terraform-aws-modules / terraform-aws-opensearch

Terraform module to create AWS OpenSearch resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/opensearch/aws
Apache License 2.0

can't use iam user as master_user_arn #18

Closed dim-ops closed 4 months ago

dim-ops commented 4 months ago

Description

I don't understand why this code doesn't work:

  advanced_security_options = {
    enabled                        = true
    anonymous_auth_enabled         = false
    internal_user_database_enabled = false

    master_user_options = {
      master_user_arn     = aws_iam_user.opensearch_cluster[each.key].arn
    }
  }

My error: creating OpenSearch Domain: ValidationException: If you don’t enable the internal user database, you must provide a master user ARN.

If I remove the master_user_options block, it works because my own user is used.

When I modify the module, replacing

  master_user_arn = try(master_user_options.value.master_user_arn, null) == null ? try(master_user_options.value.master_user_arn, data.aws_iam_session_context.current[0].issuer_arn) : null

with

  master_user_arn = master_user_options.value.master_user_arn

it works.


moritzzimmer commented 4 months ago

We face the same issue. At the moment it's not possible to specify a master_user_arn.

Example configuration:

  advanced_security_options = {
    enabled                        = true
    anonymous_auth_enabled         = false
    internal_user_database_enabled = false

    master_user_options = {
      master_user_arn = "arn:aws:iam::1234567890:role/My-Admin-Role"
    }
  }

As a workaround, we need to use the fallback data.aws_iam_session_context.current[0].issuer_arn to have at least one master user configured.

In general: what's the purpose behind using the current IAM source role as a fallback? Maybe it's sufficient to be able to provide a master_user_arn or use null? Still, it seems a change like #20 is needed.
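The behaviour both commenters describe follows from the module's conditional quoted above: `try(x, null) == null ? try(x, fallback) : null` evaluates to null whenever an ARN is supplied (the condition is false, so the `: null` branch is taken), and only yields the session-issuer fallback when the `master_user_arn` attribute is absent from the object altogether. As an added example, not the module's code or either commenter's, the following plain `aws_opensearch_domain` applies the precedence that was evidently intended: an explicitly supplied principal ARN wins, and the caller's session issuer is used only as a fallback. The variable name, domain name, engine version and instance sizing are assumptions for illustration.

```hcl
# Added example (not terraform-aws-modules/opensearch code): fine-grained access
# control with an IAM principal as master user, with the fallback ordering done
# the intended way. Names and sizes below are assumptions.

variable "master_user_arn" {
  description = "IAM user or role ARN to become the OpenSearch master user; null falls back to the caller's session issuer"
  type        = string
  default     = null
}

# Identity Terraform is running as. issuer_arn resolves an assumed-role session
# ARN back to the underlying role ARN, which is what the module used as its fallback.
data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
  arn = data.aws_caller_identity.current.arn
}

locals {
  # coalesce() returns the first non-null argument, so a supplied ARN is used
  # as-is and the session issuer is only consulted when var.master_user_arn is null.
  # The original module expression had this inverted and returned null whenever
  # an ARN was supplied, which is exactly the ValidationException in this issue.
  master_user_arn = coalesce(var.master_user_arn, data.aws_iam_session_context.current.issuer_arn)
}

resource "aws_opensearch_domain" "example" {
  domain_name    = "example-fgac"     # assumption
  engine_version = "OpenSearch_2.11"  # assumption

  cluster_config {
    instance_type = "t3.small.search" # assumption; must support encryption at rest
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  # Fine-grained access control requires node-to-node encryption,
  # encryption at rest and an HTTPS-only endpoint.
  node_to_node_encryption {
    enabled = true
  }

  encrypt_at_rest {
    enabled = true
  }

  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  advanced_security_options {
    enabled                        = true
    anonymous_auth_enabled         = false
    internal_user_database_enabled = false

    # With the internal user database disabled, AWS requires master_user_arn
    # to be set; local.master_user_arn is never null here.
    master_user_options {
      master_user_arn = local.master_user_arn
    }
  }
}
```

Running `terraform plan` with `-var master_user_arn=arn:aws:iam::<account>:role/<role>` shows the supplied role in `master_user_options`; omitting the variable shows the session issuer instead. If you later switch to `internal_user_database_enabled = true`, drop `master_user_arn` and set `master_user_name`/`master_user_password` instead, since the two modes are mutually exclusive.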

antonbabenko commented 4 months ago

This issue has been resolved in version 1.3.1 :tada:
