phillbaker / terraform-provider-elasticsearch

An elasticsearch provider for terraform
https://registry.terraform.io/providers/phillbaker/elasticsearch
Mozilla Public License 2.0

Failed to create OpenDistroRole: HTTP 403 Forbidden #285

Closed hkilicer closed 2 years ago

hkilicer commented 2 years ago

Hello, when I try to create any type of resource, I get: Failed to create OpenDistroRole: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.

Terraform Version is 1.1.7
AWS Provider version is hashicorp/aws v4.17.1
ElasticSearch provider version is phillbaker/elasticsearch v2.0.2

I've built an OpenSearch cluster with the official AWS provider, and everything is functioning well cluster-wise. I just want to create a simple index with the elasticsearch provider as a part of automation.

I tried to use the assume_role and user/password authentication methods, but no luck.

Assume role policy:

statement {
  sid     = "StatementOpenSearch"
  effect  = "Allow"
  actions = ["sts:AssumeRole"]

  principals {
    type = "AWS"
    identifiers = [
      "arn:aws:iam::<aws_account_id>:user/my_user"
    ]
  }

  principals {
    type = "Service"
    identifiers = [
      "sts.amazonaws.com",
      "opensearchservice.amazonaws.com"
    ]
  }
}

Provider Config:

provider "elasticsearch" {
  url = "https://vpc-<domain>.us-west-2.es.amazonaws.com"
  #aws_assume_role_arn = "arn:aws:iam::<account-id>:role/my-role"
  username    = var.user_name
  password    = var.user_password
  aws_region  = var.aws_region
  healthcheck = false
}

Also, fine-grained access control is enabled, and I can log in to the system with the master user credentials that I used in the provider section above.

Please lemme know if I'm missing something here, thanks.

phillbaker commented 2 years ago

@hkilicer can you please include the following:

If the OpenSearch cluster has a domain access policy or other security configured, AWS's documentation is the most helpful guide: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html. This provider is an interface to those resources.

phillbaker commented 2 years ago

I'm going to close this issue as no further information was provided. Please re-open if a reproducible test case can be provided.