cloudposse / terraform-aws-elasticsearch

Terraform module to provision an Elasticsearch cluster with built-in integrations with Kibana and Logstash.
https://cloudposse.com/accelerate
Apache License 2.0

Domain Policy is always changed #179

Open digitalkaoz opened 6 months ago

digitalkaoz commented 6 months ago

Describe the Bug

Terraform will perform the following actions:

  # module.elasticsearch.aws_elasticsearch_domain_policy.default[0] will be updated in-place
  ~ resource "aws_elasticsearch_domain_policy" "default" {
      ~ access_policies = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      + Sid       = "User"
                        # (4 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id              = "esd-policy-REDACTED-objects"
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

When I apply this change and plan again, I see the same change above again.

Expected Behavior

No stack changes are detected.

Steps to Reproduce

Simply use this module with an iam_role_arn:

module "elasticsearch" {
  source    = "cloudposse/elasticsearch/aws"
  namespace = var.project
  stage     = var.environment
  name      = var.name
  #environment = var.environment

  security_groups        = []
  vpc_enabled            = var.use_vpc
  vpc_id                 = var.use_vpc ? data.aws_vpc.env.id : null
  subnet_ids             = var.use_vpc ? [one(data.aws_subnets.private.ids)] : [one(data.aws_subnets.public.ids)]
  zone_awareness_enabled = false

  elasticsearch_version = "OpenSearch_2.11"
  instance_type         = var.es["type"]
  instance_count        = var.es["instances"]
  ebs_volume_size       = var.es["volume"]

  iam_role_arns        = ["arn:aws:iam::${data.aws_caller_identity.self.account_id}:root"]
  iam_actions          = ["es:*"]
  aws_ec2_service_name = ["ec2.amazonaws.com", "lambda.amazonaws.com"]

  encrypt_at_rest_enabled         = true
  node_to_node_encryption_enabled = true

  dns_zone_id                                 = data.aws_route53_zone.base.id
  kibana_hostname_enabled                     = var.es["kibana"] != ""
  kibana_subdomain_name                       = var.es["kibana"] != "" ? var.es["kibana"] : null
  custom_endpoint_enabled                     = var.es["domain"] != ""
  custom_endpoint                             = "${var.es["domain"]}.${var.domain}"
  custom_endpoint_certificate_arn             = data.aws_acm_certificate.cert.arn
  domain_endpoint_options_enforce_https       = true
  domain_endpoint_options_tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  cognito_authentication_enabled              = true
  cognito_iam_role_arn                        = aws_iam_role.es_service_role.arn
  cognito_identity_pool_id                    = var.cognito["identity_pool_id"]
  cognito_user_pool_id                        = var.cognito["user_pool_id"]

  #advanced_security_options_enabled = true # would force a destroy but is required for audit_logs
  log_publishing_application_enabled                  = true
  log_publishing_application_cloudwatch_log_group_arn = aws_cloudwatch_log_group.app_logs.arn
  log_publishing_search_enabled                       = true
  log_publishing_search_cloudwatch_log_group_arn      = aws_cloudwatch_log_group.slow_logs.arn
  #log_publishing_audit_enabled                        = true
  #log_publishing_audit_cloudwatch_log_group_arn       = aws_cloudwatch_log_group.audit_logs.arn
  log_publishing_index_enabled                        = true
  log_publishing_index_cloudwatch_log_group_arn       = aws_cloudwatch_log_group.slow_logs.arn

  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
    "override_main_response_version" = "true"
  }

  tags = local.tags
}

Screenshots

No response

Environment

❯ terraform --version
Terraform v1.6.4
on darwin_arm64

Additional Context

No response
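The plan above shows Terraform diffing access_policies as an encoded string, so a statement that differs only in its Sid is reported as a change on every plan. Before accepting or suppressing such a perpetual diff on a domain access policy, a practitioner wants to confirm that it is cosmetic and does not widen who may call the domain. The script below is an added example, not code from this issue or from the cloudposse module: it parses two policy documents, strips metadata keys (Sid), normalizes string-versus-list fields, and classifies the difference as "none", "metadata" or "permissions". The three policy documents in it are constructed for the example (placeholder account 123456789012, region eu-central-1, domain "example"); they are not the redacted policy from the report, and the planned document simply adds the Sid "User" that the plan output shows.

```python
"""Classify a diff between a stored and a planned IAM-style policy.

Added example (not part of the issue or the module). Assumed inputs are
JSON policy documents such as the access_policies of an OpenSearch /
Elasticsearch domain; the sample documents below are constructed.
"""
import json
from typing import Any, Dict, List, Union

Policy = Union[str, dict]

# Statement keys that only label a statement and never change what it permits.
METADATA_KEYS = frozenset({"Sid"})
# Statement keys that IAM accepts either as a single string or as a list.
LIST_KEYS = frozenset({"Action", "NotAction", "Resource", "NotResource"})


def _load(doc: Policy) -> dict:
    return json.loads(doc) if isinstance(doc, str) else doc


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def canonical_statement(stmt: dict) -> dict:
    """Drop metadata keys and normalize scalar/list fields so that two
    statements granting the same thing compare equal."""
    out: Dict[str, Any] = {}
    for key, value in stmt.items():
        if key in METADATA_KEYS:
            continue
        if key in LIST_KEYS:
            out[key] = sorted(_as_list(value))
        elif key in ("Principal", "NotPrincipal") and isinstance(value, dict):
            out[key] = {k: sorted(_as_list(v)) for k, v in value.items()}
        else:
            out[key] = value
    return out


def canonical_statements(doc: Policy) -> List[dict]:
    stmts = [canonical_statement(s) for s in _as_list(_load(doc).get("Statement", []))]
    return sorted(stmts, key=lambda s: json.dumps(s, sort_keys=True))


def classify_change(stored: Policy, planned: Policy) -> str:
    """'none': identical after JSON parsing; 'metadata': only Sid or
    string/list shape differs; 'permissions': a grant actually changed."""
    if _load(stored) == _load(planned):
        return "none"
    if canonical_statements(stored) == canonical_statements(planned):
        return "metadata"
    return "permissions"


def permission_changes(stored: Policy, planned: Policy) -> Dict[str, List[dict]]:
    """Statements (in canonical form) removed from or added to the policy."""
    old, new = canonical_statements(stored), canonical_statements(planned)
    return {
        "removed": [s for s in old if s not in new],
        "added": [s for s in new if s not in old],
    }


# Constructed sample documents (placeholder account, region and domain name).
_DOMAIN = "arn:aws:es:eu-central-1:123456789012:domain/example/*"
_ROOT = "arn:aws:iam::123456789012:root"

# What the API hands back: no Sid, scalar fields.
STORED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": _ROOT},
                   "Action": "es:*", "Resource": _DOMAIN}],
})

# What the plan wants to write: same grant, plus Sid and list-shaped fields.
PLANNED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "User", "Effect": "Allow", "Principal": {"AWS": [_ROOT]},
                   "Action": ["es:*"], "Resource": [_DOMAIN]}],
})

# A change that must never be waved through as "just the Sid": anonymous access.
WIDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "User", "Effect": "Allow", "Principal": "*",
                   "Action": ["es:*"], "Resource": [_DOMAIN]}],
})

if __name__ == "__main__":
    print("stored vs planned :", classify_change(STORED_POLICY, PLANNED_POLICY))
    print("stored vs widened :", classify_change(STORED_POLICY, WIDENED_POLICY))
    print(json.dumps(permission_changes(STORED_POLICY, WIDENED_POLICY), indent=2))
```

Run it against the policy Terraform has in state (terraform show -json) and the one it plans to write; a "metadata" result is the evidence that the perpetual diff can be ignored or lifecycle-ignored, while a "permissions" result means the diff is real and the ignore_changes shortcut would hide an access change.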