Search code examples
terraformterraform-provider-azureterragruntterraform-template-file

How to use array as input in terragrunt which accepts only as string in terraform


Describe the bug

we have terraform code for key vault (Azure) in which object Id is string for access policies . but wanted to give as array i.e multiple user id (object id) in single object id.

Steps To Reproduce the issue.

main.tf :

resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"

  dynamic "access_policy" {
    for_each = var.access_policies
    content {
      tenant_id = data.azurerm_client_config.current.tenant_id
      object_id = access_policy.value["object_id"]
      secret_permissions = access_policy.value["secret_permissions"]
      key_permissions = access_policy.value["key_permissions"]
    }
  }
}

variables.tf:

variable "access_policies" {
  type = set(
  object({
    object_id = string,
    secret_permissions = set(string),
    key_permissions = set(string)
    })
  )
}

keyvault > terragrunt.hcl :

    input ={
    access_policies = [

    { object_id = "xyz", secret_permissions = ["Get","Set"], key_permissions = ["Get"] },
    { object_id = "abc", secret_permissions = ["Get"], key_permissions = ["Get"] } ]

above code is working fine

Expecting behavior as below ...

i want to keep object id as array and secret permission and key permission in 1 line ...something like below which is not working even if keep object_id = set(string) in variables.tf

    { object_id = ["xyz","abc"], secret_permissions = ["Get","Set"], key_permissions = ["Get"] },

in fact i wanted to keep this object ids as common in global_var.hcl file so that all environment can use have same object_id rather than local terragrunt file.

===================================================================

i tried with set(string) for object id in varaibles.tf file as below , but still issue exist.

ERROR - object_id must be string

variables.tf:

variable "access_policies" {
  type = set(
    object({
    object_id = set(string),
    secret_permissions = set(string),
    key_permissions = set(string)
    })
  )
}

Solution

  • I have already tried that , it shows "ERROR - object_id must be string " , it is not accepting in array for object_ID.. i have edited that in question body

    To handle multiple object_ids within the constraints of Terraform, you need to use a nested loop approach.

    • Thanks @Marko_E, nested loop involves creating a dynamic block for each access policy and then another dynamic block for each object_id within that policy.

    Terraform Configuration

    variables.tf:

    variable "access_policies" {
      type = list(
        object({
          object_ids         = list(string),
          secret_permissions = list(string),
          key_permissions    = list(string)
        })
      )
    }
    
    

    main.tf:

    resource "azurerm_key_vault" "example" {
      name                        = "examplekeyvault"
      location                    = azurerm_resource_group.example.location
      resource_group_name         = azurerm_resource_group.example.name
      enabled_for_disk_encryption = true
      tenant_id                   = data.azurerm_client_config.current.tenant_id
      soft_delete_retention_days  = 7
      purge_protection_enabled    = false
      sku_name                    = "standard"
    
      dynamic "access_policy" {
        for_each = flatten([for policy in var.access_policies : [
          for object_id in policy.object_ids : {
            object_id          = object_id
            secret_permissions = policy.secret_permissions
            key_permissions    = policy.key_permissions
          }
        ]])
        content {
          tenant_id          = data.azurerm_client_config.current.tenant_id
          object_id          = access_policy.value["object_id"]
          secret_permissions = access_policy.value["secret_permissions"]
          key_permissions    = access_policy.value["key_permissions"]
        }
      }
    }
    

    global_var.hcl:

    access_policies = [
      { object_ids = ["xyz", "abc"], secret_permissions = ["Get", "Set"], key_permissions = ["Get"] }
    ]
    
    • The outer dynamic block iterates each policy in var.access_policies. For each policy, the inner dynamic block iterates each object_id in the policy's object_ids.

    • This nested structure works on each object_id individually within its policy.

    Result:

    enter image description here