Allow array notation in "Principal" section of IAM policy #4485

Closed
chiefy opened this issue Jan 2, 2016 · 5 comments

Comments

@chiefy

chiefy commented Jan 2, 2016

Error applying plan:

1 error(s) occurred:

* aws_elasticsearch_domain.es: InvalidTypeException: Error setting policy: [{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXXXX:root",
          "arn:aws:iam::XXXXX:role/iam_for_lambda"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:XXXXX:domain/odd-catalog/*"
    }
  ]
}
]
    status code: 409, request id: [redacted]

If I change it to "AWS": "<some resource>" it works fine.

@radeksimko
Member

Hi @chiefy,
this error is coming from the API. It's not caused by the array, but by the IAM role.

It seems it's not possible to use IAM Roles in the ES access policies:
http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies

[screenshot: the "configure access policies" section of the Elasticsearch Service documentation linked above, taken 2016-01-03]

I also wonder how one would limit access to an IAM role; there are a few (imo valid) use cases:

- SAML-federated user
- EC2 instance profile
- Lambda function (as you mentioned)

I have raised a question to the AWS support and will update this thread with response.
Either way I believe this is not something we can fix in Terraform.

@radeksimko
Member

After experimenting more with the config you provided:

resource "aws_elasticsearch_domain" "es" {
    domain_name = "odd-catalog"

    access_policies = <<CONFIG
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::REDACTED:root",
          "arn:aws:iam::REDACTED:role/iam_for_lambda"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:REDACTED:domain/odd-catalog/*"
    }
  ]
}
CONFIG
}
$ terraform apply
aws_elasticsearch_domain.es: Creating...
  access_policies:  "" => "{\"Statement\":[{\"Action\":\"es:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::REDACTED:root\",\"arn:aws:iam::REDACTED:role/iam_for_lambda\"]},\"Resource\":\"arn:aws:es:us-west-2:REDACTED:domain/odd-catalog/*\"}],\"Version\":\"2012-10-17\"}"
  arn:              "" => "<computed>"
  cluster_config.#: "" => "<computed>"
  domain_id:        "" => "<computed>"
  domain_name:      "" => "odd-catalog"
  ebs_options.#:    "" => "<computed>"
  endpoint:         "" => "<computed>"
aws_elasticsearch_domain.es: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.

State path: terraform.tfstate

It turned out the error is intermittent, which makes me think that IAM roles are allowed after all (although not documented), but AWS returns this error sometimes.

I managed to reproduce the erroneous state and reported the request ID back to Amazon. Also it seems we're not alone experiencing this: boto/boto3#305

@chiefy Can you try re-applying your config now?

@chiefy
Author

chiefy commented Jan 3, 2016

@radeksimko thanks for your help.

So actually what I think is happening is that my aws_iam_role.iam_for_lambda resource is created first by terraform, and then there is a timing issue where the AWS SDK tries to create the ES w/ access policy ARNs that it doesn't believe exist yet. I wonder if adding a pause in between would solve it, but I agree this doesn't really appear to be a terraform issue per se.

If I do a terraform apply right after I get my error, everything works as expected since the API can find the specified IAM role.

@chiefy chiefy closed this as completed Jan 3, 2016
@radeksimko
Member

@chiefy What you are describing is a known IAM issue although I'm not 100% sure that's actually causing the error here.

As long as you reference the IAM role via ${aws_iam_role.iam_for_lambda.arn} instead of hardcoding it, the ordering should be right (Terraform will create the role first and ES domain second) and you shouldn't hit the timing issue. If you do, the linked PR (above) + some PRs that will follow should hopefully address that.
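A corrected form of the configuration from this thread, added here as an example (it is not code from the issue or from the Terraform project): the role ARN is taken from `${aws_iam_role.iam_for_lambda.arn}`, which gives Terraform the role-then-domain ordering described above instead of a hardcoded ARN. The role's assume-role policy and the `aws_caller_identity` data source (available from Terraform 0.7 on) are assumptions.

```hcl
# Added example, not from the issue. The role that the domain policy grants
# access to; its ARN is only known after creation.
resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda"

  # Assumption: the role is used by a Lambda function.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Assumption: current account id looked up instead of being hardcoded.
data "aws_caller_identity" "current" {}

resource "aws_elasticsearch_domain" "es" {
  domain_name = "odd-catalog"

  # Interpolating the role's ARN creates an implicit dependency: Terraform
  # creates aws_iam_role.iam_for_lambda first, then this domain, so the
  # policy never names a role the API has not seen yet.
  access_policies = <<CONFIG
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
          "${aws_iam_role.iam_for_lambda.arn}"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:${data.aws_caller_identity.current.account_id}:domain/odd-catalog/*"
    }
  ]
}
CONFIG
}
```

`terraform plan` shows the domain's `access_policies` as computed until the role exists, which is the dependency edge that removes the ordering problem.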

@ghost

ghost commented Apr 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 29, 2020