aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(opensearch): opensearch creates custom resource even though resource policies are now supported #24992

Open pavanmr94 opened 1 year ago

pavanmr94 commented 1 year ago

Describe the bug

CloudWatch log groups support setting resource policies since 2019, so it's really time to remove the custom resources that set resource policies here: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts#L1502

Expected Behavior

no custom resource, direct setting of resource policy with

import { PolicyStatement, ServicePrincipal } from 'aws-cdk-lib/aws-iam';

// `log` is the existing logs.LogGroup used for the domain's slow logs.
// Setting the statement directly on the log group emits an
// AWS::Logs::ResourcePolicy instead of a custom resource plus Lambda.
log.addToResourcePolicy(
  new PolicyStatement({
    actions: ['logs:PutLogEvents', 'logs:CreateLogStream'],
    resources: [log.logGroupArn],
    principals: [new ServicePrincipal('es.amazonaws.com')],
  }),
);

Current Behavior

Creates custom resource

Reproduction Steps

create any slow logs

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.70.0

Framework Version

No response

Node.js Version

18

OS

AL2

Language

Typescript

Language Version

No response

Other information

No response

peterwoodworth commented 1 year ago

Thanks for calling this out, this sounds like a feature request to me since the core behavior still sounds like it works 🙂

pavanmr94 commented 1 year ago

Thanks for calling this out, this sounds like a feature request to me since the core behavior still sounds like it works 🙂

Yeah, I was kinda split on feature vs bug since this is an unexpected behavior. When I created a cluster recently, I saw random lambdas in the diff, and this throws off our CFN diff comparer each time we deploy.

keenangraham commented 1 year ago

Maybe as part of this the Domain construct could support sharing an existing resource policy instead of always trying to create a new one? Otherwise it's pretty easy to hit the ten Cloudwatch Logs resource policy limit per region e.g.: https://github.com/aws/aws-cdk/issues/23637
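A small audit of a synthesized template that flags the two things this thread raises, the custom-resource-backed log policies that surface as extra Lambdas in a diff, and how close a deploy gets to the ten-policies-per-region limit. This is an added example, not code from the issue or from the CDK project; it assumes that a CDK custom resource records its SDK call (service and action) as a JSON string inside its properties, and the template and resource type name below are constructed.

```python
import json
from typing import Dict, List

# Per-region cap on CloudWatch Logs resource policies that the thread mentions.
LOGS_RESOURCE_POLICY_LIMIT = 10


def custom_resource_log_policies(template: Dict) -> List[str]:
    # Logical IDs of Custom:: resources whose properties name putResourcePolicy.
    # Assumption: an AwsCustomResource serialises its SDK call (service/action)
    # as a JSON string in its properties, so a substring match finds it.
    hits = []
    for lid, res in template.get("Resources", {}).items():
        if str(res.get("Type", "")).startswith("Custom::") and \
                "putresourcepolicy" in json.dumps(res.get("Properties", {})).lower():
            hits.append(lid)
    return hits


def native_log_policies(template: Dict) -> List[str]:
    # Names of AWS::Logs::ResourcePolicy resources (the proposed replacement);
    # falls back to the logical ID when no PolicyName is set.
    return [res.get("Properties", {}).get("PolicyName", lid)
            for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::Logs::ResourcePolicy"]


def audit(template: Dict, existing_policy_names: List[str]) -> Dict:
    # existing_policy_names: what `aws logs describe-resource-policies` already
    # reports for the region. A native policy whose name already exists is an
    # update, not a new slot; each custom-resource policy is counted as new.
    custom = custom_resource_log_policies(template)
    native = native_log_policies(template)
    projected = len(set(existing_policy_names) | set(native)) + len(custom)
    return {"custom_resources": custom, "native_policies": native,
            "projected_total": projected,
            "over_limit": projected > LOGS_RESOURCE_POLICY_LIMIT}


# Constructed sample shaped like `cdk synth` output for a Domain with slow logs:
# a log group, the custom resource plus its Lambda, and one native policy.
SAMPLE_TEMPLATE = {"Resources": {
    "SlowSearchLogs": {"Type": "AWS::Logs::LogGroup", "Properties": {}},
    "LogPolicyProvider": {"Type": "AWS::Lambda::Function", "Properties": {}},
    "SlowLogsPolicy": {"Type": "Custom::ExampleLogResourcePolicy",  # constructed name
                       "Properties": {"Create": json.dumps(
                           {"service": "CloudWatchLogs", "action": "putResourcePolicy"})}},
    "SharedLogsPolicy": {"Type": "AWS::Logs::ResourcePolicy",
                         "Properties": {"PolicyName": "shared-opensearch-logs",
                                        "PolicyDocument": "{}"}},
}}
```

Run `audit(SAMPLE_TEMPLATE, names)` with the policy names already present in the region; a non-empty `custom_resources` list is the Lambda noise described above, and `over_limit` tells you whether the deploy would hit the regional cap.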