Open vavdoshka opened 2 years ago
Hi @vavdoshka ,
As you have correctly noticed, this behaviour is related to the issue in the Terraform AWS provider. That is noted in the comment left in the code. Once the issue is solved, it will be possible to remove the workaround.
If I understood correctly, everything works until you delete the auto-created app client?
I've elaborated on the issue here
There is actually no way to automate the full flow because OpenSearch relies on the Application Client ID and Secret, which it gets from the application client it creates itself.
If you follow the instructions in the README you will have the deployment done in an automated way, without manual intervention.
This is precisely what I did, and that was very helpful.
But as soon as one removes the autogenerated application client, the authentication does not work anymore, which makes the point that the custom application client (https://github.com/aws-samples/opensearch-in-vpc/blob/849d9aebd6f56aaae4f8c1865e53f613633abc59/opensearch-in-vpc-module/opensearch.tf#L72-L87) is just useless; nothing is using it. When one removes it, basically nothing will change; the app authentication will keep working intact.
I'm trying this but am getting this error; any clue? Thanks in advance!
module.opensearch_example.aws_elasticsearch_domain.aos (local-exec): Error parsing parameter '--callback-urls': Unable to retrieve https://XXXXXXXX.REGION.XX.amazonaws.com/_plugin/kibana/app/kibana: received non 200 status code of 302
Thanks for this sample. What I found during testing is that the custom app client
${var.aos_domain_name}-opensearch
does not seem to be used by OpenSearch; OpenSearch still relies on the auto-created client app. This is because in the OAuth flow a server needs to store the client ID and client secret to use these in redirect queries, and that is what happens behind the scenes when OpenSearch creates the client app. It takes the generated client ID and secret and stores them in the cluster somewhere; I have no clue where actually. A simple test is to remove the auto-created app client; then the whole authentication is broken, and the domain as well, because there is no way to set the client ID and secret through the console or API.
I've elaborated a bit in this comment: https://github.com/hashicorp/terraform-provider-aws/issues/5557#issuecomment-1193120014