Terraform, ElasticSearch: Error: InvalidTypeException: Error setting policy

Question

I would like to attach the access policy below to the ElasticSearch:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "${resource_arn}/*"
    }
  ]
}

I added line iam_role_arns = ["*"], but I got error below:

module.elasticsearch.aws_elasticsearch_domain_policy.default[0]: Creating...
Error: InvalidTypeException: Error setting policy:

Here is the code:

module "elasticsearch" {
  source                  = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.24.1"
  security_groups                = [data.terraform_remote_state.vpc.outputs.default_security_group_id]
  vpc_id                         = data.terraform_remote_state.vpc.outputs.vpc_id
  zone_awareness_enabled         = var.zone_awareness_enabled
  subnet_ids                     = slice(data.terraform_remote_state.vpc.outputs.private_subnets, 0, 2)
  elasticsearch_version          = var.elasticsearch_version
  instance_type                  = var.instance_type
  instance_count                 = var.instance_count
  encrypt_at_rest_enabled        = var.encrypt_at_rest_enabled
  dedicated_master_enabled       = var.dedicated_master_enabled
  create_iam_service_linked_role = var.create_iam_service_linked_role
  kibana_subdomain_name          = var.kibana_subdomain_name
  ebs_volume_size                = var.ebs_volume_size
  dns_zone_id                    = var.dns_zone_id
  kibana_hostname_enabled        = var.kibana_hostname_enabled
  domain_hostname_enabled        = var.domain_hostname_enabled
  allowed_cidr_blocks            = ["0.0.0.0/0"]
  iam_role_arns                  = ["*"]
  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
  }
  context = module.this.context
}

Answer 1

you might be doing jasonencode while passing json policy file to module, if yes try passing policy file directly without any encoding. Eg: file("policy.json")

Answer 2

You can't create such an open access policy since your ES domain is in VPC. As explain in terraform-aws-elasticsearch source code comments, open access policy is only for IP range and non-VPC ES domains:

This statement is for non VPC ES to allow anonymous access from whitelisted IP ranges without requests signing

Just for completeness the use of

  allowed_cidr_blocks            = ["0.0.0.0/0"]
  iam_role_arns                  = ["*"]

should not result in policy error. In fact, it should produce the following (I tested on my ES domain):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*",
          "arn:aws:iam::xxxx:role/es-name"
        ]
      },
      "Resource": [
        "arn:aws:es:us-east-1:xxxxx:domain/es-name/*",
        "arn:aws:es:us-east-1:xxxx:domain/es-name"
      ]
    }
  ]
}