[Enhancement]: Validate OpenSearch Serverless JSON arguments

[jar-b]

Description

The OpenSearch Serverless access policy and security policy resources currently only validate length limits for their respective policy arguments. Confirming the string is valid JSON and contains no duplicate keys could produce improved error messaging for practitioners.

terraform-provider-aws/internal/service/opensearchserverless/access_policy.go

Lines 78 to 83 in c611551

	"policy": schema.StringAttribute{
	Required: true,
	Validators: []validator.String{
	stringvalidator.LengthBetween(1, 20480),
	},
	},

terraform-provider-aws/internal/service/opensearchserverless/security_policy.go

Lines 78 to 83 in c611551

	"policy": schema.StringAttribute{
	Required: true,
	Validators: []validator.String{
	stringvalidator.LengthBetween(1, 20480),
	},
	},

Affected Resource(s) and/or Data Source(s)

• aws_opensearchserverless_access_policy
• aws_opensearchserverless_security_policy

Potential Terraform Configuration

No response

References

Relates #33026

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[jar-b]

Worth noting that unlike the JSON arguments in the iam package, these policy values are sent directly to the AWS API as-is rather than being normalized to suppress differences. Assuming AWS detects duplicate keys this enhancement wouldn't add new security, simply a cleaner provider-generated message when invalid values are provided.

terraform-provider-aws/internal/service/opensearchserverless/security_policy.go

Line 114 in c611551

Policy: aws.String(plan.Policy.ValueString()),

terraform-provider-aws/internal/service/opensearchserverless/security_policy.go

Lines 256 to 264 in c611551

	policyBytes, err := out.Policy.MarshalSmithyDocument()
	if err != nil {
	diags.AddError(fmt.Sprintf("refreshing state for Security Policy (%s)", rd.Name), err.Error())
	return diags
	}
	p := string(policyBytes)
	rd.Policy = flex.StringToFramework(ctx, &p)