can't use iam user as master_user_arn

[dim-ops]

Description

I don't understand why this code doesn't work:

  advanced_security_options = {
    enabled                        = true
    anonymous_auth_enabled         = false
    internal_user_database_enabled = false

    master_user_options = {
      master_user_arn     = aws_iam_user.opensearch_cluster[each.key].arn
    }
  }

My error:
creating OpenSearch Domain: ValidationException: If you don’t enable the internal user database, you must provide a master user ARN.

If I remove master_user_options block, it's work because my own user it's used

When I modify module

master_user_arn = try(master_user_options.value.master_user_arn, null) == null ? try(master_user_options.value.master_user_arn, data.aws_iam_session_context.current[0].issuer_arn) : null

by

master_user_arn = master_user_options.value.master_user_arn

it works

• ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/ ✅
2. Re-initialize the project root to pull down modules: terraform init ✅
3. Re-attempt your terraform plan or apply and check if the issue still persists ✅

Versions

• Module version [Required]:
  ~> 1.0
• Terraform version:
  ~> 1.0
• Provider version(s):
  ~> 5.0

[moritzzimmer]

We face the same issue. At the moment it's not possible to specify a master_user_arn.

Example configuration:

advanced_security_options = {
    enabled                        = true
    anonymous_auth_enabled         = false
    internal_user_database_enabled = false

    master_user_options = {
      master_user_arn = "arn:aws:iam::1234567890:role/My-Admin-Role"
    }
  }

As a workaround, we need to use the fallback data.aws_iam_session_context.current[0].issuer_arn to have one master user configured at least.

In general: what's the purpose behind using the current IAM source role as a fallback? Maybe it's sufficient to be able to provide a master_user_arn or use null? Still, it seems a change like #20 is needed.

[antonbabenko]

This issue has been resolved in version 1.3.1 🎉

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.