
Use list(string) for iam policy document #23

Merged (12 commits), Dec 21, 2021


nitrocode
Member

@nitrocode nitrocode commented Dec 20, 2021

what

  • Use list(string) for iam policy document

why

This module runs into the dreaded for_each error

│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform
│ cannot predict how many instances will be created. To work around this, use the -target argument to
│ first apply only the resources that the for_each depends on.

The way it is triggered is if the var.aws_iam_policy_document supplied contains a JSON document that requires another submodule to be applied.

This was seen in a teleport cluster component which provisioned

  1. teleport-backend submodule which returns DynamoDB and S3 resource arns
  2. Raw policy document json is constructed with the DynamoDB and S3 resource arns
  3. helm-release module takes input of the policy document
    • iam-policy module takes statements from the policy document
    • eks-iam-role module takes input from iam-module and throws an error because (1) isn't applied

This fix was tested locally using a forked module of terraform-aws-helm-release which uses this feature branch.

references

commands

# Use current tests where the iam policy doc is a string
terraform plan -var-file=fixtures.us-east-2.tfvars > stdout.string.plan 2>&1

# Modify test inputs where the iam policy doc is a list(string)
terraform plan -var-file=fixtures.us-east-2.tfvars > stdout.list.plan 2>&1

# no diff between
diff stdout.string.plan stdout.list.plan

@nitrocode nitrocode requested a review from Nuru December 20, 2021 23:44
@nitrocode nitrocode requested review from a team as code owners December 20, 2021 23:44
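The failure mode the PR describes, next to the list(string) shape that avoids it, as an added HCL example (not the module's own code; the variable, resource and module output names are assumed):

```hcl
# Assumed inputs: one JSON policy string (old shape) vs. a list of JSON
# policy strings (new shape). Each string may be rendered from ARNs that
# only exist after apply, e.g. the DynamoDB table and S3 bucket ARNs a
# backend submodule returns.
variable "policy_json"      { type = string }       # old shape
variable "policy_documents" { type = list(string) } # new shape

# BEFORE: the module decodes the string to learn how many statements it
# holds. While the ARNs are unknown, the whole string is unknown, so
# jsondecode() yields an unknown value and for_each has no known key set.
# That is the "cannot predict how many instances will be created" error.
locals {
  statements = jsondecode(var.policy_json).Statement
}

resource "aws_iam_policy" "per_statement" {
  for_each = { for s in local.statements : s.Sid => s } # keys unknown at plan
  name     = "policy-${each.key}"
  policy   = jsonencode({ Version = "2012-10-17", Statement = [each.value] })
}

# AFTER: the caller passes a list(string). The list's length is known at
# plan time even when every element is unknown, so keying by position
# gives a known key set. The policy text shows as "(known after apply)"
# and resolves during the same apply, keeping the dependency on the
# backend module in the graph instead of requiring -target.
resource "aws_iam_policy" "per_document" {
  for_each = { for i, d in var.policy_documents : tostring(i) => d }
  name     = "policy-${each.key}"
  policy   = each.value
}

# When one merged policy is wanted, the list can go straight into the
# data source: it has no for_each and accepts unknown document text.
data "aws_iam_policy_document" "merged" {
  source_policy_documents = var.policy_documents
}
```

The other way teams make plan succeed, widening resources to "*" so the document is known up front, is exactly the over-broad policy this shape lets you avoid.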
@nitrocode
Member Author

/test all

@nitrocode
Member Author

/test all

@nitrocode
Member Author

/test all

@nitrocode
Member Author

/test all
