For configuring/managing aws managed elasticsearch clusters

---

- hosts: localhost
  tasks:
    - name: "Create ElasticSearch cluster"
      ec2_elasticsearch:
        name: "my-cluster"
        elasticsearch_version: "2.3"
        region: "us-west-1"
        instance_type: "m3.medium.elasticsearch"
        instance_count: 2
        dedicated_master: True
        zone_awareness: True
        dedicated_master_instance_type: "t2.micro.elasticsearch"
        dedicated_master_instance_count: 2
        ebs: True
        volume_type: "standard"
        volume_size: 10
        vpc_subnets: "subnet-e537d64a"
        vpc_security_groups: "sg-dd2f13cb"
        snapshot_hour: 13
        access_policies: "{{ lookup('file', 'cluster_policies.json') | from_json }}"
        profile: "myawsaccount"
      register: response

Non VPC clusters give endpoints at DomainStatus.Endpoint, however VPC clusters return it at DomainStatus.Endpoints.vpc

AWS currently provides no way to create the correct service role for a vpc limited elasticsearch cluster. To get the correct role configured in your account, create a test cluster in your vpc using the aws console. You can delete it afterwards. If you don't have this, the module will fail with this error:

Before you can proceed, you must enable a service-linked role to give Amazon ES permissions to access your VPC.

Access Policies may trigger continual updates if the format in cluster_policies.json differs from the AWS returned value. To debug this, you can use the cli to get the policy back so you can compare or replace the contents of your cluster_policies.json file.

aws es describe-elasticsearch-domain --domain-name my-cluster --query DomainStatus.AccessPolicies --output text