feat(opensearch): add logic to only log specific field when less verbosity is needed for opensearch access policy custom resource (#34701)

### Issue # (if applicable)

Closes #29093 

### Reason for this change
Opensearch access policy defined via `OpenSearchAccessPolicy` (custom-resource) return failures in case of large policy documents, even if the policy change is successful

Issue comes for the CFN limit of 4k on the response size

### Description of changes
Added an optional parameter `verboseOutput` in `OpenSearchAccessPolicyProps` to allow users of the custom resource to optionally toggle on/off the verbose option : On turning it `false` only `["DomainConfig.AccessPolicies.Status.State", "DomainConfig.AccessPolicies.Status.UpdateVersion"]` are shown

***NOTE : Default behavior of verbose output is retained***


### Describe any new or updated permissions being added

NONE


### Description of how you validated changes
- Adding unit tests for the changes

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: kumvprat

packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.custom-kms-key.js.snapshot/OpenSearchCustomKmsIntegDefaultTestDeployAssertA1F4FD6B.assets.json

@@ -21,6 +21,14 @@ export interface OpenSearchAccessPolicyProps {
    * The access policy statements for the OpenSearch cluster
    */
   readonly accessPolicies: iam.PolicyStatement[];
+
+  /**
+   * Flag to control verbosity of OpenSearch policy custom resource result
+   * If verbose output is actively disabled it will only output specific fields
+   * This is can be used to limit the response body of the custom resource, in cases it exceeds the CFN 4k limit
+   * @default true
+   */
+  readonly verboseOutput?: boolean;
 }
 
 /**
@@ -47,7 +55,8 @@ export class OpenSearchAccessPolicy extends cr.AwsCustomResource {
           }),
         },
         // this is needed to limit the response body, otherwise it exceeds the CFN 4k limit
-        outputPaths: ['DomainConfig.AccessPolicies'],
+        // If verbose output is actively disabled it will only output specific fields
+        outputPaths: (props.verboseOutput === undefined || props.verboseOutput) ? ['DomainConfig.AccessPolicies'] : ['DomainConfig.AccessPolicies.Status.State', 'DomainConfig.AccessPolicies.Status.UpdateVersion'],
         physicalResourceId: cr.PhysicalResourceId.of(`${props.domainName}AccessPolicy`),
       },
       policy: cr.AwsCustomResourcePolicy.fromStatements([new iam.PolicyStatement({ actions: ['es:UpdateDomainConfig'], resources: [props.domainArn] })]),

packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.custom-kms-key.js.snapshot/OpenSearchCustomKmsIntegDefaultTestDeployAssertA1F4FD6B.template.json

@@ -118,3 +118,116 @@ test('support access policy added inline and later', () => {
     }),
   });
 });
+
+test('handling of verbose output via flag explicitly set', () => {
+  const domainArn = 'test:arn';
+
+  new OpenSearchAccessPolicy(stack, 'OpenSearchAccessPolicy', {
+    domainName: 'TestDomain',
+    domainArn: 'test:arn',
+    accessPolicies: [
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['es:ESHttp*'],
+        principals: [new iam.AnyPrincipal()],
+        resources: ['test:arn'],
+      }),
+    ],
+    verboseOutput: true,
+  });
+
+  Template.fromStack(stack).hasResourceProperties('Custom::OpenSearchAccessPolicy', {
+    ServiceToken: {
+      'Fn::GetAtt': [
+        'AWS679f53fac002430cb0da5b7982bd22872D164C4C',
+        'Arn',
+      ],
+    },
+    Create: JSON.stringify({
+      action: 'updateDomainConfig',
+      service: 'OpenSearch',
+      parameters: {
+        DomainName: 'TestDomain',
+        AccessPolicies: '{"Statement":[{"Action":"es:ESHttp*","Effect":"Allow","Principal":{"AWS":"*"},"Resource":"test:arn"}],"Version":"2012-10-17"}',
+      },
+      outputPaths: ['DomainConfig.AccessPolicies'],
+      physicalResourceId: { id: 'TestDomainAccessPolicy' },
+    }),
+    Update: JSON.stringify({
+      action: 'updateDomainConfig',
+      service: 'OpenSearch',
+      parameters: {
+        DomainName: 'TestDomain',
+        AccessPolicies: '{"Statement":[{"Action":"es:ESHttp*","Effect":"Allow","Principal":{"AWS":"*"},"Resource":"test:arn"}],"Version":"2012-10-17"}',
+      },
+      outputPaths: ['DomainConfig.AccessPolicies'],
+      physicalResourceId: { id: 'TestDomainAccessPolicy' },
+    }),
+  });
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [{
+        Action: 'es:UpdateDomainConfig',
+        Effect: 'Allow',
+        Resource: domainArn,
+      }],
+    },
+  });
+});
+
+test('handling of less verbose output', () => {
+  const domainArn = 'test:arn';
+
+  new OpenSearchAccessPolicy(stack, 'OpenSearchAccessPolicy', {
+    domainName: 'TestDomain',
+    domainArn: 'test:arn',
+    accessPolicies: [
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['es:ESHttp*'],
+        principals: [new iam.AnyPrincipal()],
+        resources: ['test:arn'],
+      }),
+    ],
+    verboseOutput: false,
+  });
+
+  Template.fromStack(stack).hasResourceProperties('Custom::OpenSearchAccessPolicy', {
+    ServiceToken: {
+      'Fn::GetAtt': [
+        'AWS679f53fac002430cb0da5b7982bd22872D164C4C',
+        'Arn',
+      ],
+    },
+    Create: JSON.stringify({
+      action: 'updateDomainConfig',
+      service: 'OpenSearch',
+      parameters: {
+        DomainName: 'TestDomain',
+        AccessPolicies: '{"Statement":[{"Action":"es:ESHttp*","Effect":"Allow","Principal":{"AWS":"*"},"Resource":"test:arn"}],"Version":"2012-10-17"}',
+      },
+      outputPaths: ['DomainConfig.AccessPolicies.Status.State', 'DomainConfig.AccessPolicies.Status.UpdateVersion'],
+      physicalResourceId: { id: 'TestDomainAccessPolicy' },
+    }),
+    Update: JSON.stringify({
+      action: 'updateDomainConfig',
+      service: 'OpenSearch',
+      parameters: {
+        DomainName: 'TestDomain',
+        AccessPolicies: '{"Statement":[{"Action":"es:ESHttp*","Effect":"Allow","Principal":{"AWS":"*"},"Resource":"test:arn"}],"Version":"2012-10-17"}',
+      },
+      outputPaths: ['DomainConfig.AccessPolicies.Status.State', 'DomainConfig.AccessPolicies.Status.UpdateVersion'],
+      physicalResourceId: { id: 'TestDomainAccessPolicy' },
+    }),
+  });
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [{
+        Action: 'es:UpdateDomainConfig',
+        Effect: 'Allow',
+        Resource: domainArn,
+      }],
+    },
+  });
+});
+