parameterize access policies json for more flexibility

bmbferreira · bmbferreira · commit f2882f7498e0 · 2024-04-01T00:58:33.000+01:00
diff --git a/elasticsearch_domain.tf b/elasticsearch_domain.tf
@@ -3,9 +3,9 @@
 #
 
 resource "aws_elasticsearch_domain_policy" "default" {
-  count           = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
+  count           = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 || length(var.access_policies) > 0) ? 1 : 0
   domain_name     = module.this.id
-  access_policies = join("", data.aws_iam_policy_document.default[*].json)
+  access_policies = coalesce(var.access_policies, join("", data.aws_iam_policy_document.default[*].json))
 }
 
 resource "aws_elasticsearch_domain" "default" {
diff --git a/variables.tf b/variables.tf
@@ -448,3 +448,12 @@ variable "auto_tune" {
   }
 }
 
+variable "access_policies" {
+  description = "JSON string for the IAM policy document specifying the access policies for the domain."
+  type        = string
+  default     = ""
+  validation {
+    condition     = var.access_policies == "" || try(jsondecode(var.access_policies), null) != null
+    error_message = "The access_policies JSON string is not valid."
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -3,9 +3,9 @@`
`3`	`3`	`#`
`4`	`4`
`5`	`5`	`resource "aws_elasticsearch_domain_policy" "default" {`
`6`		`- count = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 \|\| length(var.iam_role_arns) > 0) ? 1 : 0`
	`6`	`+ count = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 \|\| length(var.iam_role_arns) > 0 \|\| length(var.access_policies) > 0) ? 1 : 0`
`7`	`7`	`domain_name = module.this.id`
`8`		`- access_policies = join("", data.aws_iam_policy_document.default[*].json)`
	`8`	`+ access_policies = coalesce(var.access_policies, join("", data.aws_iam_policy_document.default[*].json))`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`resource "aws_elasticsearch_domain" "default" {`
Original file line number	Diff line number	Diff line change
`@@ -448,3 +448,12 @@ variable "auto_tune" {`
`448`	`448`	`}`
`449`	`449`	`}`
`450`	`450`
	`451`	`+variable "access_policies" {`
	`452`	`+ description = "JSON string for the IAM policy document specifying the access policies for the domain."`
	`453`	`+ type = string`
	`454`	`+ default = ""`
	`455`	`+ validation {`
	`456`	`+ condition = var.access_policies == "" \|\| try(jsondecode(var.access_policies), null) != null`
	`457`	`+ error_message = "The access_policies JSON string is not valid."`
	`458`	`+ }`
	`459`	`+}`