Make aws_iam_service_linked_role optional (#6)

README.md

@@ -75,8 +75,9 @@ module "elasticsearch" {
 ```
 Available targets:
 
-  help                                This help screen
+  help                                Help screen
   help/all                            Display help for all targets
+  help/short                          This help short screen
   lint                                Lint terraform code
 
 ```
@@ -89,6 +90,7 @@ Available targets:
 | allowed_cidr_blocks | List of CIDR blocks to be allowed to connect to the cluster | list | `<list>` | no |
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
 | automated_snapshot_start_hour | Hour at which automated snapshots are taken, in UTC | string | `0` | no |
+| create_iam_service_linked_role | Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | string | `true` | no |
 | dedicated_master_count | Number of dedicated master nodes in the cluster | string | `0` | no |
 | dedicated_master_enabled | Indicates whether dedicated master nodes are enabled for the cluster | string | `false` | no |
 | dedicated_master_type | Instance type of the dedicated master nodes in the cluster | string | `t2.small.elasticsearch` | no |

docs/targets.md

@@ -2,8 +2,9 @@
 ```
 Available targets:
 
-  help                                This help screen
+  help                                Help screen
   help/all                            Display help for all targets
+  help/short                          This help short screen
   lint                                Lint terraform code
 
 ```

docs/terraform.md

@@ -7,6 +7,7 @@
 | allowed_cidr_blocks | List of CIDR blocks to be allowed to connect to the cluster | list | `<list>` | no |
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
 | automated_snapshot_start_hour | Hour at which automated snapshots are taken, in UTC | string | `0` | no |
+| create_iam_service_linked_role | Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | string | `true` | no |
 | dedicated_master_count | Number of dedicated master nodes in the cluster | string | `0` | no |
 | dedicated_master_enabled | Indicates whether dedicated master nodes are enabled for the cluster | string | `false` | no |
 | dedicated_master_type | Instance type of the dedicated master nodes in the cluster | string | `t2.small.elasticsearch` | no |

main.tf

@@ -1,5 +1,5 @@
 module "label" {
-  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.7"
+  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.5.3"
   enabled    = "${var.enabled}"
   namespace  = "${var.namespace}"
   name       = "${var.name}"
@@ -19,13 +19,13 @@ resource "aws_security_group" "default" {
 
 resource "aws_security_group_rule" "ingress_security_groups" {
   count                    = "${var.enabled == "true" ? length(var.security_groups) : 0}"
-  description              = "Allow inbound traffic from Security Group"
+  description              = "Allow inbound traffic from Security Groups"
   type                     = "ingress"
   from_port                = 0
   to_port                  = 0
   protocol                 = "-1"
   source_security_group_id = "${element(var.security_groups, count.index)}"
-  security_group_id        = "${aws_security_group.default.id}"
+  security_group_id        = "${join("", aws_security_group.default.*.id)}"
 }
 
 resource "aws_security_group_rule" "ingress_cidr_blocks" {
@@ -36,7 +36,7 @@ resource "aws_security_group_rule" "ingress_cidr_blocks" {
   to_port           = 0
   protocol          = "-1"
   cidr_blocks       = ["${var.allowed_cidr_blocks}"]
-  security_group_id = "${aws_security_group.default.id}"
+  security_group_id = "${join("", aws_security_group.default.*.id)}"
 }
 
 resource "aws_security_group_rule" "egress" {
@@ -47,11 +47,12 @@ resource "aws_security_group_rule" "egress" {
   to_port           = 0
   protocol          = "-1"
   cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = "${aws_security_group.default.id}"
+  security_group_id = "${join("", aws_security_group.default.*.id)}"
 }
 
 # https://github.com/terraform-providers/terraform-provider-aws/issues/5218
 resource "aws_iam_service_linked_role" "default" {
+  count            = "${var.enabled == "true" && var.create_iam_service_linked_role == "true" ? 1 : 0}"
   aws_service_name = "es.amazonaws.com"
   description      = "AWSServiceRoleForAmazonElasticsearchService Service-Linked Role"
 }
@@ -105,12 +106,14 @@ resource "aws_elasticsearch_domain" "default" {
 }
 
 data "aws_iam_policy_document" "default" {
+  count = "${var.enabled == "true" ? 1 : 0}"
+
   statement {
     actions = ["${distinct(compact(var.iam_actions))}"]
 
     resources = [
-      "${aws_elasticsearch_domain.default.arn}",
-      "${aws_elasticsearch_domain.default.arn}/*",
+      "${join("", aws_elasticsearch_domain.default.*.arn)}",
+      "${join("", aws_elasticsearch_domain.default.*.arn)}/*",
     ]
 
     principals {
@@ -123,7 +126,7 @@ data "aws_iam_policy_document" "default" {
 resource "aws_elasticsearch_domain_policy" "default" {
   count           = "${var.enabled == "true" ? 1 : 0}"
   domain_name     = "${module.label.id}"
-  access_policies = "${data.aws_iam_policy_document.default.json}"
+  access_policies = "${join("", data.aws_iam_policy_document.default.*.json)}"
 }
 
 module "domain_hostname" {

variables.tf

@@ -179,3 +179,9 @@ variable "kibana_subdomain_name" {
   default     = "kibana"
   description = "The name of the subdomain for Kibana in the DNS zone (_e.g._ `kibana`, `ui`, `ui-es`, `search-ui`, `kibana.elasticsearch`)"
 }
+
+variable "create_iam_service_linked_role" {
+  type        = "string"
+  default     = "true"
+  description = "Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info"
+}