
I am trying to update an AWS Elasticsearch access policy through a Serverless YAML configuration:

resources:
  Resources:
    ELInstanceName:
      Type: "AWS::Elasticsearch::Domain"
      Properties:
        ElasticsearchVersion: "7.1"
        DomainName: "domain-name"
        ElasticsearchClusterConfig:
          DedicatedMasterEnabled: false
          InstanceCount: "3"
          ZoneAwarenessEnabled: false
          InstanceType: "m4.large.elasticsearch"
        EBSOptions:
          EBSEnabled: true
          Iops: 0
          VolumeSize: 10
          VolumeType: "gp2"
        AccessPolicies:
          Version: "2012-10-17"
          Statement:
            -
              Effect: "Allow"
              Principal:
                AWS:
                  - arn:aws:iam::XXXXXXXXX:user/user1
                  - arn:aws:iam::XXXXXXXXX:user/user2
                  - arn:aws:iam::XXXXXXXXX:role/Cognito_custom_Auth_Role
              Action: "es:*"
              Resource: "*"

On executing the command serverless deploy, the execution either hangs or terminates with the following error:

............
Serverless: Operation failed!
Serverless Error ---------------------------------------

An error occurred - domain-name elasticsearch instance already exists.

Also, sometimes the command executes without error, but there is no change in the ES access policy when checked in the AWS console.

Am I missing any configuration details for updating the resource? What can be done to update the access policy for an ES resource using Serverless?

1 Answer

DomainName:

"If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name."

This would explain your problems if updates to AccessPolicies do require replacement of the domain. According to the docs they don't, but perhaps there is some other change being made to the domain that does?

One workaround is to not hard code the DomainName.

JoBu
  • Thanks for replying. How does the recommended workaround work? If there are multiple Elasticsearch domains, how can I update the access policy of a specific domain without using the domain name, since there isn't a configuration option to specify the ARN, etc.? – Nikhil Shinde May 12 '20 at 12:03
  • How do you want to update the access policy? Using CloudFormation you only use the name of the resource (ELInstanceName is the name of your domain resource in your example). – JoBu May 13 '20 at 08:15
  • The property DomainName is causing the issue. How can I update a specific ES domain without setting DomainName? When DomainName is set, it tries to create a new domain with the same name instead of updating what's already present. – Nikhil Shinde May 14 '20 at 08:08
  • Have you tried removing the property DomainName and then, when you refer to the domain, using the name of the CloudFormation resource instead? In your case "ELInstanceName", as I mentioned in the previous comment. – JoBu May 15 '20 at 09:07
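As an added example (not part of the question, the answer, or the Serverless project), here is the workaround from the answer written out as a complete serverless.yml fragment: the same resources block with DomainName omitted so CloudFormation generates the name itself and a replacement no longer collides with an existing "domain-name" domain; the principals' account id built with Fn::Sub instead of hard-coded; the action list narrowed from es:* to the HTTP actions such principals normally need; and the generated endpoint and ARN exported as stack outputs so other parts of the service refer to the domain through its logical id ELInstanceName rather than a fixed name. The service name, provider runtime, and the narrowed action list are assumptions; long-form intrinsic functions are used because every Serverless Framework version accepts them.

```yaml
service: es-policy-demo        # assumed service name

provider:
  name: aws
  runtime: nodejs12.x          # assumed; any supported runtime works

resources:
  Resources:
    ELInstanceName:
      Type: "AWS::Elasticsearch::Domain"
      Properties:
        # DomainName is intentionally omitted. CloudFormation generates a
        # name, so an update that requires replacement creates a fresh
        # domain instead of failing with "already exists".
        ElasticsearchVersion: "7.1"
        ElasticsearchClusterConfig:
          DedicatedMasterEnabled: false
          InstanceCount: 3
          ZoneAwarenessEnabled: false
          InstanceType: "m4.large.elasticsearch"
        EBSOptions:
          EBSEnabled: true
          VolumeSize: 10
          VolumeType: "gp2"
        AccessPolicies:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                AWS:
                  # Account id comes from the stack, not a hard-coded value.
                  - Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/user1"
                  - Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/user2"
                  - Fn::Sub: "arn:aws:iam::${AWS::AccountId}:role/Cognito_custom_Auth_Role"
              # Assumed narrower action list: data-plane HTTP calls only,
              # rather than es:* which also covers domain configuration.
              Action:
                - "es:ESHttpGet"
                - "es:ESHttpPost"
                - "es:ESHttpPut"
              # A domain access policy is attached to this one domain, so
              # "*" cannot grant access to any other domain in the account.
              Resource: "*"

  Outputs:
    # Consumers read these instead of assuming a domain name.
    ESDomainEndpoint:
      Value:
        Fn::GetAtt: [ELInstanceName, DomainEndpoint]
    ESDomainArn:
      Value:
        Fn::GetAtt: [ELInstanceName, DomainArn]
```

After `serverless deploy`, the generated name can be read from the stack outputs (for example with `serverless info --verbose`), and a later change to AccessPolicies is applied in place because the policy itself never requires replacement. Note that switching from a hard-coded DomainName to a generated one is itself a replacement of the domain, so any data in the existing "domain-name" domain has to be reindexed or snapshot-restored into the new one before the old domain is deleted.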