terraform-provider-aws: Creating aws_elasticsearch_domain can't be done due to absence of AWSServiceRoleForAmazonElasticsearchService role
Community Note
- Please vote on this issue by adding a π reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave β+1β or βme tooβ comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Terraform v0.11.7
- provider.archive v1.0.3
- provider.aws v1.27.0
- provider.null v1.0.0
- provider.random v1.3.1
Affected Resource(s)
- aws_elasticsearch_domain
Terraform Configuration Files
resource "aws_elasticsearch_domain" "es" {
domain_name = "${substr(random_pet.random_pet_name.id,0,28)}"
elasticsearch_version = "6.2"
# Anyone in
access_policies = "${data.aws_iam_policy_document.es_policy.json}"
cluster_config {
instance_type = "${var.es_instance_size}"
instance_count = "${var.es_instance_count}"
}
ebs_options {
ebs_enabled = true
volume_type = "gp2"
volume_size = "${var.es_eb_disk_size}"
}
vpc_options {
subnet_ids = ["${element(aws_db_subnet_group.elasticsearch_sb.subnet_ids, 0)}"]
security_group_ids = ["${aws_security_group.allow_all.id}"]
}
snapshot_options {
automated_snapshot_start_hour = 23
}
tags {
Name = "${random_pet.random_pet_name.id}"
component = "${var.component}"
description = "${var.es_description}"
}
}
Debug Output
https://gist.github.com/sarunask/69b7e612d92ee992d7a70f506623f35f
Panic Output
No panic
Expected Behavior
ES Cluster created
Actual Behavior
Terraform gave error:
- aws_elasticsearch_domain.es: Error reading IAM Role AWSServiceRoleForAmazonElasticsearchService: NoSuchEntity: The user with name AWSServiceRoleForAmazonElasticsearchService cannot be found. status code: 404, request id: 2fe1c895-89d7-11e8-8212-c38ddc7e67d2
Steps to Reproduce
terraform apply
Important Factoids
In current AWS account there are no previous ElasticSearch clusters.
References
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 51
- Comments: 18 (5 by maintainers)
Commits related to this issue
- Fix issue related to ES Service linked role See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 — committed to dsaidgovsg/terraform-modules by lawliet89 6 years ago
- Fix issue related to ES Service linked role (#160) * Fix issue related to ES Service linked role See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 * Fix repetition — committed to dsaidgovsg/terraform-modules by lawliet89 6 years ago
- Document VPC based ES clusters It's necessary to have already created the elasticsearch.amazonaws.com service linked role before attempting to create a VPC based ES cluster. This can either be done ... — committed to tomelliff/terraform-provider-aws by tomelliff 5 years ago
- Remove ES service linked role creation This is not currently working due to the error message being different than expected ('cannot be found' instead of the expected 'Role not found'). Instead of f... — committed to tomelliff/terraform-provider-aws by tomelliff 5 years ago
You can just add this ressource before creating your domain:
This will create the needed role for ES
Seems that aws_iam_service_linked_role resource fails if the role has already been created outside the current terraform state which makes this hard to couple with the creation of an es cluster.
It may also need to add a dependency on this role from ES domains like
It will prevent issues on destroy:
The error on destroy is raised because the role cannot be destroyed if thereβs one ES domain in the VPC. ES domain must be destroyed before the role.
I had the same issue and I got over it by creating (through the GUI) a test ES domain first, that created the AWSServiceRoleForAmazonElasticsearchService and after that I was able to apply my terraform code successfully. It is kind of the obvious workaround but Iβm commenting this anyway in case someone else got stuck.