Terraform module for GCP secret module - google-cloud-platform

Error: Unsupported block type
│
│ on ..\Terraform_1.0.0_Win_O\config\secret\secret.tf line 6, in module "secret_user_managed_replication":
│ 6: replication {
│
│ Blocks of type "replication" are not expected here.

Related

Error in assigning gcs IAM permissions using nested map in terraform

I'm trying to assign multiple roles to different members using Terraform, but I'm running into an error. This is for assigning IAM permissions in GCP.
I use a combination of nested maps. But the nested map became complex since I'm using two different variables and using them in creating resources.
main.tf looks like this
locals {
  data_access = flatten([
    for bkt_key, bkt_value in var.buckets_data : [
      for user, roles in var.data_access : [
        for role in roles : {
          member = user
          bkt    = bkt_key
          role   = roles
        }
      ]
    ]
  ])
}
resource "google_storage_bucket_iam_member" "buckets_data_access" {
  for_each = { for access in local.data_access : "${access.bkt}_${access.member}" => access... }
  bucket   = google_storage_bucket.tf_buckets_data[each.value.bkt].name
  role     = each.value.role
  member   = each.value.member
}
terraform.tfvars looks like this. Please note I'm using two different variables in the nested map of main.tf.
buckets_data = {
  "landing" = {
    region          = "nane1",
    storage_class   = "COLDLINE",
    versioning      = "false",
    data_tier       = "raw",
    lifecycle_rules = ["retention-2years"],
    external_access = []
  },
  "dftemp" = {
    region        = "nane1",
    storage_class = "STANDARD"
  },
  "curated" = {
    region        = "nane1",
    storage_class = "STANDARD"
  }
}
data_access = {
  "group:GCP-npe#bell.ca" = ["roles/storage.objectViewer", "roles/Browser"]
}
The error I received in my terminal:
$ terraform plan
╷
│ Error: Unsupported attribute
│
│ on main.tf line 29, in resource "google_storage_bucket_iam_member" "buckets_data_access":
│ 29: bucket = google_storage_bucket.tf_buckets_data[each.value.bkt].name
│ ├────────────────
│ │ each.value is tuple with 2 elements
│
│ This value does not have any attributes.
╵
╷
│ Error: Unsupported attribute
│
│ on main.tf line 29, in resource "google_storage_bucket_iam_member" "buckets_data_access":
│ 29: bucket = google_storage_bucket.tf_buckets_data[each.value.bkt].name
│ ├────────────────
│ │ each.value is tuple with 2 elements
│
│ This value does not have any attributes.
╵
╷
│ Error: Unsupported attribute
│
│ on main.tf line 30, in resource "google_storage_bucket_iam_member" "buckets_data_access":
│ 30: role = each.value.role
│ ├────────────────
│ │ each.value is tuple with 2 elements
│
│ This value does not have any attributes.
╵
╷
│ Error: Unsupported attribute
│
│ on main.tf line 30, in resource "google_storage_bucket_iam_member" "buckets_data_access":
│ 30: role = each.value.role
│ ├────────────────
│ │ each.value is tuple with 2 elements
│
│ This value does not have any attributes.
╵
╷
│ Error: Unsupported attribute
│
│ on main.tf line 31, in resource "google_storage_bucket_iam_member" "buckets_data_access":
│ 31: member = each.value.member
│ ├────────────────
│ │ each.value is tuple with 2 elements
│
│ This value does not have any attributes.
╵
╷
│ Error: Unsupported attribute
│
│ on main.tf line 31, in resource "google_storage_bucket_iam_member" "buckets_data_access":
│ 31: member = each.value.member
│ ├────────────────
│ │ each.value is tuple with 2 elements
│
│ This value does not have any attributes.
If my understanding is correct of what you are trying to do, the following flattening is better:
locals {
  data_access = merge(flatten([
    for bkt_key, bkt_value in var.buckets_data : [
      for user, roles in var.data_access : {
        for role in roles :
        "${bkt_key}-${user}-${role}" => {
          member = user
          bkt    = bkt_key
          role   = role
        }
      }
    ]
  ])...) # please do NOT remove the dots
}
then
resource "google_storage_bucket_iam_member" "buckets_data_access" {
  for_each = local.data_access
  bucket   = google_storage_bucket.tf_buckets_data[each.value.bkt].name
  role     = each.value.role
  member   = each.value.member
}
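As an added example (not code from the question or from the answer above), here is the same flattening placed in a complete, self-contained configuration. The two input variables carry validation blocks so that a key that is not an IAM principal, or a role outside an allow-list, is rejected at plan time instead of being bound to every bucket. The bucket name prefix, the allow-listed roles, the object type of `buckets_data` (only the two attributes the example uses) and the bucket resource itself are assumptions for this example.

```hcl
# Added example; the bucket prefix, allow-listed roles and validation rules are
# assumptions for illustration, not part of the original question or answer.

variable "buckets_data" {
  type = map(object({
    region        = string
    storage_class = string
  }))
}

variable "data_access" {
  # principal => list of roles, e.g. { "group:data-readers@example.com" = ["roles/storage.objectViewer"] }
  type = map(list(string))

  # Reject keys that are not IAM principals: a bare e-mail address would fail at apply
  # time anyway, but failing at plan time keeps the error next to the offending tfvars entry.
  validation {
    condition = alltrue([
      for member, roles in var.data_access :
      can(regex("^(user|group|serviceAccount):", member))
    ])
    error_message = "Every key of data_access must start with user:, group: or serviceAccount:."
  }

  # Allow-list the roles that may be granted per bucket (assumed list).
  validation {
    condition = alltrue(flatten([
      for member, roles in var.data_access : [
        for role in roles : contains([
          "roles/storage.objectViewer",
          "roles/storage.objectCreator",
        ], role)
      ]
    ]))
    error_message = "data_access may only grant roles/storage.objectViewer or roles/storage.objectCreator."
  }
}

locals {
  # One object per (bucket, member, role). Each innermost for produces a map keyed by a
  # unique string, the outer lists are flattened, and merge(...) folds them into the
  # single map that for_each consumes. The trailing "..." is the expansion operator.
  data_access = merge(flatten([
    for bkt_key, bkt_value in var.buckets_data : [
      for member, roles in var.data_access : {
        for role in roles :
        "${bkt_key}-${member}-${role}" => {
          member = member
          bkt    = bkt_key
          role   = role
        }
      }
    ]
  ])...)
}

resource "google_storage_bucket" "tf_buckets_data" {
  for_each                    = var.buckets_data
  name                        = "example-${each.key}" # assumed prefix; bucket names are global
  location                    = each.value.region
  storage_class               = each.value.storage_class
  uniform_bucket_level_access = true # bucket-level IAM only, no per-object ACLs
}

resource "google_storage_bucket_iam_member" "buckets_data_access" {
  for_each = local.data_access
  bucket   = google_storage_bucket.tf_buckets_data[each.value.bkt].name
  role     = each.value.role
  member   = each.value.member
}
```

Because every binding has its own stable key (`bucket-member-role`), adding or removing one role for one principal changes exactly one `google_storage_bucket_iam_member` instance in the plan, which keeps IAM diffs reviewable.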

Getting error while generating keyring using terraform on Google KMS

I'm attempting to use Terraform to create a keyring on GCP, but it appears that the permissions are missing.
│ Error: Error creating KeyRing: googleapi: Error 403: Permission 'cloudkms.keyRings.create' denied on resource 'projects/cs-project-366414/locations/us-west2/keyRings/keyring1' (or it may not exist).
│
│ with google_kms_key_ring.Terra,
│ on main.tf line 28, in resource "google_kms_key_ring" "Terra":
│ 28: resource "google_kms_key_ring" "Terra" {
│
╵
╷
│ Error: Error creating CryptoKey: googleapi: Error 403: Permission 'cloudkms.cryptoKeys.create' denied on resource 'projects/cs-project-366414/locations/us-west2/keyRings/keyring1/cryptoKeys/bqkey-3' (or it may not exist).
│
│ with google_kms_crypto_key.gcp_key,
│ on main.tf line 43, in resource "google_kms_crypto_key" "gcp_key":
│ 43: resource "google_kms_crypto_key" "gcp_key" { # Create a Key on GCP Keyring.
Expected:
Keyring on GCP
Key in GCP

I'm getting an error on Terraform while deploying module "apigwmethodintegration_token"

│ Error: Invalid template interpolation value
│
│ on main.tf line 390, in module "apigwmethodintegration_token":
│ 390: "token" = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${var.region}:${data.aws_caller_identity.current.account_id}:function:${module.lambda_token.lambdafunction_name}/invocations"
│ ├────────────────
│ │ module.lambda_token.lambdafunction_name is tuple with 1 element
│
│ Cannot include the given value in a string template: string required.
╵
╷
│ Error: Invalid template interpolation value
│
│ on main.tf line 391, in module "apigwmethodintegration_token":
│ 391: "change-temp-password" = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${var.region}:${data.aws_caller_identity.current.account_id}:function:${module.lambda_change_temp_password.lambdafunction_name}/invocations"
│ ├────────────────
│ │ module.lambda_change_temp_password.lambdafunction_name is tuple with 1 element
│
│ Cannot include the given value in a string template: string required.
At the offending lines, change:
module.lambda_token.lambdafunction_name to module.lambda_token.lambdafunction_name[0],
and module.lambda_change_temp_password.lambdafunction_name to module.lambda_change_temp_password.lambdafunction_name[0].

IAM Policy to only allow requests coming through ECS

I am looking to implement an IAM policy for the following scenario:
┌──────────────┐
│   Internet   │─ ┐
└──────────────┘  │
       │          │
       ▼          │
┌──────────────┐  │
│     ALB      │  │
└──────────────┘  │
       │          │
┌──────┼───────┐  │
│ ECS  ▼       │  │
│┌────────────┐│  │
││    Task    ││  │
│└────────────┘│  │
│      │       │  │
└──────┼───────┘  │
       │          │
       ▼          │
┌──────────────┐  │
│    API GW    │◀ ┘
└──────────────┘
I want to prevent users from accessing the API gateway directly. I want to create an IAM policy on the API gateway that will only accept requests coming via an ECS task. I was thinking of using the calledVia context key but this only seems to support a small list of services but not ECS.

Terraform - how to access the tuple and extract the invoke_arn and function_name

I have written terraform code which:
Creates IAM Role
Creates lambda functions and attaches the above created role
Dynamo DB table creation
Creates API gateway, resources and adds POST method with lambda integration.
The first 3 steps work well. However, while creating and configuring the API gateway, I am encountering the error below in the resources aws_api_gateway_integration and aws_lambda_permission, where I am trying to attach the lambda function "save_course" to the POST method under the "courses" resource:
│
│ on main.tf line 117, in resource "aws_api_gateway_integration" "apigateway84f0f20":
│ 117: uri = module.awsLambda["save_course.py"].lambda_invoke_urn
│ ├────────────────
│ │ module.awsLambda["save_course.py"].lambda_invoke_urn is tuple with 1 element
│
│ Inappropriate value for attribute "uri": string required.
╵
╷
│ Error: Incorrect attribute value type
│
│ on main.tf line 141, in resource "aws_lambda_permission" "lambda_permission":
│ 141: function_name = module.awsLambda["save_course.py"].function_name
│ ├────────────────
│ │ module.awsLambda["save_course.py"].function_name is tuple with 1 element
│
│ Inappropriate value for attribute "function_name": string required.
I'm not sure how to access the tuple and extract the invoke_arn and function_name. After going through the generated terraform.tfstate file, I have tried different combinations to extract the required value. I'm not sure where I am wrong.
The terraform code along with generated terraform.tfstate file is available at my location:
https://github.com/myanees284/lambda_website
git clone https://github.com/myanees284/lambda_website.git
terraform init
terraform apply -auto-approve
Change your locals from
lambda_invoke_urn=aws_lambda_function.lambda.*.invoke_arn
lambda_name=aws_lambda_function.lambda.*.function_name
to
lambda_invoke_urn=aws_lambda_function.lambda.invoke_arn
lambda_name=aws_lambda_function.lambda.function_name
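The two errors above (the "apigwmethodintegration_token" question and this one) have the same cause: a module output built with a full splat, `resource.*.attr`, is a tuple even when the resource has no `count`, so the caller gets "is tuple with 1 element" wherever a string is required. The following added example (not code from either question, and not the linked repository's code) is a minimal Lambda module plus its caller showing the tuple-shaped output next to the string-shaped one, and how the caller consumes it. The file layout, resource names, the `/courses` POST route and the use of a single module instance (rather than the question's `module.awsLambda["save_course.py"]` keyed by file name) are assumptions.

```hcl
# Added example, not from either question: a minimal Lambda module and its caller,
# showing why a splat output arrives as a tuple and how the caller should consume it.
# File layout, names and the API path (/courses, POST) are assumptions.

# ---- modules/lambda/variables.tf ----
variable "function_name" { type = string }
variable "role_arn"      { type = string }
variable "package_path"  { type = string }

# ---- modules/lambda/main.tf ----
resource "aws_lambda_function" "lambda" {
  function_name = var.function_name
  role          = var.role_arn
  handler       = "index.handler"
  runtime       = "python3.9"
  filename      = var.package_path
}

# A full splat (.*) on a resource without count or for_each still produces a
# one-element tuple; this is the shape the "is tuple with 1 element" errors report.
output "lambda_invoke_urn_as_tuple" {
  value = aws_lambda_function.lambda.*.invoke_arn
}

# Referencing the attribute directly yields a plain string, which is what
# aws_api_gateway_integration.uri and aws_lambda_permission.function_name require.
output "lambda_invoke_urn" {
  value = aws_lambda_function.lambda.invoke_arn
}

output "function_name" {
  value = aws_lambda_function.lambda.function_name
}

# ---- root module main.tf ----
resource "aws_iam_role" "lambda_exec" {
  name = "save-course-exec" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

module "awsLambda" {
  source        = "./modules/lambda"
  function_name = "save_course"
  role_arn      = aws_iam_role.lambda_exec.arn
  package_path  = "${path.module}/build/save_course.zip" # assumed build artifact
}

resource "aws_api_gateway_rest_api" "api" {
  name = "courses-api"
}

resource "aws_api_gateway_resource" "courses" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  path_part   = "courses"
}

resource "aws_api_gateway_method" "post_courses" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.courses.id
  http_method   = "POST"
  authorization = "NONE" # the question does not name an authorizer; use AWS_IAM or Cognito for anything non-public
}

resource "aws_api_gateway_integration" "post_courses" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_resource.courses.id
  http_method             = aws_api_gateway_method.post_courses.http_method
  integration_http_method = "POST"
  type                    = "AWS_PROXY"
  # String output, so no indexing is needed. If the module output must stay a tuple,
  # one(module.awsLambda.lambda_invoke_urn_as_tuple) unwraps it and, unlike [0],
  # fails the plan if more than one element ever appears.
  uri = module.awsLambda.lambda_invoke_urn
}

resource "aws_lambda_permission" "apigw_invoke" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = module.awsLambda.function_name
  principal     = "apigateway.amazonaws.com"
  # Scope the grant to this API's POST /courses route rather than any API Gateway in the account.
  source_arn = "${aws_api_gateway_rest_api.api.execution_arn}/*/POST/courses"
}
```

Indexing with `[0]` as the answer above suggests works, but it silently takes the first element if the module ever grows a second instance; exposing the attribute as a string, or unwrapping with `one()`, turns that case into a plan-time error instead.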