Missing dependency between domain and access policy resources
Closed this issue · 5 comments
While troubleshooting a domain permission error, I found out the missing dependency was the root cause.
terraform-aws-opensearch/main.tf, line 266 in f479250
The problem is exhibited when creating a cluster from scratch with the variables set as follows:

```hcl
create_access_policy = true
access_policy_statements = {
  iam = {
    principals = [
      {
        type        = "AWS"
        identifiers = ["*"]
      }
    ]
    actions = ["es:ESHttp*"]
  }
}
```
My best guess is `aws_opensearch_domain_policy.this[0]` is changed while `aws_opensearch_domain.this[0]` is still being changed.
What exactly is the issue or the error that you are receiving?
Terraform code:

```hcl
...
enable_access_policy = true
# Access policy
access_policy_statements = [
  {
    effect = "Allow"
    principals = [{
      type        = "*"
      identifiers = ["*"]
    }]
    actions = ["es:*"]
    condition = [{
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = ["127.0.0.1/32"]
    }]
  }
]
...
```
Terraform apply output:

```text
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.opensearch.module.opensearch.aws_opensearch_domain_policy.this[0] will be created
  + resource "aws_opensearch_domain_policy" "this" {
      + access_policies = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "es:*"
                      + Effect    = "Allow"
                      + Principal = "*"
                      + Resource  = "arn:aws:es:eu-central-1:11*******03:domain/opensearch-domain/*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + domain_name     = "opensearch-domain"
      + id              = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.opensearch.module.opensearch.aws_opensearch_domain_policy.this[0]: Creating...
╷
│ Error: updating OpenSearch Domain Policy (): ValidationException: Apply a restrictive access policy to your domain
│
│   with module.opensearch.module.opensearch.aws_opensearch_domain_policy.this[0],
│   on .terraform/modules/opensearch.opensearch/main.tf line 263, in resource "aws_opensearch_domain_policy" "this":
│  263: resource "aws_opensearch_domain_policy" "this" {
```
The problem is in the local `create_access_policy` variable rule. It requires the `access_policy_override_policy_documents` and `access_policy_source_policy_documents` variables.
Thanks!
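As an added example, not code from the module or from either commenter: a standalone domain policy that pins the ordering against the domain resource and keeps the `aws:SourceIp` condition that is missing from the rendered document in the plan above (an anonymous `"*"` principal with no condition is what the `Apply a restrictive access policy` rejection points at). The resource name `aws_opensearch_domain.this`, the variable `allowed_cidrs` and its CIDR value are assumptions.

```hcl
# Added example (not the module's code). Assumes a domain resource named
# aws_opensearch_domain.this exists in this configuration and that
# var.allowed_cidrs lists the client networks allowed to reach it.
variable "allowed_cidrs" {
  type    = list(string)
  default = ["203.0.113.0/24"] # constructed placeholder range
}

data "aws_iam_policy_document" "domain" {
  statement {
    effect  = "Allow"
    actions = ["es:ESHttp*"]
    # Scope to this domain's ARN only, never a bare "*".
    resources = ["${aws_opensearch_domain.this.arn}/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # Without this block the rendered JSON matches the plan above
    # (Principal "*", no Condition), which AWS rejects as too open.
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = var.allowed_cidrs
    }
  }
}

resource "aws_opensearch_domain_policy" "this" {
  domain_name     = aws_opensearch_domain.this.domain_name
  access_policies = data.aws_iam_policy_document.domain.json

  # Referencing the domain attribute above already creates an implicit
  # dependency; depends_on keeps the ordering explicit even if domain_name
  # is later sourced from a variable, so the policy is never applied while
  # the domain is still being created or modified.
  depends_on = [aws_opensearch_domain.this]
}
```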
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days.
This issue was automatically closed because it was stale for 10 days.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.