From f2882f7498e0007e92321df4eaed580dfe3d6051 Mon Sep 17 00:00:00 2001
From: Bruno Ferreira <bmibferreira@gmail.com>
Date: Sun, 5 Mar 2023 01:07:35 +0000
Subject: [PATCH] parameterize access policies json for more flexibility

---
 elasticsearch_domain.tf | 4 ++--
 variables.tf            | 9 +++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/elasticsearch_domain.tf b/elasticsearch_domain.tf
index 2d3071e..9c4cc7f 100644
--- a/elasticsearch_domain.tf
+++ b/elasticsearch_domain.tf
@@ -3,9 +3,9 @@
 #
 
 resource "aws_elasticsearch_domain_policy" "default" {
-  count           = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
+  count           = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 || length(var.access_policies) > 0) ? 1 : 0
   domain_name     = module.this.id
-  access_policies = join("", data.aws_iam_policy_document.default[*].json)
+  access_policies = coalesce(var.access_policies, join("", data.aws_iam_policy_document.default[*].json))
 }
 
 resource "aws_elasticsearch_domain" "default" {
diff --git a/variables.tf b/variables.tf
index 805bf70..c70f5ee 100644
--- a/variables.tf
+++ b/variables.tf
@@ -448,3 +448,12 @@ variable "auto_tune" {
   }
 }
 
+variable "access_policies" {
+  description = "JSON string for the IAM policy document specifying the access policies for the domain."
+  type        = string
+  default     = ""
+  validation {
+    condition     = var.access_policies == "" || try(jsondecode(var.access_policies), null) != null
+    error_message = "The access_policies JSON string is not valid."
+  }
+}