Fix issue related to ES Service linked role

See hashicorp/terraform-provider-aws#5218
dsaidgovsg · Sep 18, 2018 · 24e46d4 · 24e46d4
1 parent cdeacf1
commit 24e46d4
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 0 deletions.
diff --git a/modules/elasticsearch/README.md b/modules/elasticsearch/README.md
@@ -47,6 +47,21 @@ module:
 - `var.lb_zone_id`: `module.core.internal_lb_zone_id`
 - `var.redirect_listener_arn`: `module.core.internal_lb_https_listener_arn`
 
+## Service Linked Role
+
+If, while applying, you get the error
+
+```
+* aws_elasticsearch_domain.es: Error reading IAM Role
+AWSServiceRoleForAmazonElasticsearchService: NoSuchEntity: The role with name
+AWSServiceRoleForAmazonElasticsearchService cannot be found.
+```
+
+while applying, you can set `create_service_linked_role` to true.
+
+You can see the relevant
+[issue](https://github.com/terraform-providers/terraform-provider-aws/issues/5218).
+
 ## Example Terraform configuration with Core integration
 
 ```hcl
@@ -93,6 +108,7 @@ module "es" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| create_service_linked_role | Create Elasticsearch service linked role. See README | string | `false` | no |
 | enable_slow_index_log | Enable slow log indexing | string | `false` | no |
 | es_access_cidr_block | Elasticsearch access CIDR block to allow access | list | - | yes |
 | es_additional_tags | Additional tags to apply on Elasticsearch | string | `<map>` | no |
@@ -126,6 +142,8 @@ module "es" {
 | slow_index_log_retention | Number of days to retain logs for. | string | `120` | no |
 | use_redirect | Indicates whether to use redirect users | string | `false` | no |
 
+
+
 ## Outputs
 
 | Name | Description |

diff --git a/modules/elasticsearch/main.tf b/modules/elasticsearch/main.tf
@@ -39,6 +39,8 @@ data "aws_iam_policy_document" "es_resource_attached_policy" {
 }
 
 resource "aws_elasticsearch_domain" "es" {
+  depends_on = ["aws_iam_service_linked_role.es"]
+
   domain_name           = "${local.es_domain_name}"
   elasticsearch_version = "${var.es_version}"
 
@@ -85,6 +87,12 @@ resource "aws_elasticsearch_domain_policy" "es_resource_attached_policy" {
   access_policies = "${data.aws_iam_policy_document.es_resource_attached_policy.json}"
 }
 
+resource "aws_iam_service_linked_role" "es" {
+  count = "${var.create_service_linked_role ? 1 : 0}"
+
+  aws_service_name = "es.amazonaws.com"
+}
+
 locals {
   endpoint       = "${aws_elasticsearch_domain.es.endpoint}"
   es_kms_key_id  = "${var.es_encrypt_at_rest ? var.es_kms_key_id : ""}"

diff --git a/modules/elasticsearch/variables.tf b/modules/elasticsearch/variables.tf
@@ -178,3 +178,11 @@ variable "redirect_rule_priority" {
   description = "Rule priority for redirect"
   default     = 100
 }
+
+#
+# Others
+#
+variable "create_service_linked_role" {
+  description = "Create Elasticsearch service linked role. See README"
+  default     = false
+}