Terraform for_each loop aws_auth eks gets overwritten

Time: 04-29

I am creating my very own EKS cluster and had some issues adding roles dynamically via the namespaces declared in locals. I am using terraform-aws-eks-auth tag v1.0.0 to populate my IAM roles into the groups that I have created in Terraform.

I expect that the each.key variable would populate/append the list-of-maps entries of map_roles, but so far it doesn't. The end result in the aws-auth ConfigMap shows that it only contains AdminAccessRole, my_eks_admin_role, dev-kiwi-ingress-nginx_admin_role and dev-kiwi-ingress-nginx_readonly_role. The previous namespaces that were supposed to be dynamically created were overwritten.

Should I even use for_each in such a case? How can I populate aws-auth dynamically by the namespaces used, combined with 2 static entries?

I appreciate any advice or help!

locals {
  namespaces = [
    "${var.env}-devops",
    "${var.env}-devops-ingress-nginx",
    "${var.env}-shared",
    "${var.env}-shared-ingress-nginx",
    "${var.env}-pear",
    "${var.env}-pear-ingress-nginx",
    "${var.env}-apple",
    "${var.env}-apple-ingress-nginx",
    "${var.env}-banana",
    "${var.env}-banana-ingress-nginx",
    "${var.env}-kiwi",
    "${var.env}-kiwi-ingress-nginx"
  ]
}

module "eks_auth" {
  source = "./terraform-modules/terraform-aws-eks-auth-1.0.0"
  eks    = module.eks
  # Additional IAM roles to add to the aws-auth configmap.
  for_each = toset(local.namespaces)
  map_roles = [
    {
      rolearn  = "arn:aws:iam::1234567890:role/AdminAccessRole"
      username = "AdminAccessRole"
      groups   = ["system:masters"]
    },
    {
      rolearn  = "arn:aws:iam::1234567890:role/my-eks-admin-role"
      username = "my_eks_admin_role"
      groups   = ["system:masters"]
    },
    {
      rolearn  = aws_iam_role.eks_namespace_admin_roles[each.key].arn
      username = "${each.key}_admin_role"
      groups   = ["${each.key}:${each.key}_group"]
    },
    {
      rolearn  = aws_iam_role.eks_namespace_readonly_roles[each.key].arn
      username = "${each.key}_readonly_role"
      groups   = ["${each.key}:${each.key}_group"]
    }
  ]

  map_users = [
    {
      userarn  = "arn:aws:iam::1234567890:user/terraform-service-account"
      username = "terraform-service-account"
      groups   = ["system:masters"]
    }
  ]
}

Terraform v1.0.11, AWS provider version "~> 4.9.0"

CodePudding user response:

By adding the for_each at the level shown in the question, Terraform will attempt to create multiple instances of the eks_auth module.

In your case you need to apply the looping in the variable creation. Also, in order not to loop through the static definitions, we use concat to merge the lists, e.g.:

  map_roles = concat(
    # A for expression yields exactly one value per iteration, so emit a
    # two-element list per namespace and flatten the nested result into
    # one flat list of role mappings.
    flatten([
      for value in toset(local.namespaces) : [
        {
          rolearn  = aws_iam_role.eks_namespace_admin_roles[value].arn
          username = "${value}_admin_role"
          groups   = ["${value}:${value}_group"]
        },
        {
          rolearn  = aws_iam_role.eks_namespace_readonly_roles[value].arn
          username = "${value}_readonly_role"
          groups   = ["${value}:${value}_group"]
        }
      ]
    ]),
    # Static entries stay outside the loop.
    [
      {
        rolearn  = "arn:aws:iam::1234567890:role/AdminAccessRole"
        username = "AdminAccessRole"
        groups   = ["system:masters"]
      },
      {
        rolearn  = "arn:aws:iam::1234567890:role/my-eks-admin-role"
        username = "my_eks_admin_role"
        groups   = ["system:masters"]
      }
    ]
  )

CodePudding user response:

With the help from Tolis, this is the answer to the issue.

It was still throwing errors when I tried to FOR loop a couple of map entries, so I split them up and concatenated multiple lists instead.

module "eks_auth" {
  source = "./terraform-modules/terraform-aws-eks-auth-1.0.0"
  eks    = module.eks
  # No for_each on the module: a single instance owns the aws-auth
  # ConfigMap. With for_each, every instance would rewrite the same
  # ConfigMap and the last writer would win.
  # Additional IAM roles to add to the aws-auth configmap.
  map_roles = concat(
    [
      for key in toset(local.namespaces) :
      {
        rolearn  = aws_iam_role.eks_namespace_admin_roles[key].arn
        username = "${key}_admin_role"
        groups   = ["${key}:${key}_group"]
      }
    ],
    [
      for key in toset(local.namespaces) :
      {
        rolearn  = aws_iam_role.eks_namespace_readonly_roles[key].arn
        username = "${key}_readonly_role"
        groups   = ["${key}:${key}_group"]
      }
    ],
    [
      {
        rolearn  = "arn:aws:iam::1234567890:role/AdminAccessRole"
        username = "AdminAccessRole"
        groups   = ["system:masters"]
      },
      {
        rolearn  = "arn:aws:iam::1234567890:role/my-eks-admin-role"
        username = "my_eks_admin_role"
        groups   = ["system:masters"]
      }
    ]
  )
  # Additional IAM users to add to the aws-auth configmap.
  map_users = []
}
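As an added example that is not from the question or either answer: the same map_roles list built with one loop that yields both entries per namespace, feeding a single eks_auth module instance. It assumes the same aws_iam_role.eks_namespace_admin_roles and eks_namespace_readonly_roles resources keyed by namespace; the group names ${ns}:admins and ${ns}:readonly are an assumption, chosen so the readonly role does not share a Kubernetes group with the admin role (the mappings above put both roles in ${key}:${key}_group, so whatever RBAC binds that group applies equally to the readonly role).

```terraform
# Added example, not code from the question or the answers.
# Assumes local.namespaces and the aws_iam_role resources keyed by
# namespace exist as shown in the question.
locals {
  # One iteration per namespace yields a two-element list; flatten
  # collapses the nested lists into one flat list of role mappings.
  namespace_roles = flatten([
    for ns in local.namespaces : [
      {
        rolearn  = aws_iam_role.eks_namespace_admin_roles[ns].arn
        username = "${ns}_admin_role"
        # Assumed group names: separate groups per role so RoleBindings
        # for admin and readonly access can be granted independently.
        groups   = ["${ns}:admins"]
      },
      {
        rolearn  = aws_iam_role.eks_namespace_readonly_roles[ns].arn
        username = "${ns}_readonly_role"
        groups   = ["${ns}:readonly"]
      }
    ]
  ])

  # Cluster-wide static entries kept outside the loop.
  static_roles = [
    {
      rolearn  = "arn:aws:iam::1234567890:role/AdminAccessRole"
      username = "AdminAccessRole"
      groups   = ["system:masters"]
    },
    {
      rolearn  = "arn:aws:iam::1234567890:role/my-eks-admin-role"
      username = "my_eks_admin_role"
      groups   = ["system:masters"]
    }
  ]
}

# Exactly one module instance manages the aws-auth ConfigMap; a for_each
# here would create one instance per namespace, each overwriting it.
module "eks_auth" {
  source    = "./terraform-modules/terraform-aws-eks-auth-1.0.0"
  eks       = module.eks
  map_roles = concat(local.namespace_roles, local.static_roles)
  map_users = []
}
```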