aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-opensearchservice: specify multiple subnets allowed in CDK, but fails in deployment #18449

Closed jdotw closed 2 years ago

jdotw commented 2 years ago

What is the problem?

The vpcSubnets property is defined as ec2.SubnetSelection[]. This indicates that an array of (i.e. multiple) subnets can be defined under the domain. However, specifying more than one subnet in that array results in a deployment failure: "You must specify exactly one subnet".

Reproduction Steps

const prodDomain = new opensearch.Domain(this, "Domain", {
  version: opensearch.EngineVersion.OPENSEARCH_1_0,
  capacity: {
    masterNodes: 2,
    masterNodeInstanceType: "t3.small.search",
    dataNodes: 1,
    dataNodeInstanceType: "t3.small.search",
  },
  ebs: {
    volumeSize: 20,
  },
  logging: {
    slowSearchLogEnabled: true,
    appLogEnabled: true,
    slowIndexLogEnabled: true,
  },
  enforceHttps: true,
  nodeToNodeEncryption: true,
  encryptionAtRest: {
    enabled: true,
  },
  fineGrainedAccessControl: {
    masterUserName: "master-user",
  },
  vpc: vpc.vpc,
  vpcSubnets: [
    {
      subnetType: ec2.SubnetType.PUBLIC,
    },
    {
      subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
    },
  ],
});

What did you expect to happen?

Successful deployment with domain in both public and private subnets.

What actually happened?

OpenSearchStack: creating CloudFormation changeset...
12:28:25 pm | CREATE_FAILED | AWS::OpenSearchService::Domain | Domain66AC69E0
Resource handler returned message: "Invalid request provided: You must specify exactly one subnet. (Service: OpenSearch, Status Code: 400, Request ID: 6b1452fe-fd0c-4a0c-bec7-75a3e3c7afed, Extended Request ID: null)" (RequestToken: 7f367a71-1ff4-a912-8f22-d9f8c3fbfc30, HandlerErrorCode: InvalidRequest)

CDK CLI Version

2.8.0 (build 8a5eb49)

Framework Version

No response

Node.js Version

v16.13.2

OS

macOS Monterey 12.1

Language

Typescript

Language Version

No response

Other information

No response

jdotw commented 2 years ago

Actually, even if you only supply a single subnet in the vpcSubnets array you get the same error ¯_(ツ)_/¯

peterwoodworth commented 2 years ago

Hey @jdotw,

You're only specifying the subnet types for your Vpc Subnets, so your Domain will have the total number of public and private subnets that your vpc has. So, even if you only specify one of these types, there could be multiple subnets that meet that criteria. Here are our docs on how SubnetSelection works

Additionally, you can have multiple subnets for a Domain! Specifically, you want the same number of subnets as AZs
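
An added example, not part of the thread and not aws-cdk-lib code: a self-contained TypeScript model of the resolution described in the comment above, where each type-based selection expands to every matching subnet in the VPC. The sample VPC, the function names and the rule that a domain without zone awareness takes exactly one subnet (inferred from the error text in the issue) are assumptions.

```typescript
// Constructed model of the behaviour discussed in this thread; not aws-cdk-lib code.
type SubnetType = "PUBLIC" | "PRIVATE_WITH_NAT" | "PRIVATE_ISOLATED";
interface Subnet { id: string; az: string; type: SubnetType }
// Mirrors two fields of ec2.SubnetSelection: subnetType and availabilityZones.
interface Selection { subnetType: SubnetType; availabilityZones?: string[] }
interface CheckResult { ok: boolean; subnetIds: string[]; reason: string }

// Constructed sample VPC: two AZs, one subnet of each type per AZ.
const sampleVpc: Subnet[] = [
  { id: "subnet-pub-a", az: "az-a", type: "PUBLIC" },
  { id: "subnet-pub-b", az: "az-b", type: "PUBLIC" },
  { id: "subnet-nat-a", az: "az-a", type: "PRIVATE_WITH_NAT" },
  { id: "subnet-nat-b", az: "az-b", type: "PRIVATE_WITH_NAT" },
  { id: "subnet-iso-a", az: "az-a", type: "PRIVATE_ISOLATED" },
  { id: "subnet-iso-b", az: "az-b", type: "PRIVATE_ISOLATED" },
];

// Each selection expands to every matching subnet; results are concatenated.
function resolveSubnets(vpc: Subnet[], selections: Selection[]): Subnet[] {
  const picked: Subnet[] = [];
  for (const sel of selections) {
    for (const s of vpc) {
      const azOk = !sel.availabilityZones || sel.availabilityZones.indexOf(s.az) !== -1;
      if (s.type === sel.subnetType && azOk) picked.push(s);
    }
  }
  return picked;
}

// azCount: number of AZs the domain spans; omit it when zone awareness is off,
// in which case exactly one subnet is expected (assumption, from the error text).
function checkDomainSubnets(vpc: Subnet[], selections: Selection[], azCount?: number): CheckResult {
  const picked = resolveSubnets(vpc, selections);
  const subnetIds = picked.map((s) => s.id);
  const expected = azCount === undefined ? 1 : azCount;
  if (picked.length !== expected) {
    return { ok: false, subnetIds, reason: `expected ${expected} subnet(s), selection resolved to ${picked.length}` };
  }
  const azs = picked.map((s) => s.az);
  const sharedAz = azs.some((az, i) => azs.indexOf(az) !== i);
  return sharedAz
    ? { ok: false, subnetIds, reason: "selected subnets share an availability zone" }
    : { ok: true, subnetIds, reason: "ok" };
}
```

In this model, narrowing a selection with availabilityZones, or declaring an AZ count that matches the number of resolved subnets, is what makes the check pass.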

github-actions[bot] commented 2 years ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.


starodubtsevconsulting commented 1 year ago

This is how to make it work, assuming you want to run your OpenSearch on isolated subnets:
vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_ISOLATED }]

It is 2023, CDK 2.x; maybe it did not work before with previous versions.