Error when removing a role from OpenSearch Domain #308

Open
Abhilash2008 opened this issue Aug 19, 2022 · 5 comments

Abhilash2008 commented Aug 19, 2022

Hello,

Thank you for your provider. We are using it for managing roles & role-mappings in the OpenSearch v1.2 domain.
As part of a test run, we successfully created a set of roles in the domain but are facing a "cycle" error when trying to delete one of them.

Error: Cycle: elasticsearch_opensearch_role.role["write-role2"] (destroy), aws_iam_role.fgac_master_user_role, aws_opensearch_domain.opensearch, provider["registry.terraform.io/phillbaker/elasticsearch"]

Here is our tf-code:

provider "elasticsearch" {
  url                 = "https://${aws_opensearch_domain.opensearch.endpoint}"
  aws_region          = data.aws_region.current.name
  aws_assume_role_arn = aws_iam_role.fgac_master_user_role.arn
  sign_aws_requests   = true
  healthcheck         = false
}

## Creates an internal role in the OpenSearch cluster
resource "elasticsearch_opensearch_role" "role" {
  for_each = var.roles

  role_name           = each.key
  description         = try(each.value.description, "")
  cluster_permissions = try(each.value.cluster_permissions, [])

  dynamic "index_permissions" {
    for_each = try([each.value.index_permissions], [])
    content {
      index_patterns          = try(index_permissions.value.index_patterns, [])
      allowed_actions         = try(index_permissions.value.allowed_actions, [])
      document_level_security = try(index_permissions.value.document_level_security, "")
    }
  }

  dynamic "tenant_permissions" {
    for_each = try([each.value.tenant_permissions], [])
    content {
      tenant_patterns = try(tenant_permissions.value.tenant_patterns, [])
      allowed_actions = try(tenant_permissions.value.allowed_actions, [])
    }
  }

  depends_on = [elasticsearch_opensearch_roles_mapping.master_user_arn]
}

resource "elasticsearch_opensearch_roles_mapping" "master_user_arn" {
  for_each = {
    for key, value in var.role_mappings :
    key => value if contains(["all_access", "security_manager"], key)
  }

  role_name     = each.key
  description   = try(each.value.description, "")
  backend_roles = concat(try(each.value.backend_roles, []), [aws_iam_role.fgac_master_user_role.arn])
  hosts         = try(each.value.hosts, [])
  users         = try(each.value.users, [])

  depends_on = [aws_route53_record.DNS_record_opensearch]
}

The YAML file below is decoded using the yamldecode function and passed as input to the variable roles:

write-role1:
  cluster_permissions:
  - "indices:admin/create"
  - "indices:data/write/bulk"
  index_permissions:
    index_patterns:
    - "*"
    allowed_actions:
    - "write"
    - "create_index"
write-role2:
  cluster_permissions:
  - "indices:admin/create"
  index_permissions:
    index_patterns:
    - "*"
    allowed_actions:
    - "write"

There is no useful info in the Terraform logs, even when setting TF_LOG_PROVIDER=info.

Any help here is appreciated.
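Added example, not code from the issue or the provider: it mirrors how the try() defaults in the elasticsearch_opensearch_role block above normalise each entry of var.roles (one index_permissions block wrapped in a list, empty defaults elsewhere) and then audits the result for wildcard index patterns that carry write actions, so broad grants are caught before apply. The input dict is constructed to match the write-role1/write-role2 YAML; the action-group names in WRITE_ACTIONS are a hypothetical list to adjust for your cluster.

```python
# Constructed input matching the write-role1 / write-role2 YAML from the issue
# (in practice this is the output of yaml.safe_load, i.e. what yamldecode() yields).
ROLES = {
    "write-role1": {
        "cluster_permissions": ["indices:admin/create", "indices:data/write/bulk"],
        "index_permissions": {"index_patterns": ["*"],
                              "allowed_actions": ["write", "create_index"]},
    },
    "write-role2": {
        "cluster_permissions": ["indices:admin/create"],
        "index_permissions": {"index_patterns": ["*"], "allowed_actions": ["write"]},
    },
}

# Hypothetical list of action groups / raw actions that grant write access.
WRITE_ACTIONS = {"write", "create_index", "delete", "manage", "crud", "indices_all"}


def normalize_role(name, spec):
    """Apply the same defaults as the try() expressions in the resource block."""
    idx = spec.get("index_permissions")
    ten = spec.get("tenant_permissions")
    return {
        "role_name": name,
        "description": spec.get("description", ""),
        "cluster_permissions": spec.get("cluster_permissions", []),
        # the config wraps the mapping in a one-element list, so at most one block
        "index_permissions": [] if idx is None else [{
            "index_patterns": idx.get("index_patterns", []),
            "allowed_actions": idx.get("allowed_actions", []),
            "document_level_security": idx.get("document_level_security", ""),
        }],
        "tenant_permissions": [] if ten is None else [{
            "tenant_patterns": ten.get("tenant_patterns", []),
            "allowed_actions": ten.get("allowed_actions", []),
        }],
    }


def audit_roles(roles):
    """Return (role_name, finding) pairs for grants that deserve review."""
    findings = []
    for name, spec in roles.items():
        role = normalize_role(name, spec)
        for perm in role["index_permissions"]:
            broad = any(p in ("*", "_all") for p in perm["index_patterns"])
            writes = WRITE_ACTIONS & set(perm["allowed_actions"])
            raw_writes = [a for a in perm["allowed_actions"] if a.startswith("indices:data/write")]
            if broad and (writes or raw_writes):
                findings.append((name, f"wildcard index pattern with write access: {sorted(writes) + raw_writes}"))
        for cp in role["cluster_permissions"]:
            if cp == "*" or cp.startswith("cluster:admin/"):
                findings.append((name, f"cluster admin permission: {cp}"))
    return findings
```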


dublx commented Sep 20, 2022

+1 - this would be great


barthel commented Sep 21, 2022

Same with ISM policies.

@juanma-cvega

I just had the same error with index templates


iul1an commented Jan 26, 2023

Did you guys try it with the latest Terraform version? The issue reproduces with Terraform v1.2.9 but not with v1.3.7, at least for me with elasticsearch_opensearch_roles_mapping

@juanma-cvega

Yes, I can confirm I don't get the issue with version 1.3.7 of Terraform when trying to delete an index template.
