[WIP] r/aws_elasticsearchdomain: add support for cognito_options #5346
Changes from 7 commits
74c0713
b4c214a
75ae8b4
64b95d7
745a3d4
2ccd6a7
7e2a584
a6f4c9a
dabbda5
4a2fa63
40161c2
e76d848
d7c407e
d997bc1
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -229,6 +229,33 @@ func resourceAwsElasticSearchDomain() *schema.Resource { | |
Default: "1.5", | ||
ForceNew: true, | ||
}, | ||
"cognito_options": { | ||
Type: schema.TypeList, | ||
Optional: true, | ||
ForceNew: false, | ||
MaxItems: 1, | ||
Elem: &schema.Resource{ | ||
Schema: map[string]*schema.Schema{ | ||
"enabled": { | ||
Type: schema.TypeBool, | ||
Optional: true, | ||
Default: true, | ||
}, | ||
"user_pool_id": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
}, | ||
"identity_pool_id": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
}, | ||
"role_arn": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
}, | ||
}, | ||
}, | ||
}, | ||
|
||
"tags": tagsSchema(), | ||
}, | ||
|
@@ -384,6 +411,21 @@ func resourceAwsElasticSearchDomainCreate(d *schema.ResourceData, meta interface | |
} | ||
} | ||
|
||
if v, ok := d.GetOk("cognito_options"); ok { | ||
|
||
options := v.([]interface{}) | ||
if len(options) > 1 { | ||
return fmt.Errorf("Only a single cognito_options block is expected") | ||
} else if len(options) == 1 { | ||
if options[0] == nil { | ||
return fmt.Errorf("At least one field is expected inside cognito_options") | ||
} | ||
|
||
s := options[0].(map[string]interface{}) | ||
input.CognitoOptions = expandESCognitoOptions(s) | ||
} | ||
} | ||
|
||
log.Printf("[DEBUG] Creating ElasticSearch domain: %s", input) | ||
|
||
// IAM Roles can take some time to propagate if set in AccessPolicies and created in the same terraform | ||
|
@@ -402,6 +444,9 @@ func resourceAwsElasticSearchDomainCreate(d *schema.ResourceData, meta interface | |
if isAWSErr(err, "ValidationException", "Domain is still being deleted") { | ||
return resource.RetryableError(err) | ||
} | ||
if isAWSErr(err, "ValidationException", "Amazon Elasticsearch must be allowed to use the passed role") { | ||
❤️ |
||
return resource.RetryableError(err) | ||
} | ||
|
||
return resource.NonRetryableError(err) | ||
} | ||
|
@@ -504,6 +549,10 @@ func resourceAwsElasticSearchDomainRead(d *schema.ResourceData, meta interface{} | |
if err != nil { | ||
return err | ||
} | ||
err = d.Set("cognito_options", flattenESCognitoOptions(ds.CognitoOptions)) | ||
if err != nil { | ||
return err | ||
} | ||
if ds.SnapshotOptions != nil { | ||
d.Set("snapshot_options", map[string]interface{}{ | ||
"automated_snapshot_start_hour": *ds.SnapshotOptions.AutomatedSnapshotStartHour, | ||
|
@@ -634,6 +683,12 @@ func resourceAwsElasticSearchDomainUpdate(d *schema.ResourceData, meta interface | |
input.VPCOptions = expandESVPCOptions(s) | ||
} | ||
|
||
if d.HasChange("cognito_options") { | ||
options := d.Get("cognito_options").([]interface{}) | ||
s := options[0].(map[string]interface{}) | ||
This line looks like it can cause a panic if if d.HasChange("cognito_options") {
// default to disabling (change as necessary! this could also be handled in expandESCognitoOptions)
input.CognitoOptions = &elasticsearch.CognitoOptions{
Enabled: aws.Bool(false),
}
// only enable if provided
if v, ok := d.GetOk("cognito_options"); ok && len(v.([]interface{})) > 0 {
m := v.([]interface{})[0].(map[string]interface{})
input.CognitoOptions = expandESCognitoOptions(m)
}
} I'd recommend adding a second TestStep to the acceptance test that covers trying to remove the |
||
input.CognitoOptions = expandESCognitoOptions(s) | ||
} | ||
|
||
if d.HasChange("log_publishing_options") { | ||
input.LogPublishingOptions = make(map[string]*elasticsearch.LogPublishingOption) | ||
options := d.Get("log_publishing_options").(*schema.Set).List() | ||
|
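Review bot: The Read hunk calls `flattenESCognitoOptions(ds.CognitoOptions)` without a nil check, although the `SnapshotOptions` handling right below it is guarded, and `flattenESCognitoOptions` in the structure file dereferences `c.Enabled` immediately. If the domain status carries no CognitoOptions, the provider would panic during refresh; whether the API always populates the field is not visible here, so a guard is the safer choice. Either add `if c == nil { return []map[string]interface{}{} }` at the top of `flattenESCognitoOptions`, or wrap the `d.Set` call in `if ds.CognitoOptions != nil {`. The body of the Read function continues outside the hunk.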
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1088,6 +1088,51 @@ func flattenESClusterConfig(c *elasticsearch.ElasticsearchClusterConfig) []map[s | |
return []map[string]interface{}{m} | ||
} | ||
|
||
func expandESCognitoOptions(m map[string]interface{}) *elasticsearch.CognitoOptions { | ||
It seems like its possible to simply some of the resource logic by accepting the e.g. if v, ok := d.GetOk("cognito_options"); ok {
input.CognitoOptions = expandESCognitoOptions(v.([]interface{}))
} |
||
options := elasticsearch.CognitoOptions{} | ||
|
||
if cognitoEnabled, ok := m["enabled"]; ok { | ||
options.Enabled = aws.Bool(cognitoEnabled.(bool)) | ||
|
||
if cognitoEnabled.(bool) { | ||
|
||
if v, ok := m["user_pool_id"]; ok && v.(string) != "" { | ||
options.UserPoolId = aws.String(v.(string)) | ||
} | ||
if v, ok := m["identity_pool_id"]; ok && v.(string) != "" { | ||
options.IdentityPoolId = aws.String(v.(string)) | ||
} | ||
if v, ok := m["role_arn"]; ok && v.(string) != "" { | ||
options.RoleArn = aws.String(v.(string)) | ||
} | ||
} | ||
} | ||
|
||
return &options | ||
} | ||
|
||
func flattenESCognitoOptions(c *elasticsearch.CognitoOptions) []map[string]interface{} { | ||
m := map[string]interface{}{} | ||
|
||
if c.Enabled != nil { | ||
m["enabled"] = *c.Enabled | ||
} | ||
|
||
if aws.BoolValue(c.Enabled) { | ||
if c.UserPoolId != nil { | ||
Nitpick: We can remove the m["identity_pool_id"] = aws.StringValue(c.IdentityPoolId)
m["user_pool_id"] = aws.StringValue(c.UserPoolId)
m["role_arn"] = aws.StringValue(c.RoleArn) |
||
m["user_pool_id"] = *c.UserPoolId | ||
} | ||
if c.IdentityPoolId != nil { | ||
m["identity_pool_id"] = *c.IdentityPoolId | ||
} | ||
if c.RoleArn != nil { | ||
m["role_arn"] = *c.RoleArn | ||
} | ||
} | ||
|
||
return []map[string]interface{}{m} | ||
} | ||
|
||
func flattenESEBSOptions(o *elasticsearch.EBSOptions) []map[string]interface{} { | ||
m := map[string]interface{}{} | ||
|
||
|
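Review bot: With `enabled = false` the three Cognito identifiers never reach state, which looks like it yields a non-empty plan on every run. `flattenESCognitoOptions` sets `user_pool_id`, `identity_pool_id` and `role_arn` only inside `if aws.BoolValue(c.Enabled)`, and `expandESCognitoOptions` sends them only when `enabled` is true, yet the schema marks all three as `Required`. Either write the three values to state whenever the API returns them, regardless of `Enabled`, or make them `Optional` in the schema and document that they are needed only while Cognito authentication is enabled. An acceptance test step with `enabled = false` would confirm that the plan is empty after apply.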
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -120,6 +120,14 @@ Security Groups and Subnets referenced in these attributes must all be within th | |
* `cloudwatch_log_group_arn` - (Required) ARN of the Cloudwatch log group to which log needs to be published. | ||
* `enabled` - (Optional, Default: true) Specifies whether given log publishing option is enabled or not. | ||
|
||
**cognito_options** supports the following attribute: | ||
|
||
AWS documentation: [Amazon Cognito Authentication for Kibana](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html) | ||
|
||
This is missing the
🤦♂️ |
||
* `user_pool_id` - (Required) ID of the Cognito User Pool to use | ||
* `identity_pool_id` - (Required) ID of the Cognito Identity Pool to use | ||
* `role_arn` - (Required) ARN of the IAM role that has the AmazonESCognitoAccess policy attached | ||
|
||
## Attributes Reference | ||
|
||
In addition to all arguments above, the following attributes are exported: | ||
|
Nitpick: This error checking is already performed by the attribute schema so it can be removed 👍
`MaxItems: 1` handles `len(options) > 1`
`Required: true` on nested arguments handles `options[0] == nil`
I'd recommend going with the below to simplify this:
Oh cool! That's much cleaner!