aws_elasticsearch_domain apply changes the resource on every execution

[hashibot]

This issue was originally opened by @caquino as hashicorp/terraform#7763. It was migrated here as part of the provider split. The original body of the issue is below.

---

Hi there,

Elasticsearch domain keeps being changed on every terraform run.

Terraform Version

Terraform v0.7.0-dev (a44573140bfcb26399494df71e89c902e540623d+CHANGES)

Affected Resource(s)

• aws_elasticsearch_domain

Terraform Configuration Files

resource "aws_elasticsearch_domain" "main" {
  domain_name = "test"
  advanced_options {
    "rest.action.multi.allow_explicit_index" = true
    "indices.fielddata.cache.size" = 40
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 20
    volume_type = "gp2"
  }

  cluster_config {
    instance_type = "m3.medium.elasticsearch"
    instance_count = 4
    zone_awareness_enabled = true
  }

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  tags {
    Domain      = "test"
  }

  access_policies = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "es:*",
      "Principal": "*",
      "Effect": "Allow",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.168.0.0/24"
          ]
        }
      }
    }
  ]
}
EOF
}

Debug Output

As terraform does not crash does not appear to be relevant, but it can be sent upon request.

Panic Output

No crash.

Expected Behavior

After the first execution the resource should not be modified unless some parameter change is made.

Actual Behavior

terraform apply finishes without any error:
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the terraform show command.

State path: terraform.tfstate

Then if a terraform plan is executed

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.

aws_elasticsearch_domain.main: Refreshing state... (ID: REDACTED)

The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

~ aws_elasticsearch_domain.main
access_policies: "{"Statement":[{"Action":"es:","Condition":{"IpAddress":{"aws:SourceIp":"192.168.0.0/24"}},"Effect":"Allow","Principal":"","Resource":"REDACTED:domain/test/"}],"Version":"2012-10-17"}" => "{"Statement":[{"Action":"es:","Condition":{"IpAddress":{"aws:SourceIp":["192.168.0.0/24"]}},"Effec
t":"Allow","Principal":"*"}],"Version":"2012-10-17"}"
advanced_options.rest.action.multi.allow_explicit_index: "false" => "1"

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply
2. terraform plan or terraform apply

Important Factoids

No interesting facts

[tomelliff]

It looks like you have two issues here.

The first is that AWS adds the resource attribute to point to the ARN of your ES domain which you aren't including in your access policy.

You can solve this by either calculating the ARN yourself. It's of the format arn:aws:es:$region:$account-id:domain/$es-domain-name/* (note the trailing /*, it's important!), potentially using interpolation from elsewhere or you can leave it off the resource and use the aws_elasticsearch_domain_policy resource which allows you to interpolate the ARN of the ES domain more directly. There's further discussion of that approach towards the end of #576.

Your second issue is that your advanced options should be string values. So in your case you should have something like:

  advanced_options {
    "rest.action.multi.allow_explicit_index" = "true"
    "indices.fielddata.cache.size" = "40"
  }

This is discussed further in #51.

[bflad]

Documentation updated via #4942 and will release with version 1.25.0 of the AWS provider, likely middle of next week. If there are further issues here, please open a new issue. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!