terraform-aws-modules / terraform-aws-opensearch

Terraform module to create AWS OpenSearch resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/opensearch/aws
Apache License 2.0

Access policy with custom input #24

Open oleksandrsv opened 1 week ago

oleksandrsv commented 1 week ago

Description

Hi, upon creating a new OS domain from scratch, I am unable to use a custom access policy.

Here is the code:

terraform {
  source = "tfr:///terraform-aws-modules/opensearch/aws?version=1.4.0"
}

inputs = {
  # create cluster or not
  create                = true
  create_security_group = false

  # Access policy
  access_policy_statements = [
    {
      effect = "Allow"

      principals = [{
        type        = "*"
        identifiers = ["*"]
      }]

      actions = ["es:*"]

      condition = [{
        test     = "IpAddress"
        variable = "aws:SourceIp"
        values   = ["127.0.0.1/32"]
      }]
    }
  ]
}

Here is the plan:

Terraform will perform the following actions:

  # aws_opensearch_domain_policy.this[0] will be created
  + resource "aws_opensearch_domain_policy" "this" {
      + access_policies = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "es:*"
                      + Effect    = "Allow"
                      + Principal = "*"
                      + Resource  = "arn:aws:es:eu-west-1:1234567890:domain/opensearch/*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + domain_name     = "opensearch"
      + id              = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Versions

Reproduction Code [Required]

If I edit code this way:

  create_access_policy = false

  access_policies = [
    {
      effect = "Allow"

      principals = [{
        type        = "*"
        identifiers = ["*"]
      }]

      actions = ["es:*"]

      condition = [{
        test     = "IpAddress"
        variable = "aws:SourceIp"
        values   = ["127.0.0.1/32"]
      }]
    }
  ]

Here is the plan:

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Steps to reproduce the behavior:

Expected behavior

I expect the custom IAM policy to be added to the OS domain.

Actual behavior

No IAM policy is added.

Terminal Output Screenshot(s)

Additional context
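
A review-time check for the outcome shown in the first plan above, where the planned policy allows es:* to Principal "*" and the IpAddress condition is absent. This is an added example, not part of the original issue or the module's code; it reads the JSON form of a plan (terraform show -json), and the function names, the sample plan and the Condition rendering in INTENDED are constructed for illustration.

```python
import json

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    # IAM renders "any principal" as "*" or as {"AWS": "*"} / {"AWS": ["*"]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False

def unconditioned_wildcard_statements(plan):
    """Return (address, statement) pairs that Allow any principal with no Condition."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_opensearch_domain_policy":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        raw = after.get("access_policies")
        if not raw:  # value unknown until apply, or resource is being destroyed
            continue
        for stmt in as_list(json.loads(raw).get("Statement", [])):
            if (stmt.get("Effect") == "Allow"
                    and is_wildcard_principal(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                findings.append((rc.get("address"), stmt))
    return findings

def sample_plan(statement):
    # Constructed input in the shape of `terraform show -json <planfile>`
    policy = {"Version": "2012-10-17", "Statement": [statement]}
    return {"resource_changes": [{
        "address": "aws_opensearch_domain_policy.this[0]",
        "type": "aws_opensearch_domain_policy",
        "change": {"actions": ["create"],
                   "after": {"domain_name": "opensearch",
                             "access_policies": json.dumps(policy)}},
    }]}

# RENDERED mirrors the statement in the plan output above; INTENDED adds the
# condition the configuration asked for (constructed rendering).
RENDERED = {"Action": "es:*", "Effect": "Allow", "Principal": "*",
            "Resource": "arn:aws:es:eu-west-1:1234567890:domain/opensearch/*"}
INTENDED = dict(RENDERED, Condition={"IpAddress": {"aws:SourceIp": "127.0.0.1/32"}})

if __name__ == "__main__":
    for address, stmt in unconditioned_wildcard_statements(sample_plan(RENDERED)):
        print(f"{address}: Allow {stmt['Action']} for any principal, no Condition")
```

Run against a real plan by loading the output of terraform show -json with json.load and failing the pipeline when the returned list is non-empty.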