
Domain Policy is always changed #179

Open
digitalkaoz opened this issue Mar 13, 2024 · 2 comments
Labels
bug 🐛 An issue with the system

Comments

@digitalkaoz

digitalkaoz commented Mar 13, 2024

Describe the Bug

Terraform will perform the following actions:

  # module.elasticsearch.aws_elasticsearch_domain_policy.default[0] will be updated in-place
  ~ resource "aws_elasticsearch_domain_policy" "default" {
      ~ access_policies = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      + Sid       = "User"
                        # (4 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id              = "esd-policy-REDACTED-objects"
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

When I apply this change and plan again, I see the same change above again.

Expected Behavior

No stack changes are detected.

Steps to Reproduce

Simply use this module with an iam_role_arn:

module "elasticsearch" {
  source    = "cloudposse/elasticsearch/aws"
  namespace = var.project
  stage     = var.environment
  name      = var.name
  #environment = var.environment

  security_groups        = []
  vpc_enabled            = var.use_vpc
  vpc_id                 = var.use_vpc ? data.aws_vpc.env.id : null
  subnet_ids             = var.use_vpc ? [one(data.aws_subnets.private.ids)] : [one(data.aws_subnets.public.ids)]
  zone_awareness_enabled = false

  elasticsearch_version = "OpenSearch_2.11"
  instance_type         = var.es["type"]
  instance_count        = var.es["instances"]
  ebs_volume_size       = var.es["volume"]

  iam_role_arns        = ["arn:aws:iam::${data.aws_caller_identity.self.account_id}:root"]
  iam_actions          = ["es:*"]
  aws_ec2_service_name = ["ec2.amazonaws.com", "lambda.amazonaws.com"]

  encrypt_at_rest_enabled         = true
  node_to_node_encryption_enabled = true

  dns_zone_id                                 = data.aws_route53_zone.base.id
  kibana_hostname_enabled                     = var.es["kibana"] != ""
  kibana_subdomain_name                       = var.es["kibana"] != "" ? var.es["kibana"] : null
  custom_endpoint_enabled                     = var.es["domain"] != ""
  custom_endpoint                             = "${var.es["domain"]}.${var.domain}"
  custom_endpoint_certificate_arn             = data.aws_acm_certificate.cert.arn
  domain_endpoint_options_enforce_https       = true
  domain_endpoint_options_tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  cognito_authentication_enabled              = true
  cognito_iam_role_arn                        = aws_iam_role.es_service_role.arn
  cognito_identity_pool_id                    = var.cognito["identity_pool_id"]
  cognito_user_pool_id                        = var.cognito["user_pool_id"]

  #advanced_security_options_enabled = true # would force a destroy but is required for audit_logs
  log_publishing_application_enabled                  = true
  log_publishing_application_cloudwatch_log_group_arn = aws_cloudwatch_log_group.app_logs.arn
  log_publishing_search_enabled                       = true
  log_publishing_search_cloudwatch_log_group_arn      = aws_cloudwatch_log_group.slow_logs.arn
  #log_publishing_audit_enabled                        = true
  #log_publishing_audit_cloudwatch_log_group_arn       = aws_cloudwatch_log_group.audit_logs.arn
  log_publishing_index_enabled                        = true
  log_publishing_index_cloudwatch_log_group_arn       = aws_cloudwatch_log_group.slow_logs.arn

  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
    "override_main_response_version"         = "true"
  }

  tags = local.tags
}

Screenshots

No response

Environment

❯ terraform --version
Terraform v1.6.4
on darwin_arm64

Additional Context

No response

@digitalkaoz digitalkaoz added the bug 🐛 An issue with the system label Mar 13, 2024
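The plan above shows only `+ Sid = "User"` being re-added while the other four statement attributes are unchanged, which is the signature of a diff that does not change what the domain policy permits. As an added example (not part of this issue and not code from the cloudposse/elasticsearch module), here is a small Python check that separates such a cosmetic perpetual diff from a real permission change by comparing the document Terraform wants to write with the one the AWS API reports, ignoring statement `Sid` and element order but flagging any change to Effect, Principal, Action, Resource or Condition. The policy documents, account id, region and domain ARN in it are constructed samples, not the reporter's real policy.

```python
"""
Classify a repeated Terraform diff on an OpenSearch/Elasticsearch domain
access policy: does the desired document differ from the one the AWS API
returns only cosmetically (statement Sid, element order), or does it
change what is permitted?

All policy documents below are CONSTRUCTED samples; the account id, region,
domain ARN and statement layout are assumptions for illustration.
"""
import json

# Statement keys that determine the effective permissions.
SEMANTIC_KEYS = ("Effect", "Principal", "NotPrincipal", "Action", "NotAction",
                 "Resource", "NotResource", "Condition")


def _canon(value):
    """Stable string form used for order-independent comparison."""
    return json.dumps(value, sort_keys=True)


def _as_sorted_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a sorted list."""
    items = value if isinstance(value, list) else [value]
    return sorted(items, key=_canon)


def normalise_statement(stmt):
    """Canonical form of one statement with cosmetic keys (e.g. Sid) dropped."""
    out = {}
    for key in SEMANTIC_KEYS:
        if key not in stmt:
            continue
        value = stmt[key]
        if key == "Condition":
            out[key] = value  # condition maps are compared as-is
        elif key in ("Principal", "NotPrincipal") and isinstance(value, dict):
            out[key] = {k: _as_sorted_list(v) for k, v in value.items()}
        else:
            out[key] = _as_sorted_list(value)
    return out


def normalise_policy(policy):
    """Order-independent representation of a whole policy document."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return sorted((normalise_statement(s) for s in statements), key=_canon)


def classify_diff(desired, actual):
    """
    Compare the policy Terraform wants to write (desired) with the policy the
    API currently reports (actual). Returns "identical", "cosmetic" (same
    permissions; only Sid-like keys or element order differ, so the repeated
    plan grants nothing new) or "semantic" (permissions differ; review it).
    """
    if isinstance(desired, str):
        desired = json.loads(desired)
    if isinstance(actual, str):
        actual = json.loads(actual)
    if desired == actual:
        return "identical"
    if normalise_policy(desired) == normalise_policy(actual):
        return "cosmetic"
    return "semantic"


# Constructed sample: the document with a Sid on its statement.
DESIRED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "User",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": ["es:*"],
        "Resource": "arn:aws:es:eu-central-1:111111111111:domain/example/*",
    }],
}

# Constructed sample: the same permissions read back without the Sid.
ACTUAL_NO_SID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
        "Action": "es:*",
        "Resource": ["arn:aws:es:eu-central-1:111111111111:domain/example/*"],
    }],
}

# Constructed sample: the principal widened to any AWS account.
ACTUAL_WIDENED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:eu-central-1:111111111111:domain/example/*",
    }],
}

if __name__ == "__main__":
    print(classify_diff(DESIRED, ACTUAL_NO_SID))   # cosmetic
    print(classify_diff(DESIRED, ACTUAL_WIDENED))  # semantic
```

A "cosmetic" result means the perpetual plan is noise that a policy normalisation or `lifecycle` ignore would safely silence; a "semantic" result means the document on the domain really differs from the configuration and should be reviewed before re-applying.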
@antonio-robles-1

Hi @digitalkaoz,

Have you found any workaround on this?

@digitalkaoz
Author

digitalkaoz commented Nov 5, 2024 via email
