
I'm trying to create an Elasticsearch cluster using Terraform.

Using Terraform 0.11.13

Please can someone point out why I'm not able to create log groups? What is the Resource Access Policy? Is it the same as the data "aws_iam_policy_document" I'm creating?

Note: I'm using elasticsearch_version = "7.9"

code:

resource "aws_cloudwatch_log_group" "search_test_log_group" {
  name = "/aws/aes/domains/test-es7/index-logs"
}

resource "aws_elasticsearch_domain" "amp_search_test_es7" {
  domain_name           = "es7"
  elasticsearch_version = "7.9"

  .....
  log_publishing_options {
    cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.search_test_log_group.arn}"
    log_type                 = "INDEX_SLOW_LOGS"
    enabled                  = true
  }


  access_policies = "${data.aws_iam_policy_document.elasticsearch_policy.json}"
}

data "aws_iam_policy_document" "elasticsearch_policy" {
  version = "2012-10-17"

  statement {
    effect = "Allow"

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }

    actions   = ["es:*"]
    resources = ["arn:aws:es:us-east-1:xxx:domain/test_es7/*"]
  }

  statement {
    effect = "Allow"

    principals {
      identifiers = ["es.amazonaws.com"]
      type        = "Service"
    }

    actions = [
      "logs:PutLogEvents",
      "logs:PutLogEventsBatch",
      "logs:CreateLogStream",
    ]

    resources = ["arn:aws:logs:*"]
  }
}

I'm getting this error:

aws_elasticsearch_domain.test_es7: Error creating ElasticSearch domain: ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group /aws/aes/domains/test-es7/index-logs does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream. Please check the Resource Access Policy.

1 Answer


For ElasticSearch (ES) to be able to write to CloudWatch (CW) Logs, you have to provide a resource-based policy on your CW logs.

This is achieved using aws_cloudwatch_log_resource_policy which is missing from your code.

In fact, TF docs have a ready-to-use example of how to do it for ES, thus you should be able to just copy and paste it.

ES access policies are different from CW log policies, as they determine who can do what on your ES domain. Thus, you would have to adjust that part of your code to meet your requirements.
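The missing resource policy, written here as an added example in Terraform 0.11 syntax (not the answer's or the Terraform docs' own code). It assumes the question's log group resource name `search_test_log_group` and that the account running Terraform owns both the domain and the log group; the `aws:SourceAccount` condition and the narrowed resource ARN are hardening steps beyond what the answer describes.

```hcl
# Account id used to scope the grant to this account (assumption: the
# caller's account owns both the ES domain and the log group).
data "aws_caller_identity" "current" {}

# Resource-based policy for CloudWatch Logs. This is the "Resource Access
# Policy" named in the error; it is separate from the domain's access_policies.
data "aws_iam_policy_document" "es_log_publishing" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["es.amazonaws.com"]
    }

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:PutLogEventsBatch",
    ]

    # Scope to this one log group and its streams instead of "arn:aws:logs:*".
    # Provider versions differ on whether the log group's .arn already ends in
    # ":*", so strip a trailing ":*" if present and append it exactly once.
    resources = [
      "${replace(aws_cloudwatch_log_group.search_test_log_group.arn, "/:\\*$/", "")}:*",
    ]

    # Confused-deputy guard: only domains in this account may use the grant.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["${data.aws_caller_identity.current.account_id}"]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "es_log_publishing" {
  policy_name     = "es-log-publishing-test-es7"
  policy_document = "${data.aws_iam_policy_document.es_log_publishing.json}"
}

# Nothing in the domain resource references this policy, so Terraform cannot
# infer the ordering. Add an explicit dependency to aws_elasticsearch_domain
# so the policy exists before the domain is created:
#
#   depends_on = ["aws_cloudwatch_log_resource_policy.es_log_publishing"]
```

Keep the domain's own `access_policies` as the place that decides who may call the `es:*` API on the domain; the resource policy above only lets the service write to the log group.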
