6 votes

I've been stuck on this issue for ages and can't find the solution...

Basically I want to implement the same access policy on my Elasticsearch service, but when I try to re-create this in CloudFormation I receive a circular dependency error. I know what's causing the error: the Fn::GetAtt calls which reference the Elasticsearch DomainArn.

So my question is, how do I go about implementing this statement without having to reference my ELK domain ARN?

Thanks in advance!

Template contains errors.: Circular dependency between resources: [XXXXXX]

"XXXXXX": {
    "Type": "AWS::Elasticsearch::Domain",
    "Properties": {
        "AccessPolicies": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": {
                            "Fn::GetAtt": ["myuser", "Arn"]
                        }
                    },
                    "Action": "es:*",
                    "Resource": {
                        "Fn::GetAtt": ["XXXXXX", "DomainArn"]
                    }
                },
                {
                    "Sid": "",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "*"
                    },
                    "Action": "es:*",
                    "Resource": {
                        "Fn::GetAtt": ["XXXXXX", "DomainArn"]
                    },
                    "Condition": {
                        "IpAddress": {
                            "aws:SourceIp": [
                                "xx.xx.xx.xx",
                                "xx.xx.xx.xx"
                            ]
                        }
                    }
                }
            ]
        },
        "DomainName": "XXXXXX",
        "EBSOptions": {
            "EBSEnabled": "True",
            "VolumeSize": 10,
            "VolumeType": "gp2"
        },
        "ElasticsearchClusterConfig": {
            "InstanceCount": 1,
            "InstanceType": "t2.small.elasticsearch"
        },
        "ElasticsearchVersion": "5.1",
        "SnapshotOptions": {
            "AutomatedSnapshotStartHour": 0
        },
        "Tags": [
            {
                "Key": "name",
                "Value": "XXXXXX"
            }
        ]
    }
},
1
Did you raise this with AWS support? If nothing else they can log it as a "feature request" even though it's essentially a massive bug. CarlR

1 Answer

7 votes

Rather than use Fn::GetAtt to retrieve the domain ARN, use Fn::Sub to construct the ARN using the rules here (scroll down to "Use the following syntax to specify domain resources for Amazon ES").

{ "Fn::Sub":"arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/XXXXXX" }
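The substitution from the answer, worked through as an added example that is not code from the original question or answer: a short Python script that walks a CloudFormation template dict, reports every Fn::GetAtt that points at the resource it sits in (the self-reference CloudFormation reports as a circular dependency), rewrites those on an AWS::Elasticsearch::Domain into the Fn::Sub ARN, and flags any statement that grants to Principal "*" without a Condition. The SAMPLE template is constructed from the question with its placeholder names (XXXXXX, myuser, xx.xx.xx.xx) kept as-is. The generated ARN ends in /*, which is the form AWS's documented domain access policies use so the statement also matches the domain's sub-resources (indices, _search); drop it if only the domain itself is intended. Two caveats the answer implies: DomainName must be a literal string (otherwise CloudFormation generates the name and Fn::Sub has nothing to substitute, so set it, or pass it in as a Parameter and use ${DomainName} in both places), and the second statement in the question is acceptable only because of its IpAddress condition, since Principal "*" with es:* and no Condition opens the domain to anyone.

```python
"""Added example (not code from the original post or answer). Walks a
CloudFormation template dict, finds Fn::GetAtt references that point at the
resource they sit in, and rewrites the Elasticsearch DomainArn case into the
Fn::Sub form from the answer. Names (XXXXXX, myuser) and IPs are placeholders
carried over from the question; SAMPLE is a constructed, trimmed template."""
import copy


def es_domain_arn(name):
    """ARN for an Amazon ES domain built from pseudo parameters. The trailing
    /* is the form AWS's documented access policies use so the statement also
    matches the domain's sub-resources (indices, _search, ...)."""
    return "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/" + name + "/*"


SAMPLE = {  # constructed: the question's template, trimmed to what matters
    "Resources": {
        "myuser": {"Type": "AWS::IAM::User"},
        "XXXXXX": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": "XXXXXX",
                "AccessPolicies": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {"AWS": {"Fn::GetAtt": ["myuser", "Arn"]}},
                            "Action": "es:*",
                            "Resource": {"Fn::GetAtt": ["XXXXXX", "DomainArn"]},
                        },
                        {
                            "Effect": "Allow",
                            "Principal": {"AWS": "*"},
                            "Action": "es:*",
                            "Resource": {"Fn::GetAtt": ["XXXXXX", "DomainArn"]},
                            "Condition": {"IpAddress": {"aws:SourceIp": ["xx.xx.xx.xx"]}},
                        },
                    ],
                },
            },
        },
    }
}


def _dicts(node):
    """Yield every dict nested anywhere inside node (dicts and lists)."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _dicts(value)
    elif isinstance(node, list):
        for value in node:
            yield from _dicts(value)


def self_getatts(template):
    """(logical_id, attribute) for every Fn::GetAtt inside a resource's own
    Properties that targets that same resource: the pattern behind the
    "Circular dependency between resources" error."""
    hits = []
    for logical_id, res in template.get("Resources", {}).items():
        for d in _dicts(res.get("Properties", {})):
            target = d.get("Fn::GetAtt")
            if isinstance(target, list) and len(target) == 2 and target[0] == logical_id:
                hits.append((logical_id, target[1]))
    return hits


def fix_es_domain_self_refs(template):
    """Return a copy of template in which each AWS::Elasticsearch::Domain's
    Fn::GetAtt of its own DomainArn becomes an Fn::Sub of the documented ARN."""
    out = copy.deepcopy(template)
    for logical_id, res in out.get("Resources", {}).items():
        if res.get("Type") != "AWS::Elasticsearch::Domain":
            continue
        name = res.get("Properties", {}).get("DomainName")
        if not isinstance(name, str):
            # Without an explicit DomainName CloudFormation generates one and
            # there is nothing to substitute; set it or pass it as a Parameter.
            raise ValueError(f"{logical_id}: DomainName must be a literal string")
        matches = [d for d in _dicts(res["Properties"])
                   if d.get("Fn::GetAtt") == [logical_id, "DomainArn"]]
        for d in matches:  # collected first so the walk is not mutated mid-flight
            del d["Fn::GetAtt"]
            d["Fn::Sub"] = es_domain_arn(name)
    return out


def open_statements(policy):
    """Indexes of Allow statements granting to Principal "*" with no Condition.
    The IpAddress condition on the question's second statement is the only
    thing keeping es:* on that domain from being reachable by anyone."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if stmt.get("Effect") == "Allow" and aws == "*" and "Condition" not in stmt:
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("self references:", self_getatts(SAMPLE))
    fixed = fix_es_domain_self_refs(SAMPLE)
    print("after fix:", self_getatts(fixed))
    policy = fixed["Resources"]["XXXXXX"]["Properties"]["AccessPolicies"]
    print("open statements:", open_statements(policy))
```

Running it on the constructed template reports the two self-references, none after the rewrite, and no unconditioned wildcard grant; the original dict is left untouched, so the same check can be run before and after on a real template loaded with json.load.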