Issue while creating ElasticSearch Domain

Hi,

When I am trying to create an AWS ElasticSearch domain using Terraform, I face this issue. Could anyone help me understand what’s wrong here and how I can resolve it?

My Code:

```hcl
# Create CloudWatch log groups for audit and slow search logs
resource "aws_cloudwatch_log_group" "terraform-elk-slowsearch" {
  name              = "terraform-elk-slowsearch"
  retention_in_days = 14
}

resource "aws_cloudwatch_log_group" "terraform-elk-audit" {
  name              = "terraform-elk-audit"
  retention_in_days = 14
}

# Retrieve the ARN of the Elasticsearch domain after it has been created
data "aws_elasticsearch_domain" "terraform-elk" {
  domain_name = aws_elasticsearch_domain.terraform-elk.domain_name
}

# Creating the Elasticsearch domain
resource "aws_elasticsearch_domain" "terraform-elk" {
  domain_name           = "terraform-elk"
  elasticsearch_version = "7.10"

  access_policies = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = "*"
        Action    = "es:*"
        Resource  = "*"
      },
      {
        Effect = "Allow"
        Principal = {
          Service = "es.amazonaws.com"
        }
        Action   = "logs:*"
        Resource = aws_cloudwatch_log_group.terraform-elk-slowsearch.arn
        Condition = {
          ArnEquals = {
            "aws:SourceArn" = aws_cloudwatch_log_group.terraform-elk-slowsearch.arn
          }
        }
      },
      {
        Effect = "Allow"
        Principal = {
          Service = "es.amazonaws.com"
        }
        Action   = "logs:*"
        Resource = aws_cloudwatch_log_group.terraform-elk-audit.arn
        Condition = {
          ArnEquals = {
            "aws:SourceArn" = aws_cloudwatch_log_group.terraform-elk-audit.arn
          }
        }
      }
    ]
  })

  cluster_config {
    instance_type            = "t3.medium.elasticsearch"
    instance_count           = 1     # Ensure only 1 node
    dedicated_master_enabled = false # Disable dedicated master nodes
    zone_awareness_enabled   = false # Disable zone awareness
  }

  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = true
    master_user_options {
      master_user_name     = "terraform"
      master_user_password = "@!#OpkeyOne$$Prod2024!!"
    }
  }

  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  encrypt_at_rest {
    enabled = true
  }

  node_to_node_encryption {
    enabled = true
  }

  # Audit logs go to the audit log group created above
  log_publishing_options {
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.terraform-elk-audit.arn
    log_type                 = "AUDIT_LOGS"
  }

  # Slow search logs go to the slow-search log group created above
  log_publishing_options {
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.terraform-elk-slowsearch.arn
    log_type                 = "SEARCH_SLOW_LOGS"
  }

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 35
    volume_type = "gp2"
  }

  tags = {
    PID = "P09.11"
  }
}
```

Error:

```text
│ Error: creating Elasticsearch Domain (terraform-elk): ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group terraform-elk-slowsearch does not grant sufficient permissions for Amazon OpenSearch Service to create a log stream. Please check the Resource Access Policy.
│
│   with aws_elasticsearch_domain.terraform-elk,
│   on main.tf line 478, in resource "aws_elasticsearch_domain" "terraform-elk":
│  478: resource "aws_elasticsearch_domain" "terraform-elk" {
```
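The validation error above refers to the CloudWatch Logs *resource policy* of the log group, which is a separate object from the domain's `access_policies`. The domain access policy controls who may call the domain; it cannot grant the `es.amazonaws.com` service permission to write into a log group, so the two `logs:*` statements in the post's `access_policies` have no effect on this check. The grant has to be attached to CloudWatch Logs itself with an `aws_cloudwatch_log_resource_policy`. The following is an added example, not code from the original post; it assumes AWS provider v4 or later (where `aws_cloudwatch_log_group.arn` carries no `:*` suffix, so the suffix is appended here to cover log streams), the `name` attribute of `data.aws_region`, and that the domain lives in the same account and region as the caller.

```hcl
# Added example (not from the original post): the permission OpenSearch Service
# needs to write into the two log groups is a CloudWatch Logs resource policy,
# not a statement inside the domain's own access policy.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {} # ".name" assumed (AWS provider v5 attribute)

locals {
  # ARN of the domain the post creates, built by hand rather than read from the
  # resource, so the policy can exist before the domain and no dependency cycle
  # forms between the two.
  domain_arn = "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/terraform-elk"
}

data "aws_iam_policy_document" "es_log_publishing" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["es.amazonaws.com"]
    }

    # Only what log publishing needs: create a stream and write events to it.
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]

    # Log streams are children of the group, hence ":*" on each group ARN.
    resources = [
      "${aws_cloudwatch_log_group.terraform-elk-slowsearch.arn}:*",
      "${aws_cloudwatch_log_group.terraform-elk-audit.arn}:*",
    ]

    # Confused-deputy guard: only this account's terraform-elk domain may use
    # the grant, so another account's domain cannot write into these groups.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [local.domain_arn]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "terraform-elk-logs" {
  policy_name     = "terraform-elk-log-publishing"
  policy_document = data.aws_iam_policy_document.es_log_publishing.json
}
```

Because the domain never references the resource policy, Terraform cannot order them by itself; add `depends_on = [aws_cloudwatch_log_resource_policy.terraform-elk-logs]` to the `aws_elasticsearch_domain` block so the policy is in place before AWS validates the log groups, and drop the two `logs:*` statements from `access_policies`, which then only need the statement describing who may call the domain. While editing that policy, note that its first statement grants `es:*` on `Resource = "*"` to `Principal = "*"`; scoping `Resource` to the domain ARN and the principal to the IAM roles that actually query the cluster keeps fine-grained access control as the only thing standing between the internet and the domain from becoming a single point of failure.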