provider/aws: Add aws_elasticsearch_domain_policy

builtin/providers/aws/provider.go

@@ -228,6 +228,7 @@ func Provider() terraform.ResourceProvider {
 			"aws_elastic_beanstalk_configuration_template": resourceAwsElasticBeanstalkConfigurationTemplate(),
 			"aws_elastic_beanstalk_environment":            resourceAwsElasticBeanstalkEnvironment(),
 			"aws_elasticsearch_domain":                     resourceAwsElasticSearchDomain(),
+			"aws_elasticsearch_domain_policy":              resourceAwsElasticSearchDomainPolicy(),
 			"aws_elastictranscoder_pipeline":               resourceAwsElasticTranscoderPipeline(),
 			"aws_elastictranscoder_preset":                 resourceAwsElasticTranscoderPreset(),
 			"aws_elb":                                      resourceAwsElb(),

builtin/providers/aws/resource_aws_elasticsearch_domain.go

@@ -24,6 +24,7 @@ func resourceAwsElasticSearchDomain() *schema.Resource {
 			"access_policies": &schema.Schema{
 				Type:      schema.TypeString,
 				StateFunc: normalizeJson,
+				Computed:  true,
 				Optional:  true,
 			},
 			"advanced_options": &schema.Schema{

builtin/providers/aws/resource_aws_elasticsearch_domain_policy.go

@@ -0,0 +1,125 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	elasticsearch "github.com/aws/aws-sdk-go/service/elasticsearchservice"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsElasticSearchDomainPolicy() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsElasticSearchDomainPolicyUpsert,
+		Read:   resourceAwsElasticSearchDomainPolicyRead,
+		Update: resourceAwsElasticSearchDomainPolicyUpsert,
+		Delete: resourceAwsElasticSearchDomainPolicyDelete,
+
+		Schema: map[string]*schema.Schema{
+			"domain_name": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"access_policies": {
+				Type:             schema.TypeString,
+				StateFunc:        normalizeJson,
+				Required:         true,
+				DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs,
+			},
+		},
+	}
+}
+
+func resourceAwsElasticSearchDomainPolicyRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).esconn
+
+	out, err := conn.DescribeElasticsearchDomain(&elasticsearch.DescribeElasticsearchDomainInput{
+		DomainName: aws.String(d.Get("domain_name").(string)),
+	})
+	if err != nil {
+		return err
+	}
+
+	log.Printf("[DEBUG] Received ElasticSearch domain: %s", out)
+
+	ds := out.DomainStatus
+
+	if ds.AccessPolicies != nil && *ds.AccessPolicies != "" {
+		d.Set("access_policies", normalizeJson(*ds.AccessPolicies))
+	}
+
+	return nil
+}
+
+func resourceAwsElasticSearchDomainPolicyUpsert(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).esconn
+	domainName := d.Get("domain_name").(string)
+	_, err := conn.UpdateElasticsearchDomainConfig(&elasticsearch.UpdateElasticsearchDomainConfigInput{
+		DomainName:     aws.String(domainName),
+		AccessPolicies: aws.String(d.Get("access_policies").(string)),
+	})
+	if err != nil {
+		return err
+	}
+
+	d.SetId("esd-policy-" + domainName)
+
+	err = resource.Retry(50*time.Minute, func() *resource.RetryError {
+		out, err := conn.DescribeElasticsearchDomain(&elasticsearch.DescribeElasticsearchDomainInput{
+			DomainName: aws.String(d.Get("domain_name").(string)),
+		})
+		if err != nil {
+			return resource.NonRetryableError(err)
+		}
+
+		if *out.DomainStatus.Processing == false {
+			return nil
+		}
+
+		return resource.RetryableError(
+			fmt.Errorf("%q: Timeout while waiting for changes to be processed", d.Id()))
+	})
+	if err != nil {
+		return err
+	}
+
+	return resourceAwsElasticSearchDomainPolicyRead(d, meta)
+}
+
+func resourceAwsElasticSearchDomainPolicyDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).esconn
+
+	_, err := conn.UpdateElasticsearchDomainConfig(&elasticsearch.UpdateElasticsearchDomainConfigInput{
+		DomainName:     aws.String(d.Get("domain_name").(string)),
+		AccessPolicies: aws.String(""),
+	})
+	if err != nil {
+		return err
+	}
+
+	log.Printf("[DEBUG] Waiting for ElasticSearch domain policy %q to be deleted", d.Get("domain_name").(string))
+	err = resource.Retry(60*time.Minute, func() *resource.RetryError {
+		out, err := conn.DescribeElasticsearchDomain(&elasticsearch.DescribeElasticsearchDomainInput{
+			DomainName: aws.String(d.Get("domain_name").(string)),
+		})
+		if err != nil {
+			return resource.NonRetryableError(err)
+		}
+
+		if *out.DomainStatus.Processing == false {
+			return nil
+		}
+
+		return resource.RetryableError(
+			fmt.Errorf("%q: Timeout while waiting for policy to be deleted", d.Id()))
+	})
+	if err != nil {
+		return err
+	}
+
+	d.SetId("")
+	return nil
+}

