❯ cdk --version
1.122.0 (build ae09c16)

My definition looks like this:

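new DomainProps
            {
                // Engine and identity of the domain.
                Version = ElasticsearchVersion.V7_10,
                DomainName = domainName,

                // VPC-only domain: the endpoint is reachable only from inside the network, which is
                // the precondition for tolerating the AnyPrincipal access policy further down.
                Vpc = Context.Network.VPC,
                VpcSubnets = new SubnetSelection[]
                {
                    new SubnetSelection() { Subnets = subnets.ToArray() }
                },
                // NOTE(review): the service requires 2 or 3 AZs and DataNodes to be a multiple of the
                // AZ count; with DataNodes = 2 below this only deploys for exactly two subnets — TODO confirm.
                ZoneAwareness = new ZoneAwarenessConfig { Enabled = true, AvailabilityZoneCount = subnets.Count },

                // DESTROY removes the domain and all indexed data with the stack; keep this to
                // non-production segments.
                RemovalPolicy = RemovalPolicy.DESTROY,
                EnableVersionUpgrade = true,

                // Transport and storage protection.
                EnforceHttps = true,
                EncryptionAtRest = new EncryptionAtRestOptions
                {
                    Enabled = true,
                },
                Capacity = new CapacityConfig
                {
                    DataNodeInstanceType = "t3.medium.elasticsearch",
                    DataNodes = 2
                },

                // Resource (access) policy attached to the domain.
                //
                // Fix: the original wrote "${context.Scope.Region}" inside a C# interpolated string.
                // In C# the '$' before a brace is a literal character, so the ARN rendered as
                // "arn:aws:es:$<region>:$<account>:domain/..." and could never match the domain.
                //
                // The policy is opened to anonymous callers (AnyPrincipal) so unsigned requests from
                // inside the VPC succeed (the es:ESHttpGet denial in the question), but only for the
                // data-plane es:ESHttp* actions the client actually needs rather than es:*.
                // The resource pattern "domain/<name>/*" scopes it to this domain's sub-resources.
                //
                // NOTE(review): `context` (lower case) vs `Context` above — confirm both are in scope.
                AccessPolicies = new PolicyStatement[]
                {
                    new PolicyStatement(new PolicyStatementProps
                    {
                        Effect = Effect.ALLOW,
                        Principals = new IPrincipal[] { new AnyPrincipal() },
                        Actions = new string[] { "es:ESHttp*" },
                        Resources = new string[] { $"arn:aws:es:{context.Scope.Region}:{context.Scope.Account}:domain/{domainName}/*" }
                    })
                },

                // Network-level guard: only HTTPS (443) reaches the domain. The ingress rule names no
                // peer; presumably the AddSecurityGroup helper defaults it to the network CIDR — verify,
                // since together with AnyPrincipal this rule is the only thing limiting who can query.
                SecurityGroups = new ISecurityGroup[]
                {
                    Context.Network.AddSecurityGroup(new SecurityGroupInfo
                    {
                        Name = "ESAccess",
                        Props = new SecurityGroupProps
                        {
                            SecurityGroupName = $"{Context.SegmentName} ElasticSearch Access",
                            Description = "Allow https access to ES from within the network",
                            AllowAllOutbound = true
                        },
                        IngressRules = new IngressRule[]
                        {
                            new IngressRule { From = 443, Description = "Allow HTTPS Access" }
                        }
                    })
                }
            }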

And when I run it gives: Received response status [FAILED] from custom resource. Message returned: Unauthorized Operation: Elasticsearch must be authorised to describeSubnets

But when I remove the `AccessPolicies` property entirely, the deployment completes normally. Of course, my client then gets "User: anonymous is not authorized to perform: es:ESHttpGet", which is expected: without a resource policy on the domain, unsigned (anonymous) requests are denied.

What have I got to do to appease this beast?

Brandon Prudent
  • I saw the same problem on 2021-09-14. I re-ran `cdk deploy` later without changing anything and it worked. It was probably a transient problem on the IAM side, although AWS did not report any issues. – Alastair McCormack Sep 15 '21 at 11:02

1 Answer


I also encountered the same issue. It appears to have been a transient problem with the Elasticsearch service-linked role (SLR): when I retested on 2021-09-16 the deployment succeeded with no changes on my side. Before re-running, it is worth checking that the Elasticsearch service-linked role exists in the account (IAM → Roles) — the failing custom resource only runs when `AccessPolicies` is set on a VPC domain, and the "must be authorised to describeSubnets" message is consistent with that role being missing or not yet usable. See also the related GitHub issue (link not preserved here).

Mik Linson