How to successfully create elasticsearch IAM policy with terraform?


egul...@gmail.com

Nov 10, 2016, 4:49:43 PM11/10/16
to Terraform
Hello,

I'm trying to create elasticsearch_access_policy, but for some reason there's something wrong and I can't figure out what.

Here's my code:



module "tf-account-id" {
  source = "git::https://some-path-to/tf-account-id.git"
}

data "aws_iam_policy_document" "elasticsearch_access_policy_document" {
  statement {
    sid = "1"
    actions = [
      "es:*",
    ]
    effect = "Allow"
    condition {
      test = "IpAddress"
      variable = "aws:SourceIp"
      values = [
        "",
        "${var.sourceip}",
      ]
    }
    principals {
      type = "AWS"
      identifiers = ["arn:aws:iam:${module.tf-account-id.id}/*"]
    }
  }
}

resource "aws_iam_policy" "elasticsearch_access_policy" {
  name = "elasticsearch_access"
  path = "/"
  policy = "${data.aws_iam_policy_document.elasticsearch_access_policy_document.json}"
}


tf plan shows no errors but tf apply results in:


Error applying plan:
1 error(s) occurred:
* aws_iam_policy.elasticsearch_access_policy: Error creating IAM policy elasticsearch_access: MalformedPolicyDocument: The policy failed legacy parsing
        status code: 400, request id: 98e5cb65-a78e-11e6-8c37-b3baab09bf37


Is there a policy parser somewhere that we can use to track down what is going on here with my simple policy?

Maybe there's something obvious to someone here that I can't see after punching the keyboard for a few hours.

Any advice really appreciated. I'm using terraform v0.7.4



Thank you,
E.G

Paddy Foran

Nov 10, 2016, 4:56:39 PM11/10/16
to terrafo...@googlegroups.com
Hi E.G.,

I can't say for sure, but at a quick glance it looks like the problem you're running into is related to https://github.com/hashicorp/terraform/issues/6438. I'm trying to track down the source of the problem today. So I can't offer a great solution at the moment, but hopefully one will be forthcoming shortly.

Thanks,
Paddy

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/7071a2fa-25a4-4d97-9200-261575d39532%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

egul...@gmail.com

Nov 10, 2016, 5:22:04 PM11/10/16
to Terraform
No problem,
Thanks for the quick reply.

I actually updated terraform to v0.7.10 but still no dice.. :(.

I wish these errors would be a little more descriptive.

egul...@gmail.com

Nov 14, 2016, 2:06:03 PM11/14/16
to Terraform
Is there another way to create an IAM policy document that can interpolate variables, like "${module.tf-account-id.id}" in my case?

I'm curious to see how others solved it. 

I would really appreciate any tip for workaround.

Thank you



Paddy Foran

Nov 14, 2016, 2:14:12 PM11/14/16
to terrafo...@googlegroups.com
Hey E.G., sorry for the delayed response. I'm pretty sure this is a race condition, but I want to be really sure before I treat it like one. Sorry for the imprecise errors; sadly, they're all we have access to. I'm going to keep digging on this, though, and see if I can't get us a satisfactory resolution.

As for interpolating variables, I'm too new to Terraform to be able to answer that with much confidence, so I'll let someone who knows a bit more chime in. :)

Sorry for the frustration!


egul...@gmail.com

Nov 14, 2016, 3:20:30 PM11/14/16
to Terraform
Hey there,
no problemo :).

I actually think I figured out the problem. I converted the policy that is generated by 'tf apply' to IAM format using a regex and used the AWS Policy Generator to validate it.

I removed principals and double quotes under condition, so policy looks like this now:




data "aws_iam_policy_document" "elasticsearch_access_policy_document" {
  statement {
    sid = "20161114001"
    effect = "Allow"
    actions = [
      "es:*",
    ]
    condition {
      test = "IpAddress"
      variable = "aws:SourceIp"
      values = [
        "${var.sourceip}",
      ]
    }
    resources = [
      "arn:aws:elasticsearch:::${var.domain_name}"
    ]
  }
}


It would be awesome if the TF error would simply say something like "invalid empty value in condition"; that way I would know that I'm stupid and shouldn't use quotes without values :)

For some reason "principals" fails and I can't figure out why, so I'll let it go and see how far I can get without it for now.


I didn't get too far.... :D

I get a problem with 'tf plan' now:


Error running plan: 1 error(s) occurred:

* aws_elasticsearch_domain.es: "access_policies" contains an invalid JSON: invalid character 'e' looking for beginning of value



I assume that 'e' is the first character of my policy name, but again it doesn't quite make sense what is actually wrong here :(
And here's what my domain definition looks like:


resource "aws_elasticsearch_domain" "es" {
    domain_name = "${var.domain_name}"
    elasticsearch_version = "${var.elasticsearch_version}"

    ebs_options {
        ebs_enabled = "${var.ebs_enabled}"
        volume_type = "${var.volume_type}"
        volume_size = "${var.volume_size}"
    }

    cluster_config {
        instance_type = "${var.instance_type}"
        instance_count = "${var.instance_count}"
    }

    advanced_options {
        "rest.action.multi.allow_explicit_index" = true
    }


    #access_policies = "${aws_iam_policy.elasticsearch_access_policy.id}"

    snapshot_options {
        automated_snapshot_start_hour = 23
    }

    tags {
      Domain = "${var.domain_tag}"
      Managed_by = "Managed by Terraform"
    }

}


Is that something more obvious to you? Maybe this is something much easier to fix? :)

As you can see, I've tried using 'id', but then it's the same error; just instead of complaining about "e" it complains about the "a" character :).


Any tip appreciated :)

Thank you
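The following is an added example, not code from this thread and not from the Terraform or AWS provider documentation. It pulls together the two problems raised above (the first post's "failed legacy parsing" on aws_iam_policy, and the "invalid character 'e'/'a'" on access_policies in this post) in one configuration. Two facts it relies on: aws_iam_policy creates an identity-based managed policy, and IAM rejects identity-based documents that carry a Principal element (a Principal only belongs in a resource-based policy); and the access_policies argument of aws_elasticsearch_domain takes the resource policy JSON itself, so handing it the managed policy's name or ARN is what produces a "not JSON" error starting at 'e' or 'a'. It also replaces the tf-account-id module with the aws_caller_identity data source, builds the domain ARN with the es service prefix (the ES domain ARN form is arn:aws:es:REGION:ACCOUNT:domain/NAME/*, not arn:aws:elasticsearch:::NAME), uses arn:aws:iam::ACCOUNT:root rather than a wildcard path (principal ARNs cannot contain wildcards), and never puts an empty string in the condition values. It is written in current (0.12+) HCL rather than the 0.7 syntax of the thread; the variable names, sids, instance type and Elasticsearch version are assumptions chosen for the example.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

variable "domain_name" { type = string }

variable "source_cidrs" {
  type        = list(string)
  description = "CIDRs allowed to reach the domain, e.g. [\"203.0.113.0/24\"] (assumed name)"
}

# Account id and region come from the provider credentials; this replaces the
# tf-account-id module used in the thread.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Built by hand so the policy can be rendered before the domain exists
  # (referencing aws_elasticsearch_domain.es.arn inside its own policy is a cycle).
  domain_arn = "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.domain_name}/*"
}

# Resource-based policy for the domain: the one place a principals block belongs.
data "aws_iam_policy_document" "domain_access" {
  statement {
    sid       = "AllowAccountFromTrustedCidrs" # assumed sid
    effect    = "Allow"
    actions   = ["es:*"]
    resources = [local.domain_arn]

    # Account root as principal delegates to IAM: callers still need an
    # identity-based es:* grant and must sign requests (SigV4). Unsigned clients
    # would need type = "*" / identifiers = ["*"], leaving the IP condition as
    # the only control on the endpoint.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = var.source_cidrs # an empty "" entry here is rejected by IAM
    }
  }
}

resource "aws_elasticsearch_domain" "es" {
  domain_name           = var.domain_name
  elasticsearch_version = "7.10" # assumed

  cluster_config {
    instance_type  = "t3.small.elasticsearch" # assumed
    instance_count = 1
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  # The rendered policy JSON, not the name or ARN of an aws_iam_policy.
  access_policies = data.aws_iam_policy_document.domain_access.json
}

# Identity-based policy for the callers: same actions and IP condition, but no
# principals block, because aws_iam_policy rejects a Principal element.
data "aws_iam_policy_document" "caller_access" {
  statement {
    sid       = "AllowEsFromTrustedCidrs" # assumed sid
    effect    = "Allow"
    actions   = ["es:*"]
    resources = [local.domain_arn]

    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = var.source_cidrs
    }
  }
}

resource "aws_iam_policy" "elasticsearch_access" {
  name   = "elasticsearch_access"
  path   = "/"
  policy = data.aws_iam_policy_document.caller_access.json
}
```

terraform validate only checks the HCL; the rendered policy JSON shows up in terraform plan (or in the request body with TF_LOG=DEBUG), and that is the text to feed to an IAM policy validator when a MalformedPolicyDocument comes back. Two caveats for the access control itself: aws:SourceIp is evaluated against the caller's public address, so it is not a useful control for a domain placed in a VPC; and account root plus es:* is still a broad grant, so narrow actions (for example es:ESHttpGet for read-only clients) to what the callers actually need.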

Paddy Foran

Nov 15, 2016, 2:22:02 PM11/15/16
to terrafo...@googlegroups.com
If you use the TF_LOG environment variable, you can see the actual request terraform is sending, complete with the JSON. Pop that into a JSON validator, and it should show you where the issue is. :)

Also, re: interpolating variables, there's a good discussion of it here: https://groups.google.com/d/msgid/terraform-tool/CAEpa1D%2BEM6kqAm%2BWR9LBtX-8VOqz5o9y6mt%3DCy2s7d%3Dd-LJ0Lg%40mail.gmail.com?utm_medium=email&utm_source=footer

Hope that helps!

Best,
Paddy