builtin/providers/aws/resource_aws_elasticsearch_domain_policy_test.go

@@ -0,0 +1,62 @@
+package aws
+
+import (
+	"fmt"
+	"regexp"
+	"testing"
+
+	elasticsearch "github.com/aws/aws-sdk-go/service/elasticsearchservice"
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccAWSElasticSearchDomainPolicy_basic(t *testing.T) {
+	var domain elasticsearch.ElasticsearchDomainStatus
+	ri := acctest.RandInt()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckESDomainDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccESDomainPolicyConfig(ri),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckESDomainExists("aws_elasticsearch_domain.example", &domain),
+					resource.TestCheckResourceAttr("aws_elasticsearch_domain.example", "elasticsearch_version", "2.3"),
+					resource.TestMatchResourceAttr("aws_elasticsearch_domain_policy.main", "access_policies",
+						regexp.MustCompile("^{\"Statement\":.+")),
+				),
+			},
+		},
+	})
+}
+
+func testAccESDomainPolicyConfig(randInt int) string {
+	return fmt.Sprintf(`
+resource "aws_elasticsearch_domain" "example" {
+    domain_name = "tf-test-%d"
+    elasticsearch_version = "2.3"
+}
+
+resource "aws_elasticsearch_domain_policy" "main" {
+  domain_name = "${aws_elasticsearch_domain.example.domain_name}"
+  access_policies = <<POLICIES
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "es:*",
+            "Principal": "*",
+            "Effect": "Allow",
+            "Condition": {
+                "IpAddress": {"aws:SourceIp": "127.0.0.1/32"}
+            },
+            "Resource": "${aws_elasticsearch_domain.example.arn}"
+        }
+    ]
+}
+POLICIES
+}
+`, randInt)
+}

website/source/docs/providers/aws/r/elasticsearch_domain_policy.html.markdown

@@ -0,0 +1,47 @@
+---
+layout: "aws"
+page_title: "AWS: aws_elasticsearch_domain"
+sidebar_current: "docs-aws-resource-elasticsearch-domain"
+description: |-
+  Provides an ElasticSearch Domain.
+---
+
+# aws\_elasticsearch\_domain\_policy
+
+Allows setting policy to an ElasticSearch domain while referencing domain attributes (e.g. ARN)
+
+## Example Usage
+
+```
+resource "aws_elasticsearch_domain" "example" {
+    domain_name = "tf-test"
+    elasticsearch_version = "2.3"
+}
+
+resource "aws_elasticsearch_domain_policy" "main" {
+  domain_name = "${aws_elasticsearch_domain.example.domain_name}"
+  access_policies = <<POLICIES
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "es:*",
+            "Principal": "*",
+            "Effect": "Allow",
+            "Condition": {
+                "IpAddress": {"aws:SourceIp": "127.0.0.1/32"}
+            },
+            "Resource": "${aws_elasticsearch_domain.example.arn}"
+        }
+    ]
+}
+POLICIES
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `domain_name` - (Required) Name of the domain.
+* `access_policies` - (Optional) IAM policy document specifying the access policies for the domain

website/source/layouts/aws.erb

@@ -458,6 +458,10 @@
                             <a href="/docs/providers/aws/r/elasticsearch_domain.html">aws_elasticsearch_domain</a>
                         </li>
 
+                        <li<%= sidebar_current("docs-aws-resource-elasticsearch-domain-policy") %>>
+                            <a href="/docs/providers/aws/r/elasticsearch_domain_policy.html">aws_elasticsearch_domain_policy</a>
+                        </li>
+
                     </ul>
                 </li>