terraform-aws-modules/terraform-aws-opensearch

Access policy with custom input

Closed this issue · 3 comments

Description

Hi, upon creating a new OS domain from scratch I am unable to use a custom access policy.

Here is the code:

terraform {
  source = "tfr:///terraform-aws-modules/opensearch/aws?version=1.4.0"
}

inputs = {
  # create cluster or no
  create                = true
  create_security_group = false

  # Access policy
  access_policy_statements = [
    {
      effect = "Allow"

      principals = [{
        type        = "*"
        identifiers = ["*"]
      }]

      actions = ["es:*"]

      condition = [{
        test     = "IpAddress"
        variable = "aws:SourceIp"
        values   = ["127.0.0.1/32"]
      }]
    }
  ]
}

Here is the plan:

Terraform will perform the following actions:

  # aws_opensearch_domain_policy.this[0] will be created
  + resource "aws_opensearch_domain_policy" "this" {
      + access_policies = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "es:*"
                      + Effect    = "Allow"
                      + Principal = "*"
                      + Resource  = "arn:aws:es:eu-west-1:1234567890:domain/opensearch/*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + domain_name     = "opensearch"
      + id              = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Versions

  • Module version [Required]:

  • Terraform version:
    Terraform v1.5.1
    on darwin_amd64

  • Provider version(s):
    provider registry.terraform.io/hashicorp/aws v5.65.0

Reproduction Code [Required]

If I edit code this way:

  create_access_policy  = false

  access_policies = [
    {
      effect = "Allow"

      principals = [{
        type        = "*"
        identifiers = ["*"]
      }]

      actions = ["es:*"]

      condition = [{
        test     = "IpAddress"
        variable = "aws:SourceIp"
        values   = ["127.0.0.1/32"]
      }]
    }
  ]

Here is the plan:

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Expected behavior

I expect the custom IAM policy to be added to the OS domain.

Actual behavior

No IAM policy is added

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

This issue was automatically closed because of stale in 10 days

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.