diff --git a/modules/elasticsearch/README.md b/modules/elasticsearch/README.md
index acb53e20..5645fb11 100644
--- a/modules/elasticsearch/README.md
+++ b/modules/elasticsearch/README.md
@@ -47,6 +47,21 @@ module:
 - `var.lb_zone_id`: `module.core.internal_lb_zone_id`
 - `var.redirect_listener_arn`: `module.core.internal_lb_https_listener_arn`
+## Service Linked Role
+
+If, while applying, you get the error
+
+```
+* aws_elasticsearch_domain.es: Error reading IAM Role
+AWSServiceRoleForAmazonElasticsearchService: NoSuchEntity: The role with name
+AWSServiceRoleForAmazonElasticsearchService cannot be found.
+```
+
+you can set `create_service_linked_role` to true.
+
+You can see the relevant
+[issue](https://github.com/terraform-providers/terraform-provider-aws/issues/5218).
+
 ## Example Terraform configuration with Core integration
 ```hcl
@@ -93,6 +108,7 @@ module "es" {
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| create_service_linked_role | Create Elasticsearch service linked role. See README | string | `false` | no |
 | enable_slow_index_log | Enable slow log indexing | string | `false` | no |
 | es_access_cidr_block | Elasticsearch access CIDR block to allow access | list | - | yes |
 | es_additional_tags | Additional tags to apply on Elasticsearch | string | `` | no |
@@ -126,6 +142,8 @@ module "es" {
 | slow_index_log_retention | Number of days to retain logs for. | string | `120` | no |
 | use_redirect | Indicates whether to use redirect users | string | `false` | no |
+
+
 ## Outputs
 | Name | Description |
diff --git a/modules/elasticsearch/main.tf b/modules/elasticsearch/main.tf
index 45a13805..b5e410ff 100644
--- a/modules/elasticsearch/main.tf
+++ b/modules/elasticsearch/main.tf
@@ -39,6 +39,8 @@ data "aws_iam_policy_document" "es_resource_attached_policy" { } resource "aws_elasticsearch_domain" "es" { + depends_on = ["aws_iam_service_linked_role.es"] + domain_name = "${local.es_domain_name}" elasticsearch_version = "${var.es_version}" @@ -85,6 +87,12 @@ resource "aws_elasticsearch_domain_policy" "es_resource_attached_policy" { access_policies = "${data.aws_iam_policy_document.es_resource_attached_policy.json}" } +resource "aws_iam_service_linked_role" "es" { + count = "${var.create_service_linked_role ? 1 : 0}" + + aws_service_name = "es.amazonaws.com" +} + locals { endpoint = "${aws_elasticsearch_domain.es.endpoint}" es_kms_key_id = "${var.es_encrypt_at_rest ? var.es_kms_key_id : ""}" diff --git a/modules/elasticsearch/variables.tf b/modules/elasticsearch/variables.tf index 724404e5..b18ae69d 100644 --- a/modules/elasticsearch/variables.tf +++ b/modules/elasticsearch/variables.tf @@ -178,3 +178,11 @@ variable "redirect_rule_priority" { description = "Rule priority for redirect" default = 100 } + +# +# Others +# +variable "create_service_linked_role" { + description = "Create Elasticsearch service linked role. See README" + default = false +}
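Review bot: The new `depends_on` at the top of `aws_elasticsearch_domain.es` carries no comment explaining why an explicit ordering is needed, and nothing else in the visible part of the block references the role. I would add `# The domain needs the account's Elasticsearch service-linked role to exist before it is created; no attribute reference orders this implicitly.` directly above it. The resource block continues outside the hunk, so whether the domain is VPC-attached (presumably what makes the role necessary) cannot be confirmed from here.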
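Review bot: `aws_iam_service_linked_role.es` manages a role that exists once per AWS account rather than once per module instance, and nothing in the resource says so. A second instance of this module in the same account with the flag set to true would likely fail because the role already exists, and destroying the instance that owns the role attempts to delete something other Elasticsearch domains in the account depend on. I would put `# Account-wide role: enable in at most one place per AWS account.` above the resource and consider managing the role outside this module. The identity that applies this also needs `iam:CreateServiceLinkedRole`, which can be limited to this service with an `iam:AWSServiceName` condition of `es.amazonaws.com`.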
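Review bot: `create_service_linked_role` defaults to the bare boolean `false`, while the README table added in the same commit documents the input as type string. With the interpolation syntax this module uses, boolean literals are coerced to strings, and as far as I recall the Terraform documentation for those releases recommends the quoted form; `default = "false"` would match the documented type and should still work with the `? 1 : 0` conditional in main.tf. The description could also state the effect in one phrase instead of only pointing at the README, for example `description = "Create the account-wide Elasticsearch service-linked role (once per AWS account). See README"`.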