terraform-community-modules / tf_aws_elasticsearch

[DEPRECATED] Use https://github.com/terraform-aws-modules/terraform-aws-opensearch
MIT License

Need to change the ES domain policy #25

Closed max-rocket-internet closed 5 years ago

max-rocket-internet commented 5 years ago

I am using the module within a VPC and am not able to apply an IAM access policy. This is because of the count variable here: https://github.com/terraform-community-modules/tf_aws_elasticsearch/blob/master/main_vpc.tf#L75-L76

So as I understand it there's only 2 options:

I would say it's better to let the user just choose all the options, including the policy, rather than force them to choose between these limited options.

A simple example is to allow a Kinesis stream to send data to ES, here's the policy: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-es

max-rocket-internet commented 5 years ago

Actually, I'll close this.

I think if we allow setting the domain policy and VPC settings together then there's not much point in using the module; it's easier to just define the aws_elasticsearch_domain without the module.
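A sketch of the module-free approach mentioned in the closing comment, added here as an example and not taken from the module or the thread: one `aws_elasticsearch_domain` that sets VPC options and a least-privilege access policy together. The variable names, domain name, version and instance sizing are assumptions; the domain ARN is built locally so the policy does not have to reference the domain resource itself.

```hcl
# Hypothetical inputs; none of these names come from the module.
variable "subnet_ids" { type = list(string) }         # one subnet for a single-node domain
variable "security_group_ids" { type = list(string) }
variable "firehose_role_arn" { type = string }        # role assumed by the delivery stream

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  domain_name = "example-logs" # constructed name
  # Built by hand (standard "aws" partition assumed) to avoid a dependency cycle.
  domain_arn = "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${local.domain_name}"
}

# Resource-based policy: only the delivery role may call the HTTP API,
# and only on this domain. No wildcard principal, no es:* action.
data "aws_iam_policy_document" "es_access" {
  statement {
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [var.firehose_role_arn]
    }
    actions   = ["es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]
    resources = ["${local.domain_arn}/*"]
  }
}

resource "aws_elasticsearch_domain" "this" {
  domain_name           = local.domain_name
  elasticsearch_version = "7.10" # assumed version

  cluster_config {
    instance_type  = "t3.small.elasticsearch" # assumed sizing
    instance_count = 1
  }
  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }
  # VPC placement and the access policy are set on the same resource.
  vpc_options {
    subnet_ids         = var.subnet_ids
    security_group_ids = var.security_group_ids
  }
  access_policies = data.aws_iam_policy_document.es_access.json
}
```

The security groups in `vpc_options` still decide which network sources can reach the endpoint; the access policy only decides which IAM principals are authorized once they do.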