Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Service Linked Role Requred for ElasticSearch Domain Not Created Automatically
See original GitHub issue🐛 Bug Report
What is the problem?
CfnDomain does not create a service linked role automatically. I think this makes is impossible to deploy reliably using only CDK as the role may have been created by a previous domain and can’t be created twice in the same region. The only option seems to be pre-creating the role in the CLI before deploying which is awkward to document and difficult (maybe impossible) to automate.
Reproduction Steps
const vpc = new Vpc(this, "Vpc", {
maxAzs: 3
});
new CfnDomain(scope, 'Search', {
elasticsearchVersion: '6.7',
elasticsearchClusterConfig: {
instanceCount: 2,
zoneAwarenessEnabled: true,
instanceType: 't2.small.elasticsearch',
},
ebsOptions: {
ebsEnabled: true,
volumeSize: 10,
volumeType: 'gp2'
},
vpcOptions: {
securityGroupIds: [
vpc.vpcDefaultSecurityGroup
],
subnetIds: vpc.privateSubnets.map(subnet => subnet.subnetId),
}
});
Verbose Log
$ npm run cdk deploy
...
15/27 | 2:04:49 PM | CREATE_FAILED | AWS::Elasticsearch::Domain | Search Before you can proceed, you must enable a service-linked role to give Amazon ES permissions to access your VPC. (Service: AWSElasticsearch; Status Code: 400; Error Code: ValidationException;)
...
Environment
- CDK CLI Version: 1.4.0 (build 175471f)
- Module Version: @aws-cdk/aws-elasticsearch - 1.4.0
- OS: OSX
- Language: TypeScript
Related to #569 which indicates that these roles should be built automatically.
Issue Analytics
- State:
- Created 4 years ago
- Comments:13 (1 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I think it is under appreciated how difficult a one off job like creating this role is in a fully automated provisioning setup. Especially if there is an arbitrary delay before it seems to work. Our setup requires us to be able to reliably build and deploy to a new region (or entirely new account) quickly. Having a single manual step in an otherwise automated process is a huge foot gun. It’s safer for us to just execute a well written set of instructions instead, validating on each step.
This single issue is completely blocking our migration to CDK. Given that this was closed without resolution a year ago I thought there might be a long term plan to add support for all services in CDK. I guess not? Telling us to build it ourselves is a weird stance to take from a company that makes billions of dollars and for a service we pay for. I’m happy to take a crack at it if AWS is willing to foot the bill for development time or provide my university free service in exchange.
You are right with your point that closing this case is wrong because it doesnt work for a lot of users as it seems. Furthermore doing stuff like this manually contradicts the whole concept of CDK. I can live with manually creating a Client VPN Endpoint but Roles should really work in order to get deploy step running.