cloudposse/terraform-aws-elasticsearch

If no conditions are specified, the Domain Policy will prevent any connection

Opened this issue · 0 comments

From the AWS Console, there's a way to set:

- Only use fine-grained access control
- Allow open access to the domain.

That's useful for instances that are deployed within a VPC, protected by Security Group rules and fine-grained controls. Today if we take away all IAM roles to be authorized (even if not used), an empty policy is created, essentially blacklisting any connection:

```hcl
data "aws_iam_policy_document" "default" {
  count = module.this.enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
  # ... (rest of the policy document omitted in the issue)
}
```

```json
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}
```

I was thinking of introducing a flag that matches the behavior in the AWS Console to create a basic, permissive policy like the one automatically provisioned.
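One way the proposed flag could be wired into the policy document, as an added example rather than the module's own code. It assumes a hypothetical boolean input `allow_open_access`, reuses the page's `module.this.enabled`, `var.iam_role_arns` and `var.iam_authorizing_role_arns`, and builds the domain ARN from a hypothetical `var.domain_name`; the open statement mirrors what the console's "Allow open access to the domain" choice provisions, so it only makes sense for a VPC-placed domain with fine-grained access control enabled.

```hcl
# Hypothetical flag mirroring the console's "Allow open access" option.
variable "allow_open_access" {
  type    = bool
  default = false
}

# Hypothetical input used only to construct the domain ARN below.
variable "domain_name" {
  type = string
}

data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  has_role_principals = length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0
  # Create a policy when roles are given OR when open access is explicitly requested,
  # so the domain never ends up with the empty, all-denying default policy.
  create_policy = module.this.enabled && (local.has_role_principals || var.allow_open_access)
  domain_arn    = "arn:${data.aws_partition.current.partition}:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.domain_name}"
}

data "aws_iam_policy_document" "default" {
  count = local.create_policy ? 1 : 0

  # Existing behaviour: grant only the supplied IAM role ARNs.
  dynamic "statement" {
    for_each = local.has_role_principals ? [1] : []
    content {
      effect    = "Allow"
      actions   = ["es:*"]
      resources = ["${local.domain_arn}/*"]
      principals {
        type        = "AWS"
        identifiers = distinct(compact(concat(var.iam_role_arns, var.iam_authorizing_role_arns)))
      }
    }
  }

  # Open-access statement: anonymous principal, relying on the VPC security group
  # and fine-grained access control for authorization.
  dynamic "statement" {
    for_each = var.allow_open_access && !local.has_role_principals ? [1] : []
    content {
      effect    = "Allow"
      actions   = ["es:*"]
      resources = ["${local.domain_arn}/*"]
      principals {
        type        = "*"
        identifiers = ["*"]
      }
    }
  }
}
```

With `allow_open_access = true` and no role ARNs, `terraform plan` should render a single statement whose `Principal` is `"*"`; with role ARNs present the flag is ignored and only the role statement is emitted.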