Merged
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -158,6 +158,7 @@ Here are automated tests for the complete example using [bats](https://github.co

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_access_policies"></a> [access\_policies](#input\_access\_policies) | JSON string for the IAM policy document specifying the access policies for the domain. | `string` | `""` | no |
| <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br/>This is for some rare cases where resources want additional configuration of tags<br/>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| <a name="input_advanced_options"></a> [advanced\_options](#input\_advanced\_options) | Key-value string pairs to specify advanced configuration options | `map(string)` | `{}` | no |
| <a name="input_advanced_security_options_anonymous_auth_enabled"></a> [advanced\_security\_options\_anonymous\_auth\_enabled](#input\_advanced\_security\_options\_anonymous\_auth\_enabled) | Whether Anonymous auth is enabled. Enables fine-grained access control on an existing domain | `bool` | `false` | no |
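Review bot: The `access_policies` row does not say how this input interacts with `iam_role_arns` and `iam_authorizing_role_arns`. The `coalesce(var.access_policies, ...)` in elasticsearch_domain.tf means a non-empty value replaces the generated policy entirely, so the description should state that the role ARN inputs are not reflected in the domain policy when `access_policies` is set, and that the supplied document is applied as written.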
4 changes: 2 additions & 2 deletions elasticsearch_domain.tf
Expand Up @@ -3,9 +3,9 @@
#

resource "aws_elasticsearch_domain_policy" "default" {
count = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
count = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 || length(var.access_policies) > 0) ? 1 : 0
domain_name = length(var.elasticsearch_domain_name) > 0 ? var.elasticsearch_domain_name : module.this.id
access_policies = join("", data.aws_iam_policy_document.default[*].json)
access_policies = coalesce(var.access_policies, join("", data.aws_iam_policy_document.default[*].json))
}

resource "aws_elasticsearch_domain" "default" {
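Review bot: On the new `access_policies = coalesce(var.access_policies, join("", ...))` line, a non-empty `var.access_policies` silently wins over the policy built from `iam_role_arns` and `iam_authorizing_role_arns`, so a caller who sets both gets a domain policy that no longer contains the role restrictions they passed in. Consider rejecting the combination (or at least documenting the precedence) so the override is an explicit choice. Separately, `coalesce` raises an error when every argument is null or an empty string; the widened `count` condition avoids that only if `data.aws_iam_policy_document.default` is created whenever one of the role ARN lists is non-empty, which is not visible in this hunk and is worth confirming.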
10 changes: 10 additions & 0 deletions variables.tf
Expand Up @@ -493,3 +493,13 @@ variable "advanced_security_options_anonymous_auth_enabled" {
default = false
description = "Whether Anonymous auth is enabled. Enables fine-grained access control on an existing domain"
}

variable "access_policies" {
description = "JSON string for the IAM policy document specifying the access policies for the domain."
type = string
default = ""
validation {
condition = var.access_policies == "" || try(jsondecode(var.access_policies), null) != null
error_message = "The access_policies JSON string is not valid."
}
}
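Review bot: The `validation` condition only proves that the string parses as JSON, so values such as `"[]"`, `"1"` or `"{}"` pass and the failure surfaces later from the AWS API instead of at plan time. Since the variable is described as an IAM policy document, check the shape as well, for example `can(jsondecode(var.access_policies).Statement)`, and update `error_message` to say that a policy document with a `Statement` element is expected. The description could also note that the document is applied to the domain as given, since nothing here constrains the principals or actions it grants.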