,0 +1,80 @@ +{ + "Resources": { + "AppLogsGroupC90FBC0A": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ResourcePolicyD790E185": { + "Type": "AWS::Logs::ResourcePolicy", + "Properties": { + "PolicyDocument": { + "Fn::Join": [ + "", + [ + "{\"Statement\":[{\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"es.amazonaws.com\"},\"Resource\":\"", + { + "Fn::GetAtt": [ + "AppLogsGroupC90FBC0A", + "Arn" + ] + }, + "\"}],\"Version\":\"2012-10-17\"}" + ] + ] + }, + "PolicyName": "cdkinteglogsresourcepolicyResourcePolicyB41E8C17" + } + } + }, + "Outputs": { + "ExportsOutputFnGetAttAppLogsGroupC90FBC0AArn7BBE8767": { + "Value": { + "Fn::GetAtt": [ + "AppLogsGroupC90FBC0A", + "Arn" + ] + }, + "Export": { + "Name": "cdkinteg-logs-resource-policy:ExportsOutputFnGetAttAppLogsGroupC90FBC0AArn7BBE8767" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-opensearch-without-logs-resource-policy.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-opensearch-without-logs-resource-policy.assets.json new file mode 100644 index 0000000000000..a9bd7ad573ee2 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-opensearch-without-logs-resource-policy.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "de86b1eaf845dfa11f5301ca4a35cb0af9d1997e8a32182a6993e6206b5d0c53": { + "source": { + "path": "cdkinteg-opensearch-without-logs-resource-policy.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "de86b1eaf845dfa11f5301ca4a35cb0af9d1997e8a32182a6993e6206b5d0c53.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-opensearch-without-logs-resource-policy.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-opensearch-without-logs-resource-policy.template.json new file mode 100644 index 0000000000000..7e4a49203b445 --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/cdkinteg-opensearch-without-logs-resource-policy.template.json @@ -0,0 +1,76 @@ +{ + "Resources": { + "Domain66AC69E0": { + "Type": "AWS::OpenSearchService::Domain", + "Properties": { + "ClusterConfig": { + "DedicatedMasterEnabled": false, + "InstanceCount": 1, + "InstanceType": "r5.large.search", + "MultiAZWithStandbyEnabled": false, + "ZoneAwarenessEnabled": false + }, + "DomainEndpointOptions": { + "EnforceHTTPS": false, + "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07" + }, + "EBSOptions": { + "EBSEnabled": true, + "VolumeSize": 10, + "VolumeType": "gp2" + }, + "EncryptionAtRestOptions": { + "Enabled": false + }, + "EngineVersion": "OpenSearch_2.11", + "LogPublishingOptions": { + "ES_APPLICATION_LOGS": { + "CloudWatchLogsLogGroupArn": { + "Fn::ImportValue": "cdkinteg-logs-resource-policy:ExportsOutputFnGetAttAppLogsGroupC90FBC0AArn7BBE8767" + }, + "Enabled": true + } + }, + "NodeToNodeEncryptionOptions": { + "Enabled": false + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/integ.json new file mode 100644 index 0000000000000..e022145cd949f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "36.0.0", + "testCases": { + "Integ/DefaultTest": { + "stacks": [ + "cdkinteg-logs-resource-policy", + "cdkinteg-opensearch-without-logs-resource-policy" + ], + "assertionStack": "Integ/DefaultTest/DeployAssert", + "assertionStackName": "IntegDefaultTestDeployAssert4E6713E1" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/manifest.json new file mode 100644 index 0000000000000..1c88454fbf4d4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/manifest.json 
@@ -0,0 +1,180 @@ +{ + "version": "36.0.0", + "artifacts": { + "cdkinteg-logs-resource-policy.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "cdkinteg-logs-resource-policy.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "cdkinteg-logs-resource-policy": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "cdkinteg-logs-resource-policy.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b28947aeeba66bf4f0536d9f9247536550ef76df37056fd2b87a5b1abaadefa9.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "cdkinteg-logs-resource-policy.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "cdkinteg-logs-resource-policy.assets" + ], + "metadata": { + "/cdkinteg-logs-resource-policy/AppLogsGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AppLogsGroupC90FBC0A" + } + ], + "/cdkinteg-logs-resource-policy/ResourcePolicy/ResourcePolicy": [ + { + "type": "aws:cdk:logicalId", + "data": "ResourcePolicyD790E185" + } + ], + "/cdkinteg-logs-resource-policy/Exports/Output{\"Fn::GetAtt\":[\"AppLogsGroupC90FBC0A\",\"Arn\"]}": [ + { + "type": 
"aws:cdk:logicalId", + "data": "ExportsOutputFnGetAttAppLogsGroupC90FBC0AArn7BBE8767" + } + ], + "/cdkinteg-logs-resource-policy/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/cdkinteg-logs-resource-policy/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "cdkinteg-logs-resource-policy" + }, + "cdkinteg-opensearch-without-logs-resource-policy.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "cdkinteg-opensearch-without-logs-resource-policy.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "cdkinteg-opensearch-without-logs-resource-policy": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "cdkinteg-opensearch-without-logs-resource-policy.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/de86b1eaf845dfa11f5301ca4a35cb0af9d1997e8a32182a6993e6206b5d0c53.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "cdkinteg-opensearch-without-logs-resource-policy.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + 
"cdkinteg-logs-resource-policy", + "cdkinteg-opensearch-without-logs-resource-policy.assets" + ], + "metadata": { + "/cdkinteg-opensearch-without-logs-resource-policy/Domain/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Domain66AC69E0" + } + ], + "/cdkinteg-opensearch-without-logs-resource-policy/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/cdkinteg-opensearch-without-logs-resource-policy/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "cdkinteg-opensearch-without-logs-resource-policy" + }, + "IntegDefaultTestDeployAssert4E6713E1.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "IntegDefaultTestDeployAssert4E6713E1.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "IntegDefaultTestDeployAssert4E6713E1": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "IntegDefaultTestDeployAssert4E6713E1.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "IntegDefaultTestDeployAssert4E6713E1.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + 
"requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "IntegDefaultTestDeployAssert4E6713E1.assets" + ], + "metadata": { + "/Integ/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/Integ/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "Integ/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/tree.json new file mode 100644 index 0000000000000..6ce64c2435012 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.js.snapshot/tree.json 
@@ -0,0 +1,262 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "cdkinteg-logs-resource-policy": { + "id": "cdkinteg-logs-resource-policy", + "path": "cdkinteg-logs-resource-policy", + "children": { + "AppLogsGroup": { + "id": "AppLogsGroup", + "path": "cdkinteg-logs-resource-policy/AppLogsGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "cdkinteg-logs-resource-policy/AppLogsGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", + "aws:cdk:cloudformation:props": { + "retentionInDays": 731 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.CfnLogGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.LogGroup", + "version": "0.0.0" + } + }, + "ResourcePolicy": { + "id": "ResourcePolicy", + "path": "cdkinteg-logs-resource-policy/ResourcePolicy", + "children": { + "ResourcePolicy": { + "id": "ResourcePolicy", + "path": "cdkinteg-logs-resource-policy/ResourcePolicy/ResourcePolicy", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Logs::ResourcePolicy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Fn::Join": [ + "", + [ + "{\"Statement\":[{\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"es.amazonaws.com\"},\"Resource\":\"", + { + "Fn::GetAtt": [ + "AppLogsGroupC90FBC0A", + "Arn" + ] + }, + "\"}],\"Version\":\"2012-10-17\"}" + ] + ] + }, + "policyName": "cdkinteglogsresourcepolicyResourcePolicyB41E8C17" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.CfnResourcePolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.ResourcePolicy", + "version": "0.0.0" + } + }, + "Exports": { + "id": "Exports", + "path": "cdkinteg-logs-resource-policy/Exports", + "children": { + "Output{\"Fn::GetAtt\":[\"AppLogsGroupC90FBC0A\",\"Arn\"]}": { + "id": "Output{\"Fn::GetAtt\":[\"AppLogsGroupC90FBC0A\",\"Arn\"]}", 
+ "path": "cdkinteg-logs-resource-policy/Exports/Output{\"Fn::GetAtt\":[\"AppLogsGroupC90FBC0A\",\"Arn\"]}", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnOutput", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "cdkinteg-logs-resource-policy/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "cdkinteg-logs-resource-policy/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "cdkinteg-opensearch-without-logs-resource-policy": { + "id": "cdkinteg-opensearch-without-logs-resource-policy", + "path": "cdkinteg-opensearch-without-logs-resource-policy", + "children": { + "Domain": { + "id": "Domain", + "path": "cdkinteg-opensearch-without-logs-resource-policy/Domain", + "children": { + "Resource": { + "id": "Resource", + "path": "cdkinteg-opensearch-without-logs-resource-policy/Domain/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::OpenSearchService::Domain", + "aws:cdk:cloudformation:props": { + "clusterConfig": { + "dedicatedMasterEnabled": false, + "instanceCount": 1, + "instanceType": "r5.large.search", + "multiAzWithStandbyEnabled": false, + "zoneAwarenessEnabled": false + }, + "domainEndpointOptions": { + "enforceHttps": false, + "tlsSecurityPolicy": "Policy-Min-TLS-1-0-2019-07" + }, + "ebsOptions": { + "ebsEnabled": true, + "volumeSize": 10, + "volumeType": "gp2" + }, + "encryptionAtRestOptions": { + "enabled": false + }, + "engineVersion": "OpenSearch_2.11", + "logPublishingOptions": { + "ES_APPLICATION_LOGS": { + "enabled": true, + "cloudWatchLogsLogGroupArn": { + "Fn::ImportValue": 
"cdkinteg-logs-resource-policy:ExportsOutputFnGetAttAppLogsGroupC90FBC0AArn7BBE8767" + } + } + }, + "nodeToNodeEncryptionOptions": { + "enabled": false + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_opensearchservice.CfnDomain", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_opensearchservice.Domain", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "cdkinteg-opensearch-without-logs-resource-policy/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "cdkinteg-opensearch-without-logs-resource-policy/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "Integ": { + "id": "Integ", + "path": "Integ", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "Integ/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "Integ/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "Integ/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "Integ/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "Integ/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": 
"@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.ts new file mode 100644 index 0000000000000..7b9e887a318ff --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.without-logs-resource-policy.ts 
@@ -0,0 +1,59 @@
+import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+// Assume that the CloudWatch Logs resource policy is created by another stack
+class LogsResourcePolicy extends Stack {
+ public readonly logGroup: logs.LogGroup;
+
+ constructor(scope: Construct, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ this.logGroup = new logs.LogGroup(this, 'AppLogsGroup', {
+ removalPolicy: RemovalPolicy.DESTROY,
+ });
+
+ const resourcePolicy = new logs.ResourcePolicy(this, 'ResourcePolicy');
+ resourcePolicy.document.addStatements(new iam.PolicyStatement({
+ actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
+ principals: [new iam.ServicePrincipal('es.amazonaws.com')],
+ resources: [this.logGroup.logGroupArn],
+ }));
+ }
+}
+
+interface TestStackProps extends StackProps {
+ logGroup: logs.LogGroup;
+}
+
+class TestStack extends Stack {
+ constructor(scope: Construct, id: string, props: TestStackProps) {
+ super(scope, id, props);
+
+ const domainProps: opensearch.DomainProps = {
+ version: opensearch.EngineVersion.OPENSEARCH_2_11,
+ removalPolicy: RemovalPolicy.DESTROY,
+ logging: {
+ appLogEnabled: true,
+ appLogGroup: props.logGroup,
+ },
+ suppressLogsResourcePolicy: true,
+ capacity: {
+ multiAzWithStandbyEnabled: false,
+ },
+ };
+
+ new opensearch.Domain(this, 'Domain', domainProps);
+ }
+}
+
+const app = new App();
+const logGroupStack = new LogsResourcePolicy(app, 'cdkinteg-logs-resource-policy');
+const testStack = new TestStack(app, 'cdkinteg-opensearch-without-logs-resource-policy', {
+ logGroup: logGroupStack.logGroup,
+});
+
+new IntegTest(app, 'Integ', { testCases: [logGroupStack, testStack] });
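Review bot: The test covers only the case where the caller passes its own `appLogGroup` and a policy scoped to that group's ARN, while the README example added in this patch sets `suppressLogsResourcePolicy: true` and leaves the log groups to the construct. In that second case the externally managed policy has to cover log groups it did not create, and nothing here exercises it. Either add a second test case or state the scope on `TestStack`, e.g. `// Covers a caller-supplied log group only; the external policy is scoped to that group's ARN.` The `IntegTest` declares no assertions, so as written it checks that both stacks deploy, not that application logs actually reach the group.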
diff --git a/packages/aws-cdk-lib/aws-opensearchservice/README.md b/packages/aws-cdk-lib/aws-opensearchservice/README.md index 9078815c579e8..dbbda2cad745e 100644 --- a/packages/aws-cdk-lib/aws-opensearchservice/README.md +++ b/packages/aws-cdk-lib/aws-opensearchservice/README.md @@ -349,6 +349,36 @@ const domain = new Domain(this, 'Domain', { }); ``` +## Suppress CloudWatch Logs resource policy + +When logging is enabled for the domain, the CloudWatch Logs resource policy is created by default. +This resource policy is necessary for logging, but since only a maximum of 10 resource policies can be created per region, +the maximum number of resource policies may be a problem when enabling logging for several domains. +By setting the `suppressLogsResourcePolicy` option to true, you can suppress the creation of a CloudWatch Logs resource policy. + +```ts +const domain = new Domain(this, 'Domain', { + version: EngineVersion.OPENSEARCH_1_0, + enforceHttps: true, + nodeToNodeEncryption: true, + encryptionAtRest: { + enabled: true, + }, + fineGrainedAccessControl: { + masterUserName: 'master-user', + }, + logging: { + auditLogEnabled: true, + slowSearchLogEnabled: true, + appLogEnabled: true, + slowIndexLogEnabled: true, + }, + suppressLogsResourcePolicy: true, +}); +``` + +> Visit [Monitoring OpenSearch logs with Amazon CloudWatch Logs](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html) for more details. + ## UltraWarm UltraWarm nodes can be enabled to provide a cost-effective way to store large amounts of read-only data. diff --git a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts index 81e94e80bb9b2..6008bedc711f9 100644 --- a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts +++ b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts 
@@ -668,6 +668,20 @@ export interface DomainProps { * @default - IpAddressType.IPV4 */ readonly ipAddressType?: IpAddressType; + + /** + * Specify whether to create a CloudWatch Logs resource policy or not. + * + * When logging is enabled for the domain, a CloudWatch Logs resource policy is created by default. + * However, there is a limit of 10 resource policies per region. + * If you enable logging for several domains, it may hit the resource limit and cause an error. + * By setting this property to true, creating a resource policy is suppressed, allowing you to avoid this issue. + * + * @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html + * + * @default - false + */ + readonly suppressLogsResourcePolicy?: boolean; } /** @@ -1730,7 +1744,7 @@ export class Domain extends DomainBase implements IDomain, ec2.IConnectable { }; let logGroupResourcePolicy: LogGroupResourcePolicy | null = null; - if (logGroups.length > 0) { + if (logGroups.length > 0 && !props.suppressLogsResourcePolicy) { const logPolicyStatement = new iam.PolicyStatement({ effect: iam.Effect.ALLOW, actions: ['logs:PutLogEvents', 'logs:CreateLogStream'], diff --git a/packages/aws-cdk-lib/aws-opensearchservice/test/domain.test.ts b/packages/aws-cdk-lib/aws-opensearchservice/test/domain.test.ts index aab03cc079d1d..7c941c784a572 100644 --- a/packages/aws-cdk-lib/aws-opensearchservice/test/domain.test.ts +++ b/packages/aws-cdk-lib/aws-opensearchservice/test/domain.test.ts @@ -434,6 +434,7 @@ each([testedOpenSearchVersions]).describe('log groups', (engineVersion) => { }, }); + Template.fromStack(stack).resourceCountIs('Custom::CloudwatchLogResourcePolicy', 1); Template.fromStack(stack).hasResourceProperties('AWS::OpenSearchService::Domain', { LogPublishingOptions: { SEARCH_SLOW_LOGS: { 
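Review bot: In the `@@ -1730,7 +1744,7 @@` hunk of domain.ts, the new `!props.suppressLogsResourcePolicy` guard skips the policy silently, and nothing at synth time tells the user that log delivery now depends on a policy CDK cannot see. If that external policy is missing or does not cover the log group, the likely outcome is a failed deployment or logs that never arrive, which matters most when `auditLogEnabled` is set. I would emit a warning when the flag is set while `logGroups.length > 0`, e.g. `Annotations.of(this).addWarning('suppressLogsResourcePolicy is set: a CloudWatch Logs resource policy allowing es.amazonaws.com to write to the domain log groups must already exist');`, assuming `Annotations` is or can be imported in this file. The enclosing constructor starts and ends outside the hunk.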
@@ -460,6 +461,7 @@ each([testedOpenSearchVersions]).describe('log groups', (engineVersion) => { }, }); + Template.fromStack(stack).resourceCountIs('Custom::CloudwatchLogResourcePolicy', 1); Template.fromStack(stack).hasResourceProperties('AWS::OpenSearchService::Domain', { LogPublishingOptions: { INDEX_SLOW_LOGS: { @@ -486,6 +488,7 @@ each([testedOpenSearchVersions]).describe('log groups', (engineVersion) => { }, }); + Template.fromStack(stack).resourceCountIs('Custom::CloudwatchLogResourcePolicy', 1); Template.fromStack(stack).hasResourceProperties('AWS::OpenSearchService::Domain', { LogPublishingOptions: { ES_APPLICATION_LOGS: { @@ -520,6 +523,7 @@ each([testedOpenSearchVersions]).describe('log groups', (engineVersion) => { enforceHttps: true, }); + Template.fromStack(stack).resourceCountIs('Custom::CloudwatchLogResourcePolicy', 1); Template.fromStack(stack).hasResourceProperties('AWS::OpenSearchService::Domain', { LogPublishingOptions: { AUDIT_LOGS: { @@ -555,6 +559,8 @@ each([testedOpenSearchVersions]).describe('log groups', (engineVersion) => { slowIndexLogEnabled: true, }, }); + + Template.fromStack(stack).resourceCountIs('Custom::CloudwatchLogResourcePolicy', 2); Template.fromStack(stack).hasResourceProperties('AWS::OpenSearchService::Domain', { LogPublishingOptions: { ES_APPLICATION_LOGS: { @@ -693,6 +699,7 @@ each([testedOpenSearchVersions]).describe('log groups', (engineVersion) => { }, }); + Template.fromStack(stack).resourceCountIs('Custom::CloudwatchLogResourcePolicy', 1); Template.fromStack(stack).hasResourceProperties('AWS::OpenSearchService::Domain', { LogPublishingOptions: { SEARCH_SLOW_LOGS: { @@ -722,6 +729,7 @@ each([testedOpenSearchVersions]).describe('log groups', (engineVersion) => { }, }); + Template.fromStack(stack).resourceCountIs('Custom::CloudwatchLogResourcePolicy', 1); Template.fromStack(stack).hasResourceProperties('AWS::OpenSearchService::Domain', { LogPublishingOptions: { INDEX_SLOW_LOGS: { 
@@ -751,6 +759,7 @@ each([testedOpenSearchVersions]).describe('log groups', (engineVersion) => { }, }); + Template.fromStack(stack).resourceCountIs('Custom::CloudwatchLogResourcePolicy', 1); Template.fromStack(stack).hasResourceProperties('AWS::OpenSearchService::Domain', { LogPublishingOptions: { ES_APPLICATION_LOGS: { @@ -788,6 +797,7 @@ each([testedOpenSearchVersions]).describe('log groups', (engineVersion) => { }, }); + Template.fromStack(stack).resourceCountIs('Custom::CloudwatchLogResourcePolicy', 1); Template.fromStack(stack).hasResourceProperties('AWS::OpenSearchService::Domain', { LogPublishingOptions: { AUDIT_LOGS: { @@ -806,6 +816,36 @@ each([testedOpenSearchVersions]).describe('log groups', (engineVersion) => { }); }); + test('can suppress creation of a CloudWatch Logs resource policy', () => { + new Domain(stack, 'Domain1', { + version: engineVersion, + logging: { + appLogEnabled: true, + appLogGroup: new logs.LogGroup(stack, 'AppLogs', { + retention: logs.RetentionDays.THREE_MONTHS, + }), + }, + suppressLogsResourcePolicy: true, + }); + + Template.fromStack(stack).resourceCountIs('Custom::CloudwatchLogResourcePolicy', 0); + Template.fromStack(stack).hasResourceProperties('AWS::OpenSearchService::Domain', { + LogPublishingOptions: { + ES_APPLICATION_LOGS: { + CloudWatchLogsLogGroupArn: { + 'Fn::GetAtt': [ + 'AppLogsC5DF83A6', + 'Arn', + ], + }, + Enabled: true, + }, + AUDIT_LOGS: Match.absent(), + SEARCH_SLOW_LOGS: Match.absent(), + INDEX_SLOW_LOGS: Match.absent(), + }, + }); + }); }); each(testedOpenSearchVersions).describe('grants', (engineVersion) => { From 812727a107a78304692b0f37dbf92f2d3e34c8d6 Mon Sep 17 00:00:00 2001 From: sakurai-ryo Date: Mon, 15 Jan 2024 00:33:15 +0900 Subject: [PATCH 2/4] fix comments --- packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts index 6008bedc711f9..c4341228e5fbf 100644 --- a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts +++ b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts @@ -673,9 +673,9 @@ export interface DomainProps { * Specify whether to create a CloudWatch Logs resource policy or not. * * When logging is enabled for the domain, a CloudWatch Logs resource policy is created by default. - * However, there is a limit of 10 resource policies per region. - * If you enable logging for several domains, it may hit the resource limit and cause an error. - * By setting this property to true, creating a resource policy is suppressed, allowing you to avoid this issue. + * However, CloudWatch Logs supports only 10 resource policies per region. + * If you enable logging for several domains, it may hit the quota and cause an error. + * By setting this property to true, creating a resource policy is suppressed, allowing you to avoid this problem. * * @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html * From 8bd8ec67e51fa175db84074fc1c5aca989c67c70 Mon Sep 17 00:00:00 2001 From: sakurai-ryo Date: Mon, 15 Jan 2024 00:34:31 +0900 Subject: [PATCH 3/4] readme --- packages/aws-cdk-lib/aws-opensearchservice/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-opensearchservice/README.md b/packages/aws-cdk-lib/aws-opensearchservice/README.md index dbbda2cad745e..245eec108b87d 100644 --- a/packages/aws-cdk-lib/aws-opensearchservice/README.md +++ b/packages/aws-cdk-lib/aws-opensearchservice/README.md 
@@ -349,7 +349,7 @@ const domain = new Domain(this, 'Domain', { }); ``` -## Suppress CloudWatch Logs resource policy +## Suppress creating CloudWatch Logs resource policy When logging is enabled for the domain, the CloudWatch Logs resource policy is created by default. This resource policy is necessary for logging, but since only a maximum of 10 resource policies can be created per region, From 310ca42a21d247f46cc427749205fdd4053523d8 Mon Sep 17 00:00:00 2001 From: sakurai-ryo Date: Thu, 18 Jan 2024 12:52:11 +0900 Subject: [PATCH 4/4] improve doc --- packages/aws-cdk-lib/aws-opensearchservice/README.md | 3 +++ packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts | 2 ++ 2 files changed, 5 insertions(+) diff --git a/packages/aws-cdk-lib/aws-opensearchservice/README.md b/packages/aws-cdk-lib/aws-opensearchservice/README.md index 245eec108b87d..f4450a3934987 100644 --- a/packages/aws-cdk-lib/aws-opensearchservice/README.md +++ b/packages/aws-cdk-lib/aws-opensearchservice/README.md @@ -356,6 +356,9 @@ This resource policy is necessary for logging, but since only a maximum of 10 re the maximum number of resource policies may be a problem when enabling logging for several domains. By setting the `suppressLogsResourcePolicy` option to true, you can suppress the creation of a CloudWatch Logs resource policy. +If you set the `suppressLogsResourcePolicy` option to true, you must create a resource policy before deployment. +Also, to avoid reaching this limit, consider reusing a broader policy that includes multiple log groups. + ```ts const domain = new Domain(this, 'Domain', { version: EngineVersion.OPENSEARCH_1_0, diff --git a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts index c4341228e5fbf..53ea311bb3819 100644 --- a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts +++ b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts 
@@ -677,6 +677,8 @@ export interface DomainProps { * If you enable logging for several domains, it may hit the quota and cause an error. * By setting this property to true, creating a resource policy is suppressed, allowing you to avoid this problem. * + * If you set this option to true, you must create a resource policy before deployment. + * * @see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html * * @default - false