resource/aws_elasticsearch_domain: Add advanced_security_options for enabling fine grained access control

[jon-fearer]

This PR adds support for fine grained access control in elasticsearch domain. Ready for review.

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #12161
Closes #12160
Closes #12054

Release note for CHANGELOG:

resource/aws_elasticsearch_domain: Add advanced_security_options block for fine grained access control

Output from acceptance testing:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSDataElasticsearchDomain'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSDataElasticsearchDomain -timeout 120m
=== RUN   TestAccAWSDataElasticsearchDomain_basic
=== PAUSE TestAccAWSDataElasticsearchDomain_basic
=== RUN   TestAccAWSDataElasticsearchDomain_advanced
=== PAUSE TestAccAWSDataElasticsearchDomain_advanced
=== CONT  TestAccAWSDataElasticsearchDomain_basic
=== CONT  TestAccAWSDataElasticsearchDomain_advanced
--- PASS: TestAccAWSDataElasticsearchDomain_basic (890.71s)
--- PASS: TestAccAWSDataElasticsearchDomain_advanced (1192.15s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	1192.216s

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSElasticSearchDomain_AdvancedSecurityOptions'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSElasticSearchDomain_AdvancedSecurityOptions -timeout 120m
=== RUN   TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_UserDB
=== PAUSE TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_UserDB
=== RUN   TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_IAM
=== PAUSE TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_IAM
=== CONT  TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_UserDB
=== CONT  TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_IAM
--- PASS: TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_IAM (1147.78s)
--- PASS: TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_UserDB (1228.56s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	1228.629s

[anGie44]

Hi @jon-fearer! Thanks so much for your recent changes. I've added some small comments otherwise, this looks great 👍

Output of acceptance tests:

--- PASS: TestAccAWSElasticSearchDomain_duplicate (651.17s)
--- PASS: TestAccAWSElasticSearchDomain_LogPublishingOptions (831.48s)
--- PASS: TestAccAWSElasticSearchDomain_vpc (1074.52s)
--- PASS: TestAccAWSElasticSearchDomain_basic (1098.30s)
--- PASS: TestAccAWSDataElasticsearchDomain_basic (1177.30s)
--- PASS: TestAccAWSElasticSearchDomain_v23 (1375.02s)
--- PASS: TestAccAWSElasticSearchDomain_complex (1384.87s)
--- PASS: TestAccAWSElasticSearchDomain_RequireHTTPS (1487.45s)
--- PASS: TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_IAM (1541.80s)
--- PASS: TestAccAWSDataElasticsearchDomain_advanced (1546.86s)
--- PASS: TestAccAWSElasticSearchDomain_policy (1693.58s)
--- PASS: TestAccAWSElasticSearchDomain_CognitoOptionsCreateAndRemove (1761.71s)
--- PASS: TestAccAWSElasticSearchDomain_encrypt_at_rest_specify_key (994.10s)
--- PASS: TestAccAWSElasticSearchDomain_NodeToNodeEncryption (846.31s)
--- PASS: TestAccAWSElasticSearchDomain_encrypt_at_rest_default_key (1299.51s)
--- PASS: TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_UserDB (2046.35s)
--- PASS: TestAccAWSElasticSearchDomain_tags (1025.26s)
--- PASS: TestAccAWSElasticSearchDomainPolicy_basic (2230.74s)
--- PASS: TestAccAWSElasticSearchDomain_CognitoOptionsUpdate (2333.08s)
--- PASS: TestAccAWSElasticSearchDomain_vpc_update (2338.11s)
--- PASS: TestAccAWSElasticSearchDomain_internetToVpcEndpoint (2408.67s)
--- PASS: TestAccAWSElasticSearchDomain_warm (2979.44s)
--- PASS: TestAccAWSElasticSearchDomain_update (2325.21s)
--- PASS: TestAccAWSElasticSearchDomain_withDedicatedMaster (3573.93s)
--- PASS: TestAccAWSElasticSearchDomain_update_volume_type (2969.69s)
--- PASS: TestAccAWSElasticSearchDomain_update_version (3262.25s)
--- PASS: TestAccAWSElasticSearchDomain_ClusterConfig_ZoneAwarenessConfig (5348.95s)

[jon-fearer]

@anGie44 Ok, we made those changes 👍

[anGie44]

Hi @jon-fearer, thanks for the pushed up changes! i noticed a comment in here, though now removed, in regards to disabling advanced_configuration_options after enabling. I do see though that API does not allow modification of the advanced security options after creation, so let's document this in the website docs for users as well as remove the line in the Update method since the API does not allow for modifications. Would you mind adding a test as well to showcase the enabled=false behavior?

[anGie44]

Looks great, thanks for all your work @jon-fearer @JustinSchuyler! 🚀

Output of acceptance tests:

--- PASS: TestAccAWSElasticSearchDomain_duplicate (463.74s)
--- PASS: TestAccAWSElasticSearchDomain_v23 (712.44s)
--- PASS: TestAccAWSElasticSearchDomain_LogPublishingOptions (787.64s)
--- PASS: TestAccAWSElasticSearchDomain_basic (859.88s)
--- PASS: TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_Disabled (1100.80s)
--- PASS: TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_IAM (1118.13s)
--- PASS: TestAccAWSElasticSearchDomain_complex (1253.35s)
--- PASS: TestAccAWSElasticSearchDomain_policy (887.89s)
--- PASS: TestAccAWSElasticSearchDomain_AdvancedSecurityOptions_UserDB (1392.44s)
--- PASS: TestAccAWSElasticSearchDomain_encrypt_at_rest_default_key (689.71s)
--- PASS: TestAccAWSElasticSearchDomain_vpc (1497.09s)
--- PASS: TestAccAWSElasticSearchDomain_encrypt_at_rest_specify_key (728.75s)
--- PASS: TestAccAWSElasticSearchDomain_NodeToNodeEncryption (948.76s)
--- PASS: TestAccAWSElasticSearchDomain_RequireHTTPS (1818.79s)
--- PASS: TestAccAWSElasticSearchDomain_tags (753.73s)
--- PASS: TestAccAWSElasticSearchDomain_CognitoOptionsUpdate (1886.03s)
--- PASS: TestAccAWSElasticSearchDomain_WithVolumeType_Missing (670.45s)
--- PASS: TestAccAWSDataElasticsearchDomain_advanced (2194.04s)
--- PASS: TestAccAWSDataElasticsearchDomain_basic (2218.43s)
--- PASS: TestAccAWSElasticSearchDomain_internetToVpcEndpoint (2435.42s)
--- PASS: TestAccAWSElasticSearchDomain_vpc_update (2498.53s)
--- PASS: TestAccAWSElasticSearchDomainPolicy_basic (2616.31s)
--- PASS: TestAccAWSElasticSearchDomain_CognitoOptionsCreateAndRemove (2851.52s)
--- PASS: TestAccAWSElasticSearchDomain_update (2367.82s)
--- PASS: TestAccAWSElasticSearchDomain_withDedicatedMaster (3809.66s)
--- PASS: TestAccAWSElasticSearchDomain_warm (3952.93s)
--- PASS: TestAccAWSElasticSearchDomain_update_volume_type (2875.87s)
--- PASS: TestAccAWSElasticSearchDomain_update_version (3354.05s)
--- PASS: TestAccAWSElasticSearchDomain_ClusterConfig_ZoneAwarenessConfig (5541.94s)

[jon-fearer]

Thanks! @anGie44

[JustinSchuyler]

Thank you for all the feedback + help reviewing this PR @anGie44, @DrFaust92, and @vsakati!

[ghost]

This has been released in version 2.69.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!