parameterize access policies json for more flexibility

cloudposse · Mar 31, 2024 · f2882f7 · f2882f7
1 parent 2fed109
commit f2882f7
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/elasticsearch_domain.tf b/elasticsearch_domain.tf
@@ -3,9 +3,9 @@
 #
 
 resource "aws_elasticsearch_domain_policy" "default" {
-  count           = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
+  count           = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 || length(var.access_policies) > 0) ? 1 : 0
   domain_name     = module.this.id
-  access_policies = join("", data.aws_iam_policy_document.default[*].json)
+  access_policies = coalesce(var.access_policies, join("", data.aws_iam_policy_document.default[*].json))
 }
 
 resource "aws_elasticsearch_domain" "default" {

diff --git a/variables.tf b/variables.tf
@@ -448,3 +448,12 @@ variable "auto_tune" {
   }
 }
 
+variable "access_policies" {
+  description = "JSON string for the IAM policy document specifying the access policies for the domain."
+  type        = string
+  default     = ""
+  validation {
+    condition     = var.access_policies == "" || try(jsondecode(var.access_policies), null) != null
+    error_message = "The access_policies JSON string is not valid."
+  }
+}