terraform-aws-modules / terraform-aws-opensearch

Terraform module to create AWS OpenSearch resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/opensearch/aws
Apache License 2.0

Missing dependency between domain and access policy resources #8

Closed ohmer closed 5 months ago

ohmer commented 6 months ago

While troubleshooting a domain permission error, I found out the missing dependency was the root cause.

https://github.com/terraform-aws-modules/terraform-aws-opensearch/blob/f4792509f652f8c085cdcdf3c9b576d6588bc8ca/main.tf#L266

The problem is exhibited when creating a cluster from scratch with the variables set as follows:

create_access_policy = true

access_policy_statements = {
  iam = {
    principals = [
      {
        type        = "AWS"
        identifiers = ["*"]
      }
    ]
    actions = ["es:ESHttp*"]
  }
}

My best guess is aws_opensearch_domain_policy.this[0] is changed while aws_opensearch_domain.this[0] is still being changed.

bryantbiggs commented 6 months ago

what exactly is the issue or the error that you are receiving?

oleksiikhoriev commented 6 months ago

Terraform code:

...
  enable_access_policy = true
  # Access policy
  access_policy_statements = [
    {
      effect = "Allow"

      principals = [{
        type        = "*"
        identifiers = ["*"]
      }]

      actions = ["es:*"]

      condition = [{
        test     = "IpAddress"
        variable = "aws:SourceIp"
        values   = ["127.0.0.1/32"]
      }]
    }
  ]
...

Terraform apply output:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.opensearch.module.opensearch.aws_opensearch_domain_policy.this[0] will be created
  + resource "aws_opensearch_domain_policy" "this" {
      + access_policies = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "es:*"
                      + Effect    = "Allow"
                      + Principal = "*"
                      + Resource  = "arn:aws:es:eu-central-1:11*******03:domain/opensearch-domain/*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + domain_name     = "opensearch-domain"
      + id              = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.opensearch.module.opensearch.aws_opensearch_domain_policy.this[0]: Creating...
╷
│ Error: updating OpenSearch Domain Policy (): ValidationException: Apply a restrictive access policy to your domain
│
│   with module.opensearch.module.opensearch.aws_opensearch_domain_policy.this[0],
│   on .terraform/modules/opensearch.opensearch/main.tf line 263, in resource "aws_opensearch_domain_policy" "this":
│  263: resource "aws_opensearch_domain_policy" "this" {

The problem is in the local create_access_policy variable rule. It requires the access_policy_override_policy_documents and access_policy_source_policy_documents variables.

Thanks!
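The plan output above shows what the domain policy AWS refused actually contained: an Allow statement with Principal "*" and no Condition, even though the Terraform input carried an aws:SourceIp condition. The following checker is an added example, not code from this issue thread or from the terraform-aws-opensearch module. It approximates the service-side validation that produces "Apply a restrictive access policy to your domain" by flagging Allow statements that grant anonymous access without any Condition, and shows the restricted form alongside the open one. The account ID and CIDR in it are constructed placeholders.

```python
# Added example (not from the issue thread or the terraform-aws-opensearch
# module). Flags OpenSearch domain access-policy statements that allow
# anonymous access with no Condition, and produces a restricted variant.
import copy
import json

# Constructed policy mirroring the shape of the one in the plan output:
# Allow, Principal "*", es:*, no Condition. The account ID is a placeholder.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "es:*",
            "Effect": "Allow",
            "Principal": "*",
            "Resource": "arn:aws:es:eu-central-1:123456789012:domain/opensearch-domain/*",
        }
    ],
}


def _as_list(value):
    """Normalise IAM's scalar-or-list fields to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}; IAM treats both as everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def open_statements(policy):
    """Return the indexes of Allow statements that grant anonymous access
    and carry no Condition, i.e. statements that leave the domain open.
    Accepts a dict or a JSON string."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(idx)
    return hits


def restrict_to_source_ips(policy, cidrs):
    """Return a deep copy of the policy in which every open statement gets
    an IpAddress/aws:SourceIp condition limiting it to the given CIDRs.
    The input policy is left unmodified."""
    doc = copy.deepcopy(json.loads(policy) if isinstance(policy, str) else policy)
    statements = _as_list(doc.get("Statement"))
    for idx in open_statements(doc):
        statements[idx]["Condition"] = {"IpAddress": {"aws:SourceIp": list(cidrs)}}
    doc["Statement"] = statements
    return doc


if __name__ == "__main__":
    print("open statements:", open_statements(OPEN_POLICY))
    fixed = restrict_to_source_ips(OPEN_POLICY, ["203.0.113.0/24"])
    print("open statements after restriction:", open_statements(fixed))
    print(json.dumps(fixed, indent=2))
```

Running the checker over the rendered policy before `terraform apply` (for example on the `access_policies` value in `terraform show -json`) catches the open statement locally instead of at the API, and makes it obvious when a condition written in the module input did not survive into the generated document.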

github-actions[bot] commented 5 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 5 months ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 4 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.