From dee80796306964793219d1569d6c546a04b0c006 Mon Sep 17 00:00:00 2001
From: Steve Teuber
Date: Tue, 23 May 2023 11:06:16 +0200
Subject: [PATCH] fix(role_mapping): ensure role mappings exists when using internal_user_database
---
 role_mapping.tf | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/role_mapping.tf b/role_mapping.tf
index 2cd440b..9e310e3 100644
--- a/role_mapping.tf
+++ b/role_mapping.tf
@@ -14,7 +14,7 @@ resource "elasticsearch_opensearch_roles_mapping" "role_mapping" {
 }
 
 resource "elasticsearch_opensearch_roles_mapping" "master_user_arn" {
- for_each = var.master_user_arn == "" ? {} : {
+ for_each = var.advanced_security_options_internal_user_database_enabled ? {} : {
 for key in ["all_access", "security_manager"] :
 key => try(local.role_mappings[key], {})
 }
@@ -27,3 +27,18 @@ resource "elasticsearch_opensearch_roles_mapping" "master_user_arn" {
 
 depends_on = [aws_route53_record.opensearch]
 }
+
+resource "elasticsearch_opensearch_roles_mapping" "master_user_name" {
+ for_each = var.advanced_security_options_internal_user_database_enabled ? {
+ for key in ["all_access", "security_manager"] :
+ key => try(local.role_mappings[key], {})
+ } : {}
+
+ role_name = each.key
+ description = try(each.value.description, "")
+ backend_roles = try(each.value.backend_roles, [])
+ hosts = try(each.value.hosts, [])
+ users = concat(try(each.value.users, []), [var.advanced_security_options_master_user_name])
+
+ depends_on = [aws_route53_record.opensearch]
+}
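Review bot: The rewritten `for_each` on `master_user_arn` no longer checks that `var.master_user_arn` is set, so with the internal user database disabled and an empty ARN the `all_access` and `security_manager` mappings are still created. The resource body lies outside the hunk, so how the ARN is used there is not visible, but if it is appended to `backend_roles`, an empty entry would land in the two most privileged mappings. Keeping the old guard alongside the new one avoids that: `for_each = (var.advanced_security_options_internal_user_database_enabled || var.master_user_arn == "") ? {} : {`.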
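Review bot: In the new `master_user_name` resource, `users` appends `var.advanced_security_options_master_user_name` unconditionally, so an empty or null value (the variable's declaration and default are not in this diff) would be written into the `all_access` and `security_manager` mappings. Wrapping the list drops such entries and also avoids a duplicate when the name is already listed in `local.role_mappings`: `users = distinct(compact(concat(try(each.value.users, []), [var.advanced_security_options_master_user_name])))`. A one-line comment above the resource, e.g. `# Grants the internal master user all_access and security_manager; entries from local.role_mappings for these keys are merged in.`, would make the privilege grant explicit for reviewers.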