Service Linked Role Required for ElasticSearch Domain Not Created Automatically
🐛 Bug Report
What is the problem?
CfnDomain
does not create a service linked role automatically. I think this makes it impossible to deploy reliably using only CDK as the role may have been created by a previous domain and can’t be created twice in the same region. The only option seems to be pre-creating the role in the CLI before deploying which is awkward to document and difficult (maybe impossible) to automate.
Reproduction Steps
import { Vpc } from '@aws-cdk/aws-ec2';
import { CfnDomain } from '@aws-cdk/aws-elasticsearch';

// Inside the stack constructor, so `this` is the stack.
const vpc = new Vpc(this, "Vpc", {
  maxAzs: 3
});

// Placing the domain inside a VPC (vpcOptions) is what makes Amazon ES
// require the service-linked role at creation time.
new CfnDomain(this, 'Search', {
  elasticsearchVersion: '6.7',
  elasticsearchClusterConfig: {
    instanceCount: 2,
    zoneAwarenessEnabled: true,
    instanceType: 't2.small.elasticsearch',
  },
  ebsOptions: {
    ebsEnabled: true,
    volumeSize: 10,
    volumeType: 'gp2'
  },
  vpcOptions: {
    securityGroupIds: [
      vpc.vpcDefaultSecurityGroup
    ],
    subnetIds: vpc.privateSubnets.map(subnet => subnet.subnetId),
  }
});
Verbose Log
$ npm run cdk deploy
...
15/27 | 2:04:49 PM | CREATE_FAILED | AWS::Elasticsearch::Domain | Search Before you can proceed, you must enable a service-linked role to give Amazon ES permissions to access your VPC. (Service: AWSElasticsearch; Status Code: 400; Error Code: ValidationException;)
...
Environment
- CDK CLI Version: 1.4.0 (build 175471f)
- Module Version: @aws-cdk/aws-elasticsearch - 1.4.0
- OS: OSX
- Language: TypeScript
Related to #569 which indicates that these roles should be built automatically.
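The pre-deploy step the issue describes, written as an added example that is not part of the issue or of the CDK project: create the service-linked role once per account, treat "it already exists" as success (the role is shared by every domain in the account, so a second creation attempt is expected to fail), and wait until IAM reports the role before running the deploy. It assumes the calling principal may call iam:GetRole and iam:CreateServiceLinkedRole, and uses the service name es.amazonaws.com and role name AWSServiceRoleForAmazonElasticsearchService, which are AWS's documented values for Amazon Elasticsearch Service (Amazon OpenSearch Service uses opensearchservice.amazonaws.com and AWSServiceRoleForAmazonOpenSearchService instead). The "has been taken" substring it matches on is the wording of the IAM error as observed with the AWS CLI and is an assumption; adjust it if your CLI version phrases the error differently.

```shell
#!/bin/sh
# ensure_slr.sh: idempotently create the Amazon ES service-linked role
# before `cdk deploy`. Added example; not code from the issue or from CDK.
# Assumed: the principal running this may call iam:GetRole and
# iam:CreateServiceLinkedRole. Service/role names are the documented
# Amazon ES values; OpenSearch Service uses different ones (see lead-in).

ES_SERVICE_NAME="es.amazonaws.com"
ES_ROLE_NAME="AWSServiceRoleForAmazonElasticsearchService"

# wait_for_role ROLE: IAM is eventually consistent, so poll GetRole until the
# role is visible. SLR_WAIT_ATTEMPTS / SLR_WAIT_SECONDS tune the polling.
wait_for_role() {
    role="$1"
    attempts="${SLR_WAIT_ATTEMPTS:-10}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if aws iam get-role --role-name "$role" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep "${SLR_WAIT_SECONDS:-3}"
    done
    echo "timed out waiting for $role to become visible" >&2
    return 1
}

# ensure_service_linked_role SERVICE ROLE: returns 0 once ROLE exists and is
# visible, 1 on a genuine failure (e.g. AccessDenied). Safe to run on every
# deploy and from several pipelines at once.
ensure_service_linked_role() {
    service="$1"
    role="$2"

    # Fast path: the role was created by an earlier domain or deploy.
    if aws iam get-role --role-name "$role" >/dev/null 2>&1; then
        echo "service-linked role $role already present"
        return 0
    fi

    # Capture stderr only; `|| status=$?` keeps this safe under `set -e`.
    status=0
    err=$(aws iam create-service-linked-role --aws-service-name "$service" 2>&1 >/dev/null) || status=$?

    if [ "$status" -eq 0 ]; then
        echo "created $role"
    elif printf '%s' "$err" | grep -q 'has been taken'; then
        # Assumed IAM wording for "role name already exists": another deploy
        # created it between our GetRole and CreateServiceLinkedRole calls.
        # That is still success for our purposes.
        echo "$role was created concurrently"
    else
        echo "failed to create $role: $err" >&2
        return 1
    fi

    wait_for_role "$role"
}

main() {
    ensure_service_linked_role "$ES_SERVICE_NAME" "$ES_ROLE_NAME" || exit 1
    # Only now is it safe to create the VPC domain.
    npm run cdk deploy
}

# Run main only when executed as ensure_slr.sh, so the functions can also be
# sourced from another script.
case "$0" in
    *ensure_slr.sh) main "$@" ;;
esac
```

Save the script as ensure_slr.sh and run it in place of `npm run cdk deploy`; the deploy step no longer depends on whether a previous domain already created the role. The same role can alternatively be declared in the stack itself with the CloudFormation resource AWS::IAM::ServiceLinkedRole (CDK's iam.CfnServiceLinkedRole, with the domain depending on it), but that resource fails the same way if the role already exists in the account, so the pre-check above is still needed in a pipeline that targets existing accounts.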
Issue Analytics
- Created 4 years ago
- Comments:13 (1 by maintainers)
I think it is underappreciated how difficult a one-off job like creating this role is in a fully automated provisioning setup. Especially if there is an arbitrary delay before it seems to work. Our setup requires us to be able to reliably build and deploy to a new region (or entirely new account) quickly. Having a single manual step in an otherwise automated process is a huge footgun. It’s safer for us to just execute a well-written set of instructions instead, validating on each step.
This single issue is completely blocking our migration to CDK. Given that this was closed without resolution a year ago I thought there might be a long term plan to add support for all services in CDK. I guess not? Telling us to build it ourselves is a weird stance to take from a company that makes billions of dollars and for a service we pay for. I’m happy to take a crack at it if AWS is willing to foot the bill for development time or provide my university free service in exchange.
You are right with your point that closing this case is wrong because it doesn’t work for a lot of users, as it seems. Furthermore, doing stuff like this manually contradicts the whole concept of CDK. I can live with manually creating a Client VPN Endpoint, but roles should really work in order to get the deploy step running.