terraform-aws-elasticsearch
If no conditions are specified, the Domain Policy will prevent any connection
From AWS Console, there's a way to set "Only use fine-grained access control: Allow open access to the domain."
That's useful for instances that are deployed within a VPC, protected by Security Group rules and fine-grained controls. Today if we take away all IAM roles to be authorized (even if not used), an empty policy is created, essentially blacklisting any connection:
https://github.com/cloudposse/terraform-aws-elasticsearch/blob/9f3dd591f024d2192544d719737effb7cda19a66/main.tf#L218-L219
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}
I was thinking of introducing a flag that matches the behavior in the AWS Console to create a basic, permissive policy like the one automatically provisioned.
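A sketch of how such a flag could be wired, added here as an illustration; it is not part of the original issue and not the module's code. All variable names (`open_access`, `fgac_enabled`, `iam_role_arns`, `domain_arn`, `domain_name`) are hypothetical, and the permissive statement assumes the domain sits in a VPC behind Security Group rules with fine-grained access control enabled, as the issue describes.

```hcl
# Added example: every variable name here is hypothetical, not the module's.
variable "domain_name" { type = string }
variable "domain_arn" { type = string }
variable "iam_role_arns" { type = list(string) }
variable "fgac_enabled" { type = bool } # fine-grained access control is on
variable "open_access" { type = bool }  # the proposed flag

data "aws_iam_policy_document" "domain" {
  # Scoped statement: emitted only when explicit principals are supplied.
  dynamic "statement" {
    for_each = length(var.iam_role_arns) > 0 ? [1] : []
    content {
      effect    = "Allow"
      actions   = ["es:ESHttp*"]
      resources = ["${var.domain_arn}/*"]
      principals {
        type        = "AWS"
        identifiers = var.iam_role_arns
      }
    }
  }
  # Console-style open statement: emitted only when no roles are listed
  # and the flag is set, so authorization is left to fine-grained controls.
  dynamic "statement" {
    for_each = var.open_access && length(var.iam_role_arns) == 0 ? [1] : []
    content {
      effect    = "Allow"
      actions   = ["es:*"]
      resources = ["${var.domain_arn}/*"]
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
    }
  }
}

resource "aws_elasticsearch_domain_policy" "this" {
  # Never attach a policy with zero statements.
  count           = var.open_access || length(var.iam_role_arns) > 0 ? 1 : 0
  domain_name     = var.domain_name
  access_policies = data.aws_iam_policy_document.domain.json
  lifecycle {
    precondition { # requires Terraform 1.2 or later
      condition     = !var.open_access || var.fgac_enabled
      error_message = "open_access requires fine-grained access control to be enabled."
    }
  }
}
```

The precondition makes the plan fail if the open statement is requested without fine-grained access control, so the permissive policy cannot be applied to a domain that has no other authorization layer.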