Reputation: 21
I am trying to create an AWS ElasticSearch Domain (now AWS OpenSearch Service) with a CloudFormation template but am getting the error "Resource handler returned message: "null" (RequestToken: 90149a2b-10a1-2609-20e0-9e839731fc2f, HandlerErrorCode: InternalFailure)".
CloudFormation template:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  LogsLogGroup:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "/aws/aes/domains/domainName/application-logs"
  LogsLogGroup2:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "/aws/aes/domains/domainName/index-logs"
  LogsLogGroup3:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "/aws/aes/domains/domainName/search-logs"
  OpenSearchServiceDomain:
    Type: "AWS::OpenSearchService::Domain"
    DependsOn:
      - LogsLogGroup
      - LogsLogGroup2
      - LogsLogGroup3
    Properties:
      DomainName: "domainName"
      ClusterConfig:
        DedicatedMasterCount: 3
        DedicatedMasterEnabled: true
        DedicatedMasterType: "c4.large.search"
        InstanceCount: 2
        InstanceType: "c4.large.search"
        ZoneAwarenessEnabled: true
        ZoneAwarenessConfig:
          AvailabilityZoneCount: 2
        WarmEnabled: false
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              AWS: '*'
            Action: 'es:*'
            Resource: 'arn:aws:es:us-east-1:xxxxxxxxx:domain/domainName/*'
      VPCOptions:
        SecurityGroupIds:
          - !ImportValue "sg-xxxxxxxxx"
        SubnetIds:
          - !ImportValue "subnet-xxxxxxxxx"
          - !ImportValue "subnet-xxxxxxxxx"
          - !ImportValue "subnet-xxxxxxxxx"
      EncryptionAtRestOptions:
        Enabled: true
      NodeToNodeEncryptionOptions:
        Enabled: true
      AdvancedOptions:
        "rest.action.multi.allow_explicit_index": "true"
      EBSOptions:
        EBSEnabled: true
        VolumeType: "gp2"
        VolumeSize: 200
      LogPublishingOptions:
        ES_APPLICATION_LOGS:
          CloudWatchLogsLogGroupArn: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/aes/domains/domainName/application-logs"
          Enabled: true
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/aes/domains/domainName/index-logs"
          Enabled: true
        SEARCH_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/aes/domains/domainName/search-logs"
          Enabled: true
      DomainEndpointOptions:
        EnforceHTTPS: true
        TLSSecurityPolicy: "Policy-Min-TLS-1-0-2019-07"
      AdvancedSecurityOptions:
        Enabled: true
        InternalUserDatabaseEnabled: true
        MasterUserOptions:
          MasterUserName: "user"
          MasterUserPassword: "password"
```
Upvotes: 2
Views: 2524
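A variant of two settings in the template above, as an added example that is not part of the original post: the master password is generated in Secrets Manager and pulled in through a dynamic reference instead of being written into the template, and the endpoint's minimum TLS version is raised from 1.0 to 1.2. The `MasterUserSecret` resource and its logical name are assumptions; every other domain property stays as posted, and this change does not address the InternalFailure error.

```yaml
Resources:
  # Assumed helper resource (not in the posted template): a secret whose
  # JSON value holds the master user name and a generated password.
  MasterUserSecret:
    Type: "AWS::SecretsManager::Secret"
    Properties:
      Description: "Master user for the OpenSearch domain domainName"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "user"}'
        GenerateStringKey: "password"
        PasswordLength: 32

  OpenSearchServiceDomain:
    Type: "AWS::OpenSearchService::Domain"
    Properties:
      DomainName: "domainName"
      # ... ClusterConfig, VPCOptions, EBSOptions, encryption and logging
      # properties unchanged from the posted template ...
      DomainEndpointOptions:
        EnforceHTTPS: true
        # Posted value: "Policy-Min-TLS-1-0-2019-07" (accepts TLS 1.0 clients)
        TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
      AdvancedSecurityOptions:
        Enabled: true
        InternalUserDatabaseEnabled: true
        MasterUserOptions:
          # Posted values were literals ("user" / "password"), which end up in
          # the template file and anywhere the template is stored or shared.
          # The dynamic references below are resolved by CloudFormation at
          # deploy time; Ref on the secret returns its ARN.
          MasterUserName: !Sub "{{resolve:secretsmanager:${MasterUserSecret}:SecretString:username}}"
          MasterUserPassword: !Sub "{{resolve:secretsmanager:${MasterUserSecret}:SecretString:password}}"
```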
Reputation: 41
We had the same vague error. Adding the AmazonOpenSearchServiceFullAccess policy to the deploy user got us beyond it.
Upvotes: 3
Reputation: 11
Just an FYI - you don't need AccessPolicies if you're creating a VPC-based Domain, or you don't need Security Groups/Subnets if you're creating an Internet-based Domain.
AccessPolicies are only required for Internet-based Domains
VPCOptions are only required for VPC-based Domains
Upvotes: 0