Terraform for_each use case - amazon-web-services

I am creating a bunch of Route 53 resolver rules in each region and this works great with for_each loop:
resource "aws_route53_resolver_rule" "resolver-rule" {
for_each = var.resolver-rules
domain_name = each.value.domain-name
name = format("core-%s", each.value.domain-label)
rule_type = "FORWARD"
resolver_endpoint_id = aws_route53_resolver_endpoint.outbound-endpoint.id
target_ip {
ip = each.value.forwarder1
}
target_ip {
ip = each.value.forwarder2
}
tags = merge(var.tags, map("Name", format("core-%s-%s-%s", var.team_name, var.environment, each.value.domain-label)))
}
My var looks like this:
variable "resolver-rules" {
description = "A map of parameters needed for each resolver rule"
type = map(object({
domain-name = string
domain-label = string
forwarder1 = string
forwarder2 = string
}))
}
resolver-rules = {
"resolver-rule1" = {
domain-name = "10.in-addr.arpa."
domain-label = "10-in-addr-arpa"
forwarder1 = "10.10.1.100"
forwarder2 = "10.10.2.100"
}
"resolver-rule2" = {
domain-name = "mycompany.com."
domain-label = "mycompany-com"
forwarder1 = "10.10.1.100"
forwarder2 = "10.10.2.100"
}
}
Now I need to associate those rules with resource share (not posting here):
resource "aws_ram_resource_association" "rule-association" {
for_each = var.resolver-rules
resource_arn = aws_route53_resolver_rule.resolver-rule.arn
resource_share_arn = aws_ram_resource_share.rte53-resolver-share.arn
}
Question: how do I modify (enumerate) my resource association part, so that each association would be created for each rule I define (it has to be 1 to 1 association). I just can't wrap my head around it :)

Your aws_route53_resolver_rule.resolver-rule will be a map with keys of resolver-rule1 and resolver-rule2.
Therefore to access its arn in your rule-association you could do the following:
resource "aws_ram_resource_association" "rule-association" {
for_each = var.resolver-rules
resource_arn = aws_route53_resolver_rule.resolver-rule[each.key].arn
resource_share_arn = aws_ram_resource_share.rte53-resolver-share.arn
}
In your question, aws_ram_resource_share.rte53-resolver-share.arn is not shown, thus I don't know if you also require some changes to it or not.

Related

Use attributes in a tfvars file

I have a file fsx.tf with 2 resource blocks and a file prod.tfvars:
My fsx.tf looks like:
resource "aws_fsx_ontap_storage_virtual_machine" "fsx_svm" {
for_each = var.fsx_svm
file_system_id = aws_fsx_ontap_file_system.fsx.id
name = each.value.name
}
resource "aws_fsx_ontap_volume" "fsx_volumes" {
for_each = var.fsx_volumes
name = var.name
storage_virtual_machine_id = each.value.storage_virtual_machine_id
My prod.tfvars looks like:
fsx_svm = {
svm01 = {
name = "svm01-single-az"
}
}
fsx_volumes = {
vol01 = {
name = "FS"
storage_virtual_machine_id = fsx_svm.svm01.id
}
}
I get the following error:
Error: expected length of storage_virtual_machine_id to be in the range (21 - 21), got fsx_svm.svm01.id
OR
Variables not allowed here
How to set the attribute id of resource aws_fsx_ontap_storage_virtual_machine in the variable of fsx_volumes ? My goal is to be able to reuse the resource block for other .tfvars files.
In this case the best way to do this may be resource chaining with for_each [1]. This means instead of having to rely on variables you can just do this:
resource "aws_fsx_ontap_storage_virtual_machine" "fsx_svm" {
for_each = var.fsx_svm
file_system_id = aws_fsx_ontap_file_system.fsx.id
name = each.value.name
}
resource "aws_fsx_ontap_volume" "fsx_volumes" {
for_each = aws_fsx_ontap_storage_virtual_machine.fsx_svm
name = "${each.key}-${var.name}"
storage_virtual_machine_id = each.value.id
}
[1] https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#chaining-for_each-between-resources

