Why does terraform need aws_elasticsearch_domain_policy resource #5059

Closed
ghost opened this issue Jul 3, 2018 · 3 comments
Labels
question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/elasticsearch Issues and PRs that pertain to the elasticsearch service.

Comments


ghost commented Jul 3, 2018

This issue was originally opened by @wutianchen as hashicorp/terraform#18376. It was migrated here as a result of the provider split. The original body of the issue is below.


We can define access_policy in resource aws_elasticsearch_domain by supplying a policy document. Why do we need the aws_elasticsearch_domain_policy resource in this case?

Contributor

tomelliff commented Jul 3, 2018

As discussed in the original issue that led to it being created, it allows you to directly interpolate the ARN of the Elasticsearch domain instead of having to build it as is shown in the docs in #4942 (which should be on the website in the next release).

Without providing the ARN of the domain when creating the policy inline, you will get a constant diff, as AWS helpfully adds the ARN to restrict to just that ES domain and then Terraform detects the diff and removes it.

@bflad bflad added question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/elasticsearch Issues and PRs that pertain to the elasticsearch service. labels Jul 3, 2018
Contributor

bflad commented Jul 3, 2018

@tomelliff is correct here. While the additional resource is not strictly required for usage, we have found in many cases when dealing with resource policies (e.g. Elasticsearch Domain policies, S3 Bucket policies, ECR Repository policies) that being able to directly reference the appropriate identifier/ARN of the resource itself (only available after resource creation) makes Terraform configurations easier to implement. Having it separated also allows for separate teams to manage each piece of infrastructure. For example, a security team might manage access to an Elasticsearch Domain while a development team manages the actual cluster.

@bflad bflad closed this as completed Jul 3, 2018
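
The pattern described in the two replies above, as an added example that is not code from the thread participants or the provider docs: the access policy lives in its own `aws_elasticsearch_domain_policy` resource and scopes `Resource` to the domain ARN by interpolation. The domain name, version, instance sizing, and the account ID in the principal are constructed placeholders.

```hcl
# Constructed example: all names, sizes and the account ID are placeholders.
resource "aws_elasticsearch_domain" "example" {
  domain_name           = "example"
  elasticsearch_version = "6.2"

  cluster_config {
    instance_type = "t2.small.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  # No inline access_policies here. An inline policy cannot reference
  # aws_elasticsearch_domain.example.arn (a resource cannot refer to
  # itself), so the ARN would have to be assembled by hand from region,
  # account ID and domain name. Leaving the ARN out of an inline policy
  # is what produces the constant diff described above.
}

# Separate policy resource: the domain ARN is only known after the domain
# exists, and this resource can interpolate it directly.
resource "aws_elasticsearch_domain_policy" "example" {
  domain_name = "${aws_elasticsearch_domain.example.domain_name}"

  access_policies = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "es:ESHttpGet",
      "Resource": "${aws_elasticsearch_domain.example.arn}/*"
    }
  ]
}
POLICY
}
```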
Author

ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 4, 2020