
IAM Policy cannot be created due to InvalidTypeException #57

Open
3h4x opened this issue Jun 17, 2020 · 6 comments
Labels
bug 🐛 An issue with the system

Comments

@3h4x

3h4x commented Jun 17, 2020

Describe the Bug

ES was created without iam_role_arns. After adding it and applying, it failed with:

module.elasticsearch.aws_iam_role.elasticsearch_user[0]: Creating...
module.elasticsearch.aws_iam_role.elasticsearch_user[0]: Creation complete after 1s [id=xxx-user]
module.elasticsearch.data.aws_iam_policy_document.default[0]: Refreshing state...
module.elasticsearch.aws_elasticsearch_domain_policy.default[0]: Creating...

Error: InvalidTypeException: Error setting policy: [{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "es:List*",
        "es:ESHttpPut",
        "es:ESHttpPost",
        "es:ESHttpHead",
        "es:ESHttpGet",
        "es:Describe*"
      ],
      "Resource": [
        "arn:aws:es:us-east-2:xxx:domain/xxx/*",
        "arn:aws:es:us-east-2:xxx:domain/xxx"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxx:role/xxx-user",
          "arn:aws:iam::xxx:role/xxx"
        ]
      }
    }
  ]
}]

  on .terraform/modules/elasticsearch/main.tf line 227, in resource "aws_elasticsearch_domain_policy" "default":
 227: resource "aws_elasticsearch_domain_policy" "default" {

This is because IAM did not yet have the unique identifier available. Every ARN entity is converted to a unique identifier for security reasons.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids

Expected Behavior

It should simply apply changes. Second apply works fine.

Steps to Reproduce

  1. Create cluster without iam_role_arns
  2. Add iam_role_arns

It might be hard to reproduce due to a lot of factors.
@ByJacob

ByJacob commented Aug 13, 2020

Have the same issue. When I try to add this policy manually via the AWS Management Console I get this error:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies

@timcosta

timcosta commented Jun 18, 2021

I'm seeing this failure pretty consistently when the role is created and the domain policy is created at the same time. If I re-apply after the role has been created, the domain policy can be created successfully.

relevant module config:

  iam_role_arns = ["*"]
  iam_authorizing_role_arns = [
    for id in local.allowed_account_ids :
    "arn:aws:iam::${id}:root"
  ]
  iam_actions = ["es:*"]

error on first apply:

│ Error: InvalidTypeException: Error setting policy: [{
│   "Version": "2012-10-17",
│   "Statement": [
│     {
│       "Sid": "",
│       "Effect": "Allow",
│       "Action": "es:*",
│       "Resource": [
│         "arn:aws:es:eu-west-1:ME:domain/prod-eu-1/*",
│         "arn:aws:es:eu-west-1:ME:domain/prod-eu-1"
│       ],
│       "Principal": {
│         "AWS": [
│           "arn:aws:iam::MEN:role/prod-eu-1-user",
│           "*"
│         ]
│       }
│     }
│   ]
│ }]

@mmorejon

I have the same problem. Any idea?

@xposix

xposix commented Oct 4, 2021

I'm having the same issue too :(

@nitrocode
Member

Maybe the role has to be created first and then the domain policy. Perhaps an explicit depends_on may solve this issue.
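A standalone Terraform configuration, added here as an example and not code from the module or from any commenter, showing the ordering discussed above: the role is created first and the domain policy is attached only after an explicit wait for IAM propagation, using the `hashicorp/time` provider's `time_sleep` resource. Resource names are assumptions, and the variables `region` and `domain_name` are assumed to be declared elsewhere.

```hcl
# Added example, not the module's code. Resource names and variables are assumptions.
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    time = { source = "hashicorp/time" }
  }
}

data "aws_caller_identity" "current" {}

resource "aws_iam_role" "es_user" {
  name = "example-es-user"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
    }]
  })
}

# IAM is eventually consistent: a role created moments ago may not yet resolve to its
# unique id when the service validates the principal, which surfaces as the
# InvalidTypeException on the first apply. Wait before attaching the domain policy.
resource "time_sleep" "iam_propagation" {
  depends_on      = [aws_iam_role.es_user]
  create_duration = "30s"
}

data "aws_iam_policy_document" "domain" {
  statement {
    effect  = "Allow"
    actions = ["es:ESHttpGet", "es:ESHttpPut", "es:ESHttpPost", "es:ESHttpHead"]
    resources = [
      "arn:aws:es:${var.region}:${data.aws_caller_identity.current.account_id}:domain/${var.domain_name}",
      "arn:aws:es:${var.region}:${data.aws_caller_identity.current.account_id}:domain/${var.domain_name}/*",
    ]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.es_user.arn]
    }
  }
}

resource "aws_elasticsearch_domain_policy" "default" {
  domain_name     = var.domain_name
  access_policies = data.aws_iam_policy_document.domain.json
  depends_on      = [time_sleep.iam_propagation]
}
```

The resource policy here only grants the single role, so the principal list is the least-privilege counterpart of the `"*"` principal shown in the earlier config.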

@Warns

Warns commented Feb 20, 2023

The error still seems to be there; this was working though, so I'm trying to figure out what has changed.

│ Error: InvalidTypeException: Error setting policy: [{"Version":"2012-10-17"}]
│
│   with module.central_logs_opensearch.aws_elasticsearch_domain_policy.default[0],
│   on modules/aws-elasticsearch/main.tf line 287, in resource "aws_elasticsearch_domain_policy" "default":
│  287: resource "aws_elasticsearch_domain_policy" "default" {
│