Error Using Variable as a Tag in Terraform

I have a question about tags in Terrafrom. I have this variables, and I'd like to use the Transit variable description name as a tag in my main.tf file. How do I go about it?
#VPC CIDRs
variable "All_VPCs" {
type = map(any)
default = {
Dev_VPC = {
ip = "10.0.3.0/24"
instance_tenancy = "default"
}
Transit_VPC = {
ip = "10.0.4.0/23"
instance_tenancy = "default"
description = "Transit_VPC"
}
}
}
I used this, but it didn't work.
resource "aws_internet_gateway" "Transit_Internet_Gateway" {
vpc_id = var.All_VPCs.Transit_VPC
tags = {
Name = "${var.All_VPCs.Transit_VPC.description}" + " Internet_Gateway"
}
You can't concatenate strings in Terraform with a + operator. The correct method of doing this is to use string interpolation (which you are already partially doing):
tags = {
Name = "${var.All_VPCs.Transit_VPC.description} Internet_Gateway"
}

Terraform "ocasional" variable

I have built the following Route 53 module to create a weighted record along with healthcheck:
resource "aws_route53_health_check" "health_check" {
for_each = var.weighted-records
ip_address = each.value.ip_address
fqdn = each.value.fqdn
port = each.value.port
type = each.value.type
resource_path = each.value.resource_path
failure_threshold = each.value.failure_threshold
request_interval = each.value.request_interval
search_string = each.value.search_string
measure_latency = each.value.measure_latency
invert_healthcheck = each.value.invert_healthcheck
tags = {
Name = format("chk-%s", each.value.name)
}
}
resource "aws_route53_record" "weighted_record" {
for_each = var.weighted-records
zone_id = each.value.zone_id
name = each.value.dns_name
type = each.value.dns_type
ttl = each.value.ttl
health_check_id = aws_route53_health_check.health_check[each.key].id
weighted_routing_policy {
weight = each.value.weight
}
set_identifier = each.value.name
records = [each.value.ip_address]
}
In most cases, my Health check IP is the same as the destination IP, so I use the same VAR: each.value.ip_address.
However, in some cases, I need to specify a different IP for a health check.
Is there a way to avoid introducing a new VAR for health check IP and put it in every record I build? I would like to have the VAR specified only if required.
I was hoping to use either "dynamic" or "try" functions.
Usually you specify optimal variables, by creating some default value for them:
variable "new_ip" {
default = ""
}
Then you check if the new_ip was provided or not:
ip_address = var.new_ip != "" ? var.new_ip : each.value.ip_address

