rolling back to IAM based policy due to instability with VPC

access_policy.json

+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "es:*",
+        "Condition": {
+            "IpAddress": {
+              "aws:SourceIp": [ "${other_ips}" ]
+            }
+          }
+    },
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "es:*",
+        "Condition": {
+            "IpAddress": {
+              "aws:SourceIp": ${nat_ips}
+            }
+          }
+      }
+    ]
+}
\ No newline at end of file

main.tf

 variable environment {}
 variable name {}
 
+variable nat_gateway_ips {}
+variable access_ips {}
 variable private_dns_zone {}
 variable private_dns_address {}
 variable public_dns_zone {}
 variable public_dns_address {}
-variable vpc_id {}
-variable subnet_ids {type = "list"}
-variable security_groups {type = "list"}
 
-variable elasticsearch_version {default = "5.5"}
+variable elasticsearch_version {default = "1.5"}
 variable automated_snapshot_start_hour {default = "02"}
 
 # EBS options
@@ -20,37 +19,28 @@ variable ebs_volume_size {default = "20"}
 # Cluster config
 # If zone awareness is enabled then an even number of data nodes is required.
 # Dedicated master count should be greater than 1
-# M3 medium minimum instance type for > ES 2.3
-variable instance_type {default = "m3.medium.elasticsearch"}
+variable instance_type {default = "t2.micro.elasticsearch"}
 variable instance_count {default = "2"}
 variable zone_awareness_enabled {default = "true"}
 variable dedicated_master_enabled {default = "true"}
-variable dedicated_master_type {default = "m3.medium.elasticsearch"}
+variable dedicated_master_type {default = "t2.micro.elasticsearch"}
 variable dedicated_master_count {default = "2"}
 
-resource "aws_security_group" "elasticsearch" {
-  name        = "elasticsearch"
-  description = "Allow ingress traffic to the ElasticSearch cluster"
-  vpc_id      = "${var.vpc_id}"
 
-  ingress {
-    from_port       = 80
-    to_port         = 443
-    protocol        = "tcp"
-    security_groups = ["${var.security_groups}"]
+data "template_file" "access_policy" {
+  template = "${file("${path.module}/access_policy.json")}"
+  vars {
+    nat_ips    = "${jsonencode(split(",", var.nat_gateway_ips))}"
+    other_ips = "${var.access_ips}"
   }
 }
 
+
 # Add var for domain name
 resource "aws_elasticsearch_domain" "elasticsearch" {
   domain_name = "es-${var.name}-${var.environment}"
   elasticsearch_version = "${var.elasticsearch_version}"
 
-  vpc_options {
-    security_group_ids = ["${aws_security_group.elasticsearch.id}"]
-    subnet_ids = ["${var.subnet_ids}"]
-  }
-
   ebs_options {
     ebs_enabled = "${var.ebs_enabled}"
     volume_type = "${var.ebs_volume_type}"
@@ -60,6 +50,7 @@ resource "aws_elasticsearch_domain" "elasticsearch" {
   snapshot_options {
     automated_snapshot_start_hour = "${var.automated_snapshot_start_hour}"
   }
+  access_policies = "${data.template_file.access_policy.rendered}"
 
   cluster_config {
     instance_type             = "${var.instance_type}"
@@ -83,6 +74,8 @@ resource "aws_elasticsearch_domain" "elasticsearch" {
   }
 }
 
+
+
 resource "aws_route53_record" "public" {
   zone_id = "${var.public_dns_zone}"
   name = "${var.public_dns_address}"
@@ -91,7 +84,6 @@ resource "aws_route53_record" "public" {
   records = ["${aws_elasticsearch_domain.elasticsearch.endpoint}"]
 }
 
-
 resource "aws_route53_record" "private" {
   zone_id = "${var.private_dns_zone}"
   name = "${var.private_dns_address}"
@@ -100,7 +92,6 @@ resource "aws_route53_record" "private" {
   records = ["${aws_elasticsearch_domain.elasticsearch.endpoint}"]
 }
 
-
 output "endpoint" {
   value = "${aws_elasticsearch_domain.elasticsearch.endpoint}"
 }