Tags: amazon-web-services, terraform, aws-elasticsearch

AWS Elasticsearch domain is not deleted even if the count variable's value is zero


I am creating an Elasticsearch domain and I am using a count variable with a value of 0 or 1.

My code:

resource "aws_elasticsearch_domain" "es" {
  # Conditional creation: count = 0 on a later apply is expected to destroy the domain
  count                 = "${var.enable_pipeline_1 ? 1 : 0}"
  domain_name           = "${var.name_prefix}"
  elasticsearch_version = "6.8"

  cluster_config {
    instance_type = "t2.small.elasticsearch"
  }

  vpc_options {
    subnet_ids = [
      "${aws_subnet.selected.id}",
    ]

    security_group_ids = ["${aws_security_group.security_group.id}"]
  }

  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
  }

  # Note: Principal "*" with es:* grants every action to any caller that can reach
  # the VPC endpoint; requests do not need to be IAM-signed.
  access_policies = <<CONFIG
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "es:*",
            "Principal": "*",
            "Effect": "Allow",
            "Resource": "arn:aws:es:${var.aws_region}:${var.aws_account_id}:domain/${var.name_prefix}/*"
        }
    ]
}
CONFIG

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  tags = {
    Domain = "ES-${var.name_prefix}"
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "standard"
    volume_size = "${var.elasticserch_disk_size}"
  }

  # Unindexed reference to a counted resource works in Terraform 0.11 only while
  # count is 1; 0.12+ requires an explicit index ([0]).
  log_publishing_options {
    cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.es_log_resource_policy.arn}"
    log_type                 = "INDEX_SLOW_LOGS"
  }

  depends_on = [
    "aws_iam_service_linked_role.es",
  ]
}

resource "aws_cloudwatch_log_group" "es_log_resource_policy" {
  count = "${var.enable_pipeline_1 ? 1 : 0}"
  name  = "${var.name_prefix}_es_log_group"
}

resource "aws_cloudwatch_log_resource_policy" "es_log_resource_policy" {
  count       = "${var.enable_pipeline_1 ? 1 : 0}"
  policy_name = "${var.name_prefix}_es_log_resource_policy"

  policy_document = <<CONFIG
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": [
        "logs:PutLogEvents",
        "logs:PutLogEventsBatch",
        "logs:CreateLogStream"
      ],
      "Resource": "arn:aws:logs:*"
    }
  ]
}
CONFIG
}

resource "aws_iam_service_linked_role" "es" {
  # The role name is fixed by AWS, so only one such role can exist per account
  count            = "${var.enable_pipeline_1 ? 1 : 0}"
  aws_service_name = "es.amazonaws.com"
}

So I have 2 problems now:

1st problem: If I set the count value to zero then the Elasticsearch domain should be deleted if it exists, but it is not being deleted.

2nd problem: So I deleted the domain manually in the AWS console and now I want to create the domain, but the error says:

aws_iam_service_linked_role.es: Error creating service-linked role with name es.amazonaws.com: InvalidInput: Service role name AWSServiceRoleForAmazonElasticsearchService has been taken in this account, please try a different suffix.

I don't understand what is going wrong. Any help, please?

Thank you.


Solution

  • When creating an AWS Elasticsearch domain, AWS will automatically create a Service Role for you. It is needed so that AWS systems can manage domains that are located in VPCs in your account.

    To solve this issue you need to manually delete the Service Role as described in the documentation. You also need to remember that this role can be created only once per AWS account, so if you want to create another domain with this exact code you need to delete the aws_iam_service_linked_role resource, as this role will already exist in the account. This role is also automatically created when you spin up a new domain with the AWS Console.

    We solved this by extracting aws_iam_service_linked_role into a generic config directory that is deployed only once per account.
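The split the answer describes, as an added example in Terraform 0.12+ syntax (this is not code from the question or the answer). The service-linked role lives in an account-level configuration with its own state; the per-pipeline configuration only looks the role up, so `terraform plan` fails early if the account-level apply has not happened, and a pipeline toggled to `count = 0` can be destroyed and re-created without ever trying to create the role again. It also replaces the `Principal "*"` / `es:*` policy with one scoped to a single caller. Assumptions: the file names, the `var.es_client_role_arn` variable, the placeholder account ID in the import command, and the `aws_subnet.selected` / `aws_security_group.security_group` resources, which are taken from the question and assumed to exist.

```hcl
# ---- account/iam.tf : applied once per AWS account, in its own state ----
# The role name AWSServiceRoleForAmazonElasticsearchService is fixed by AWS, so
# only one can exist per account. Keeping it here means per-pipeline configs
# can be created and destroyed freely without trying to re-create it.
resource "aws_iam_service_linked_role" "es" {
  aws_service_name = "es.amazonaws.com"
}

# If the role already exists (auto-created by the console, or left behind when
# a domain was deleted by hand), adopt it into this state instead of re-creating it:
#   terraform import aws_iam_service_linked_role.es \
#     arn:aws:iam::123456789012:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonElasticsearchService
# (123456789012 is a placeholder account ID.)

output "es_service_linked_role_arn" {
  value = aws_iam_service_linked_role.es.arn
}

# ---- pipeline/es.tf : per-pipeline configuration, may be toggled off ----
variable "enable_pipeline_1" { type = bool }
variable "name_prefix" { type = string }
variable "aws_region" { type = string }
variable "aws_account_id" { type = string }
# ARN of the IAM role the pipeline uses to talk to the domain (assumed variable).
variable "es_client_role_arn" { type = string }

# Look the role up rather than creating it: if the account-level config has not
# been applied, plan fails with a clear NoSuchEntity error instead of the domain
# create failing part way through.
data "aws_iam_role" "es_service_linked" {
  name = "AWSServiceRoleForAmazonElasticsearchService"
}

# Resource policy scoped to one caller and to the HTTP data-plane actions only,
# instead of Principal "*" with es:*.
data "aws_iam_policy_document" "es_access" {
  statement {
    effect    = "Allow"
    actions   = ["es:ESHttp*"]
    resources = ["arn:aws:es:${var.aws_region}:${var.aws_account_id}:domain/${var.name_prefix}/*"]

    principals {
      type        = "AWS"
      identifiers = [var.es_client_role_arn]
    }
  }
}

resource "aws_elasticsearch_domain" "es" {
  # count = 0 removes the domain on the next apply; the service-linked role is
  # not part of this configuration, so nothing here tries to create it again.
  count                 = var.enable_pipeline_1 ? 1 : 0
  domain_name           = var.name_prefix
  elasticsearch_version = "6.8"

  cluster_config {
    instance_type = "t2.small.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "gp2"
    volume_size = 10
  }

  # VPC domains are what require the service-linked role in the first place.
  vpc_options {
    subnet_ids         = [aws_subnet.selected.id]
    security_group_ids = [aws_security_group.security_group.id]
  }

  access_policies = data.aws_iam_policy_document.es_access.json

  depends_on = [data.aws_iam_role.es_service_linked]
}

# References to a counted resource must be indexed or splatted; the splat
# yields an empty list (and so an empty string) when the domain is disabled.
output "es_endpoint" {
  value = join("", aws_elasticsearch_domain.es[*].endpoint)
}
```

Apply the account directory first, then each pipeline directory. If the domain was deleted by hand and the account-level state does not know about the role, run the `terraform import` shown in the comment rather than deleting the role, since deleting it while other VPC domains exist in the account breaks their management.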