Terraform: Iterating list for AWS Certificate validation with Cloudflare DNS

I have a map in a tfvars file that contains, Cloudflare zone id, site address, and zone (domain), I am wanting to iterate through that map, generating an ACM certificate, with a certificate validation DNS record being created in Cloudflare.
My map looks like this;
my_domains = {
example1 = {
cloudflare_zone_id = "00000000000000000000000000001"
address = "dev.example1.com"
domain = "example1.com"
}
example2 = {
cloudflare_zone_id = "0000000000000000000000000000002"
address = "dev.example2.com"
domain = "example2.com"
}
example3 = {
cloudflare_zone_id = "0000000000000000000000000000003"
address = "dev.library.example3.com"
domain = "example3.com"
}
}
I then have the following code for the certificate creation and validation:
resource "aws_acm_certificate" "my_certs" {
for_each = var.my_domains
domain_name = each.value.address
validation_method = "DNS"
subject_alternative_names = [
"*.${each.value.address}"
]
lifecycle {
create_before_destroy = true
}
}
resource "cloudflare_zone" "my_zone" {
for_each = var.my_domains
zone = each.value.domain
type = "full"
}
resource "cloudflare_record" "my_certificate_validation" {
for_each = {
for dvo in aws_acm_certificate.my_certs.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
zone_id = cloudflare_zone.my_zone.id
name = each.value.name
value = trimsuffix(each.value.record, ".")
type = each.value.type
ttl = 1
proxied = false
}
When I run a plan, I get the following errors:
Error: Missing resource instance key
on cfcertvalidation.tf line 23, in resource "cloudflare_record" "my_certificate_validation":
23: for dvo in aws_acm_certificate.my_certs.domain_validation_options : dvo.domain_name => {
Because aws_acm_certificate.my_certs has "for_each" set, its attributes must be
accessed on specific instances.
For example, to correlate with indices of a referring resource, use:
aws_acm_certificate.my_certs[each.key]
Error: Missing resource instance key
on cfcertvalidation.tf line 30, in resource "cloudflare_record" "my_certificate_validation":
30: zone_id = cloudflare_zone.my_zone.id
Because cloudflare_zone.cdt has "for_each" set, its attributes must be
accessed on specific instances.
For example, to correlate with indices of a referring resource, use:
cloudflare_zone.my_zone[each.key]
Note: I added the cloudflare_zone resource rther than using the zone id already in the map as a way to simplify things in troubleshooting.
I am sure the answer is in the suggestion for using a [each.key], but I'm not sure how to implement it.
Any assistance would be greatly appreciated.
I have changed the map somewhat for my solution, so for completeness I have included the changed map here:
variable "my_domains" {
type = map(any)
default = {
example1 = {
cf_zone_id = "0000000000000000000000000000"
address = "example1.com"
zone = "example1.com"
}
example2 = {
cf_zone_id = "0000000000000000000000000000"
address = "example2.com"
zone = "example2.com"
}
example3 = {
cf_zone_id = "0000000000000000000000000000"
address = "library.example3.com"
zone = "example3.com"
}
}
}
What follows is the working solution, we start out by creating a local variable of type list, looping through the my_domains map to get the cert validation records we need. That then gets converted into a map, which is then used by the cloudflare_record resource to create the relevant DNS entries.
resource "aws_acm_certificate" "my_certs" {
for_each = var.my_domains
domain_name = "${var.env_url_prefix}${var.my_domains[each.key] ["address"]}"
validation_method = "DNS"
subject_alternative_names = ["*.${var.env_url_prefix}${var.my_domains[each.key]["address"]}"]
lifecycle {
create_before_destroy = true
}
}
locals {
validation = [
for certs in keys(var.my_domains) : {
for dvo in aws_acm_certificate.my_certs[certs].domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
value = trimsuffix(dvo.resource_record_value, ".")
type = dvo.resource_record_type
zone_id = var.my_domains[certs]["cf_zone_id"] # Get the zone id
}
}
]
# transform the list into a map
validation_map = { for item in local.validation : keys(item)[0] => values(item)[0]
}
}
resource "cloudflare_record" "my_cert_validations" {
for_each = local.validation_map
zone_id = local.validation_map[each.key]["zone_id"]
name = local.validation_map[each.key]["name"]
value = local.validation_map[each.key]["value"]
type = local.validation_map[each.key]["type"]
ttl = 1
proxied = false #important otherwise validation will fail
}

Struggling to automate terraform WAF

I'm trying to terraform WAF ACL and associated rules. The terraform stack I'm working on is identical in DEV, QA , and PROD, differences are all handled using different variables. So my idea is to store a list of CIDRs in a variable, and automatically create ALLOW rules for each. My limited knowledge is slowing me down though. It creates the ipsets perfectly, but the rules and ACL complain,
variable cloud_allowed_cidr_list = {type="list" default=["1.2.3.4/32","4.3.2.1/32"]}
resource "aws_waf_ipset" "ipset" {
count = "${length(var.cloud_allowed_cidr_list)}"
name = "ipset-${count.index}"
ip_set_descriptors {
type = "IPV4"
value = "${element(var.cloud_allowed_cidr_list, count.index)}"
}
}
resource "aws_waf_rule" "matchIPrule" {
count = "${length(var.cloud_allowed_cidr_list)}"
depends_on = ["aws_waf_ipset.ipset"]
name = "matchMancIPrule${count.index}"
metric_name = "matchMancIPrule${count.index}"
predicates {
data_id = "${aws_waf_ipset.ipset.*.id}"
negated = false
type = "IPMatch"
}
}
resource "aws_waf_web_acl" "waf_acl" {
depends_on = ["aws_waf_ipset.ipset", "aws_waf_rule.matchIPrule"]
name = "mancACL${count.index}"
metric_name = "mancACL${count.index}"
default_action {
type = "BLOCK"
}
rules {
action {
type = "ALLOW"
}
priority = "${count.index}"
rule_id = "${aws_waf_rule.matchIPrule.id}"
type = "REGULAR"
}
}
It fell apart when I realised that rules have multiple predicates, and the ACL has multiple rules .....how do you create that dynamically ? If anyone has any examples of doing something similar I'd be very grateful.
Since the release of 0.12 you can now do this using dynamic blocks.
No need to use count to iterate over your array.
resource "aws_waf_ipset" "ipset" {
name = "youripset"
dynamic "ip_set_descriptors" {
iterator = ip
for_each = var.cloud_allowed_cidr_list
content {
type = "IPV4"
value = ip.value
}
}
}