Help with nested for loop

shane · August 24, 2022, 11:40pm

I am attempting to create a kubernetes secret where the data keys/values come from a list of objects from a variable, this is the secret resource I am attemping to create, you can see have attempted a few different ways (there was alot more ways then just listed here that I tried).

resource "kubernetes_secret" "app" {
  count = length({ for c, container in var.containers : c => container if container.env_secrets != null }) > 0 ? 1 : 0
  metadata {
    name      = var.name
    namespace = var.namespace
  }

  data = {
    # for c, s in var.containers : c => merge({ for s in s.env_secrets != null ? s.env_secrets : [] : s.name => s.value })
    # for c in var.containers : c.env_secrets.name => c.env_secrets.value if c.env_secrets != null
    for s in var.containers.env_secrets : s.name => s.value if s != null
  }
}

The variable that I am referencing the var.containers is as follows, you can see that it is a list of objects, and within that list is an optional list of env_secrets, for each env_secret in each container I want to map the key/value to a key/value of a kubernetes secret, I only want one secret in total with ALL secret env keys/values in it.

variable "containers" {
  description = "containers to deploy in the pod"
  type = list(object({
    image_url = string
    image_tag = string
    name      = string

    env = optional(list(object({
      name  = string
      value = any
    })))

    env_secrets = optional(list(object({
      name  = string
      value = any
    })))

    ports = optional(list(object({
      name           = string
      container_port = number
      is_ingress = optional(object({
        domain_name        = string
        tls_cluster_issuer = string
        domain_path        = optional(string)
        enforce_https      = optional(bool)
        proxy_body_size    = optional(string)
      }))
    })))

    resources = optional(object({
      requests = optional(object({
        cpu    = string
        memory = string
      }))
      limits = optional(object({
        cpu    = string
        memory = string
      }))
    }))

    liveness_probe = optional(object({
      http_get = object({
        path = string
        port = number
      })

      initial_delay_seconds = optional(number)
      period_seconds        = optional(number)
      timeout_seconds       = optional(number)
      failure_threshold     = optional(number)
      success_threshold     = optional(number)
    }))

    readiness_probe = optional(object({
      http_get = object({
        path = string
        port = number
      })

      initial_delay_seconds = optional(number)
      period_seconds        = optional(number)
      timeout_seconds       = optional(number)
      failure_threshold     = optional(number)
      success_threshold     = optional(number)
    }))
  }))

  default = null
}

When I do the module now for example I would do the following

module "deployment_test" {
  source    = "../../../modules/goeasycare/terraform-k8s-deployment-template"
  namespace = "default"
  name      = "testing"

  containers = [
    {
      name      = "container-1"
      image_url = "image1"
      image_tag = "latest"

      env_secrets = [
        {
          name  = "THIS_IS_A_SECRET"
          value = "THIS IS SECRET VALUES"
        }
      ]
    },
    {
      name      = "container-2"
      image_url = "image2"
      image_tag = "latest"

      env_secrets = [
        {
          name  = "THIS_IS_A_SECRET_FOR_IMAGE_2"
          value = "THIS IS SECRET VALUES 2"
        }
      ]
    },
    {
      name      = "container-3"
      image_url = "image3"
      image_tag = "latest"
    },
  ]
}

and in the end the secret data would look something like this

data = {
    THIS_IS_A_SECRET = "BASE64OF(THIS IS A SECRET VALUES)"
    THIS_IS_A_SECRET_FOR_IMAGE_2 = "BASE64OF(THIS IS A SECRET VALUES 2)"
}

As for the secret creation itself that part works if any of the containers have an env_secret it will create 1 and only 1 secret I just need to figure out the loop for the data portion itself.

maxb · August 25, 2022, 7:05am

  merge(
    [for c in var.containers :
      { for s in coalesce(c.env_secrets, []) :
        s.name => s.value
      }
    ]...
  )

Although… if you do it this way, and use the same environment variable name in different pods, only one of the values will remain in the secret.

You may wish to consider refactoring to use one secret per container, or prefixing the secret keys with the container name, to avoid this pitfall.

shane · August 25, 2022, 11:17am

If I copy and paste what you put above it’s complaining that there is no attribute value

,

And as for the one secret data for the same var, that’s okay it’s assumed for us anyway that same env in the same pod would use the same reference so only saving one of the 2 env data would work as long as it captures ALL unique key/values.

maxb · August 25, 2022, 11:20am

You added { } around what I wrote

shane · August 25, 2022, 11:46am

ohh yes I thought the data still needed it, thank you that worked like a charm :), I have been banging my head off the wall for a day now trying to figure that out

apiVersion: v1
data:
  THIS_IS_A_SECRET: VEhJUyBJUyBTRUNSRVQgVkFMVUVT
  THIS_IS_A_SECRET_FOR_IMAGE_2: VEhJUyBJUyBTRUNSRVQgVkFMVUVT
kind: Secret
metadata:
  creationTimestamp: "2022-08-25T11:46:11Z"
  name: testing
  namespace: default
  resourceVersion: "370364663"
  uid: 966c4768-de31-445f-be70-f735285fa50e
type: Opaque

shane · August 25, 2022, 11:48am

I have ingress to do now lol don’t suppose you wanna enlighten me there

resource "kubernetes_ingress_v1" "app" {
  depends_on = [kubernetes_service.app]
  for_each   = { for c in var.containers : flatten([ for p in c.ports != null ? c.ports : [] : {} ]) => c }

  metadata {
    name      = var.name
    namespace = var.namespace

    annotations = {
      "kubernetes.io/ingress.class"                 = "nginx"
      "cert-manager.io/cluster-issuer"              = each.value.is_ingress.tls_cluster_issuer
      "nginx.ingress.kubernetes.io/ssl-redirect"    = each.value.is_ingress.enforce_https != null ? each.value.is_ingress.enforce_https : true
      "nginx.ingress.kubernetes.io/proxy-body-size" = each.value.is_ingress.proxy_body_size != null ? each.value.is_ingress.proxy_body_size : "1m"
    }
  }

  spec {
    tls {
      hosts       = [each.value.is_ingress.domain_name]
      secret_name = "${var.name}-${index(var.containers, each.value)}-tls-cert"
    }
    rule {
      host = each.value.is_ingress.domain_name
      http {
        path {
          path = each.value.is_ingress.domain_path != null ? each.value.is_ingress.domain_path : "/"
          backend {
            service {
              name = kubernetes_service.app[0].metadata.0.name
              port {
                name = each.value.name
              }
            }
          }
        }
      }
    }
  }
}

I need to create an ingress for each is_ingress NOT null in the list of ports in the list of containers

shane · August 25, 2022, 6:38pm

Nvm using your knowledge and some fiddling I was able to get ingress to behave as well, thank you for the lesson much appreciated

Topic		Replies	Views
Nested for loop help on list of list of data Terraform	3	246	June 15, 2024
For loop converting list to nested map Terraform	0	585	March 2, 2022
For_each over a set of objects, creating keys from an object property that is a list of strings Terraform	2	2770	June 17, 2023
How to create a Kubernetes secret with multiple KVPs from a variable collection Terraform k8s	5	3623	July 14, 2020
Answered: How should I do this nested loop? Terraform	1	337	February 23, 2023

Help with nested for loop

Related topics