From 6eb14a8c7b0a0b08de29d11146175e2e3290cd58 Mon Sep 17 00:00:00 2001
From: Bruno Ferreira
Date: Sun, 5 Mar 2023 01:07:35 +0000
Subject: [PATCH 1/4] parameterize access policies json for more flexibility

---
 main.tf | 4 ++--
 variables.tf | 9 +++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/main.tf b/main.tf
index 71fa7b0..746113c 100644
--- a/main.tf
+++ b/main.tf
@@ -291,7 +291,7 @@ data "aws_iam_policy_document" "default" {
 resource "aws_elasticsearch_domain_policy" "default" {
 count = module.this.enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
 domain_name = module.this.id
- access_policies = join("", data.aws_iam_policy_document.default.*.json)
+ access_policies = coalesce(access_policies, join("", data.aws_iam_policy_document.default.*.json))
 }
 
 module "domain_hostname" {
@@ -321,4 +321,4 @@ module "kibana_hostname" {
 records = [join("", aws_elasticsearch_domain.default.*.endpoint)]
 
 context = module.this.context
-}
\ No newline at end of file
+}
diff --git a/variables.tf b/variables.tf
index 4830134..60ed262 100644
--- a/variables.tf
+++ b/variables.tf
@@ -424,3 +424,12 @@ variable "auto_tune" {
 }
 }
 
+variable "access_policies" {
+ description = "JSON string for the IAM policy document specifying the access policies for the domain."
+ type = string
+ default = ""
+ validation {
+ condition = var.access_policies == "" || try(jsondecode(var.access_policies), null) != null
+ error_message = "The access_policies JSON string is not valid."
+ }
+}

From 7955e750da4b44ff21cceef002b336d336436cc8 Mon Sep 17 00:00:00 2001
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Date: Sun, 5 Mar 2023 01:11:56 +0000
Subject: [PATCH 2/4] Auto Format

---
 README.md | 1 +
 docs/terraform.md | 1 +
 2 files changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 9261c0e..6cd684a 100644
--- a/README.md
+++ b/README.md
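Review bot: On the `+ access_policies` line of the main.tf hunk, a non-empty `var.access_policies` makes `coalesce` drop the module-generated document wholesale, so the grants derived from `iam_role_arns` / `iam_authorizing_role_arns` silently disappear whenever both inputs are set; the same expression is carried forward unchanged in the [PATCH 3/4] and [PATCH 4/4] hunks. If replacement is the intent, say so next to this line, e.g. `# A non-empty var.access_policies replaces (does not merge with) the generated document`, and in the variable description. If the two are meant to combine, feeding the caller's JSON into `data "aws_iam_policy_document" "default"` via `override_policy_documents` would make precedence explicit and keep the role-based statements; that data block sits above this hunk, so I cannot see whether it already consumes source documents. The bare `access_policies` reference on this line is also unresolvable as written; [PATCH 3/4] corrects it to `var.access_policies`.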
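Review bot: The validation `condition` in the variables.tf hunk only proves the string is parseable JSON; `jsondecode` returns a number or a string just as happily, so a value such as `1` passes `plan` and fails only at apply time inside the provider. Requiring the document's top-level `Statement` key narrows it to something that can actually be a domain policy: `condition = var.access_policies == "" || can(jsondecode(var.access_policies).Statement)`. The `description` should also state that a non-empty value takes precedence over the policy the module builds from `iam_role_arns` / `iam_authorizing_role_arns`, and that the caller is responsible for scoping the `Principal` and `Condition` entries, since a wildcard principal without a condition exposes the domain beyond the intended identities.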
@@ -205,6 +205,7 @@ Available targets: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [access\_policies](#input\_access\_policies) | JSON string for the IAM policy document specifying the access policies for the domain. | `string` | `""` | no | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [advanced\_options](#input\_advanced\_options) | Key-value string pairs to specify advanced configuration options | `map(string)` | `{}` | no | | [advanced\_security\_options\_enabled](#input\_advanced\_security\_options\_enabled) | AWS Elasticsearch Kibana enchanced security plugin enabling (forces new resource) | `bool` | `false` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 1af9dd7..ff38aa3 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -42,6 +42,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [access\_policies](#input\_access\_policies) | JSON string for the IAM policy document specifying the access policies for the domain. | `string` | `""` | no | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [advanced\_options](#input\_advanced\_options) | Key-value string pairs to specify advanced configuration options | `map(string)` | `{}` | no | | [advanced\_security\_options\_enabled](#input\_advanced\_security\_options\_enabled) | AWS Elasticsearch Kibana enchanced security plugin enabling (forces new resource) | `bool` | `false` | no |

From 5bd4e3f6f861e1fbacd3290ef2ee503668cd9004 Mon Sep 17 00:00:00 2001
From: Bruno Ferreira
Date: Sun, 5 Mar 2023 01:17:05 +0000
Subject: [PATCH 3/4] add missing var

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 746113c..86b1733 100644
--- a/main.tf
+++ b/main.tf
@@ -291,7 +291,7 @@ data "aws_iam_policy_document" "default" {
 resource "aws_elasticsearch_domain_policy" "default" {
 count = module.this.enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
 domain_name = module.this.id
- access_policies = coalesce(access_policies, join("", data.aws_iam_policy_document.default.*.json))
+ access_policies = coalesce(var.access_policies, join("", data.aws_iam_policy_document.default.*.json))
 }
 
 module "domain_hostname" {

From 19798dbd4ce1b19b517616a7ce1aa87343daaf81 Mon Sep 17 00:00:00 2001
From: Bruno Ferreira
Date: Sun, 5 Mar 2023 01:27:26 +0000
Subject: [PATCH 4/4] fix set policy when access policies string size is greater than 0

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 86b1733..cfe85a6 100644
--- a/main.tf
+++ b/main.tf
@@ -289,7 +289,7 @@ data "aws_iam_policy_document" "default" {
 }
 
 resource "aws_elasticsearch_domain_policy" "default" {
- count = module.this.enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
+ count = module.this.enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 || length(var.access_policies) > 0) ? 1 : 0
 domain_name = module.this.id
 access_policies = coalesce(var.access_policies, join("", data.aws_iam_policy_document.default.*.json))
 }
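Review bot: The `+ count` line now encodes the enabling rule as three inline terms, while `data "aws_iam_policy_document" "default"` above this hunk presumably still carries the two-term version of the same condition, so the two can drift apart on the next edit. A shared local keeps them in step: `domain_policy_enabled = module.this.enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 || length(var.access_policies) > 0)` in `locals`, with `count = local.domain_policy_enabled ? 1 : 0` here. When only `access_policies` is non-empty and the data source is gated on the role lists, its splat is empty, `join` yields `""` and `coalesce` correctly falls through to the caller's document; it is the both-set case, where the generated document is discarded, that should be spelled out in a comment on the `access_policies` line.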