fix: fail creation when master password unavailable for FGAC mapping

Previously, if the master password couldn't be retrieved from Secrets
Manager and wasn't provided via --opensearch-password, FGAC mapping
was silently skipped. This left the domain without proper role mappings,
causing PPL permission errors.

Now:
- Creation fails with a clear error if no password is available
- --opensearch-password is required upfront when reusing an existing domain

Signed-off-by: Kyle Hounslow <kylhouns@amazon.com>

Author: kylehounslow

aws/cli-installer/src/aws.mjs

@@ -287,9 +287,9 @@ export async function mapOsiRoleInDomain(cfg) {
     try {
       masterPass = await getMasterPassword(cfg.region, cfg.pipelineName);
     } catch (e) {
-      printWarning('No master password available. Provide --opensearch-password when reusing an existing domain.');
-      printInfo('FGAC mapping skipped. You may need to manually map IAM roles in OpenSearch Security.');
-      return;
+      printError('No master password available.');
+      printInfo('Provide --opensearch-password to supply the domain master password.');
+      throw new Error('FGAC mapping requires a master password. Cannot continue.');
     }
   }
 

aws/cli-installer/src/cli.mjs

@@ -207,6 +207,9 @@ export function validateConfig(cfg) {
   if (cfg.osAction === 'reuse' && !cfg.opensearchEndpoint) {
     errors.push('--opensearch-endpoint required when reusing OpenSearch');
   }
+  if (cfg.osAction === 'reuse' && !cfg.opensearchPassword) {
+    errors.push('--opensearch-password required when reusing an existing OpenSearch domain (needed for FGAC mapping)');
+  }
   if (cfg.iamAction === 'reuse' && !cfg.iamRoleArn) {
     errors.push('--iam-role-arn required when reusing IAM role');
   }