aws_elasticsearch_domain keeps reapplying #5067
Comments
I think the easiest way we can get around this would be introducing a new resource, something like That way you'd be able to create the domain first and reference the ARN from created domain in the It is similar pattern to the one we already use for Longer term I think this will need solving in more wider context, it is also causing similar issues in most IAM policies where user needs to do a lot of self-referencing. See #3267 |
|
👍 unusable right now as-is, it wouldn't be a big deal but elasticsearch takes a good 15-20 minutes to apply these changes haha :D |
|
Moving some comments over from #3539. Hope they're useful. I'm seeing the same issue.... Looking at the output from the terraform apply, the access_policy is updated despite the fact that it is logically equivalent (no update should be required). The order of the elements in the access policy json are different. Also, it looks like the Resource ARN is being automatically injected into the access_policy. That explains why terraform see's the diff and triggers the modify. It would probably work to add the resource arn to the policy in the tf template after the initial creation of the ES domain (can't add it at the initial creation because you don't know what it is until after the resource is created). I can reproduce this on each terraform apply. Here is the output from the terraform apply: [ats_dependencies] access_policies: "{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"","Action":"es:","Resource":"arn:aws:es:us-west-2:763429161784:domain/ats-prod/","Condition":{"IpAddress":{"aws:SourceIp":["52.36.237.75/32","52.32.171.250/32","52.34.208.134/32","50.112.131.3/32","54.201.98.238/32","54.69.54.64/32","52.24.90.172/32"]}}}]}" => "{"Statement":[{"Action":"es:","Condition":{"IpAddress":{"aws:SourceIp":["52.36.237.75/32","52.32.171.250/32","52.34.208.134/32","50.112.131.3/32","54.201.98.238/32","54.69.54.64/32","52.24.90.172/32"]}},"Effect":"Allow","Principal":"*"}],"Version":"2012-10-17"}" |
|
Same issue here:
|
|
Workaround is to put the ARN in the access policy. This can be done as the ARN follows a known convention. i.e. |
|
👍 on introducing a |
|
+1 on introducing |
|
I tried the workaround @gposton suggested, to inline the policy and only use predefined vars, but it seems as if terraform still re-applies the access policy on each |
|
@cahlbin, take a look at the policy diff during terraform plan, and make sure the ordering of the keys in the access policy in the terraform template match what terraform is seeing in AWS. I'm not sure if the ordering is important or not, but I have a hunch that it might be. |
|
My impression from running into this in the past is that the AWS API is returning the JSON document in different equivalent orderings each time, (ie with the keys in a different order). If I run I don't think adding an Instead, I think the resource needs to stop treating the JSON as a meaningless string and applying a change when the AWS API returns a permuted variation of the original, and needs to assume AWS treats equivalent JSON documents equivalently and parse the JSON and compare the resulting data structures for equivalence. |
|
I'm having this problem, too. Here is my code. This is a real bummer. I'm going to have to abandon using the ElasticSearch service and build ElasticSearch servers by hand. This makes me very, very sad at Terraform. I can't have 10 minute (or longer) |
|
@n8gard this is fixable for me by being very careful with the ordering and formatting of This gets me a non-cycling |
|
@briankmc that worked! Would like to understand why but I'm happy to leave it as esoteric weirdness. Thanks! |
|
Even being very careful as @briankmc suggests. If I don't add the ARN it will apply every time. On the other hand I've added it but now run into I have a list with 2 statements. This only happens if I have the ARN on the first one. Essentially It will modify every time if it's only on the second one. This has been a huge headache for me this week. Is #8648 still the PR that should get this done? EDIT: It appears that this had something to do with my use of a rendered template, if instead I just inline the policy it works fine. weird. |
|
Is that your actual code? I believe you need to prefix the var names with "arn:aws:es:${var.region}:${var.account_id}:domain/${var.domain_name}/*" On Thu, Oct 13, 2016 at 1:41 PM, Brian Devins notifications@github.com
|
|
@daveadams Seems my edit wasn't fast enough to make it in the email. This was doing a rendered template. the workaround works once I remove that abstraction. |
|
in addition to the @briankmc workaround, there's a data resource called aws_caller_identity which exposes the data "aws_caller_identity" "current" {}
resource "aws_elasticsearch_domain" "es" {
domain_name = "${var.domain_name}"
...
access_policies = <<CONFIG
{
"Statement": [
{
"Action": "es:*",
"Condition": {
"IpAddress": {
"aws:SourceIp": ["127.0.0.1/32"]
}
},
"Effect": "Allow",
"Principal": "*",
"Resource": "arn:aws:es:ap-southeast-1:${data.aws_caller_identity.current.account_id}:domain/${var.domain_name}/*"
}
],
"Version": "2012-10-17"
}
CONFIG
...
}So, you don't need to provide extra variables to get this done |
|
It appears this is fixed by using data sources. If someone can get me a newer version |
|
The problem is that the resource gets reapplied, unless you specify the |
|
@orlando Ah, I missed that, reopening. |
|
I know the issue has been closed, but we are facing the same issue unfortunately. We are using Data block data "aws_iam_policy_document" "ElasticSearchPolicy" {
statement {
effect = "Allow"
actions = [
"es:ESHttpPost",
"es:ESHttpPut"
]
principals {
identifiers = [
"${var.lambda_fcn_arn}"
]
type = "AWS"
}
resources = [
"${aws_elasticsearch_domain.es.arn}/*"
]
}
statement {
effect = "Allow"
actions = [
"es:*"
]
condition {
test = "IpAddress"
values = [
"${var.list_one}",
"${var.list_two}"
]
variable = "aws:SourceIp"
}
}
}Domain Policy resource "aws_elasticsearch_domain_policy" "eslogextract" {
domain_name = "${aws_elasticsearch_domain.es.domain_name}"
access_policies = "${data.aws_iam_policy_document.ElasticSearchPolicy.json}"
}Every time we run a Terraform apply, it recreates and reapplies the policy to the ElasticSearch domain. This takes at least 10 minutes every time we run a |
|
I think this ticket has been closed prematurely. The issue raised by the OP still occurs. It seems that this ticket was closed because the Hashibot created a corresponding ticket in the terraform-provider-aws section. However, that ticket refers to a different issue: it's concerned with the policy change taking a long time. Moreover, in another comment elsewhere one of the Terraform team refers a user to this ticket for updates regarding the ES policy-recycling issue. Therefore, this ticket should be re-opened if this issue is not fixed and not covered by any other ticket. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Similar to #3634
I am using your JSON format to create the aws_elasticsearch_domain
It successfully creates, but every time I run it it says it is changing
to
(ie adding the 'Resource')
If I add the Resource entry after it it created then it no longer re-applies, but obviously I can't do it for creation as I dont know the ARN, also if I lookup the ARN, I get
Self reference: aws_elasticsearch_domain.logsThis is my first mild snag in ~6 months of using Terraform, it is honestly the best new tech ive used in the last 5y, thanks!
The text was updated successfully, but these errors were encountered: