Hello there!
I am trying to implement nested for loops in order to loop through AWS IAM role names and kubernetes rolebinding names to pass them to the EKS aws-auth configmap.
I’ve got one input variable with a list-of-objects type:

```hcl
variable "namespaces" {
  type = list(object({
    name        = string
    read_users  = list(string)
    write_users = list(string)
  }))
}
```

```hcl
namespaces = [
  {
    name        = "namespace1",
    read_users  = ["John", "Jane"],
    write_users = ["Alice", "Bob"],
  },
  {
    name        = "namespace2",
    read_users  = ["Alice", "Bob"],
    write_users = ["John", "Jane"],
  },
]
```
And I am creating a few resources with for_each:

```hcl
resource "aws_iam_role" "read" {
  for_each = { for i, v in var.namespaces : i => v }

  name = "eks-read-role-${var.namespaces[each.key].name}"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          AWS = var.namespaces[each.key].read_users
        }
      },
    ]
  })

  inline_policy {
    name = "developer_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action   = ["eks:DescribeCluster"]
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }
}

resource "kubernetes_role_binding" "read" {
  for_each = { for i, v in var.namespaces : i => v }

  metadata {
    name      = "read"
    namespace = var.namespaces[each.key].name
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = "read"
  }
  subject {
    kind      = "User"
    name      = "eks-read-user-${var.namespaces[each.key].name}"
    api_group = "rbac.authorization.k8s.io"
    namespace = var.namespaces[each.key].name
  }
}
```
And I’m stuck on merging local variables and iterating over them:

```hcl
locals {
  read_role = {
    for role in aws_iam_role.read : role.name => role.name
  }
  read_users = {
    for name in kubernetes_role_binding.read.subject : name.name => name.name
  }
  write_roles = [
    for role_name, user in local.read_role : {
      rolearn  = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${role_name}"
      username = user
    }
  ]
}
```
And I’m getting this kind of result:

```yaml
- "rolearn": "arn:aws:iam::1111111111:role/eks-read-role-namespace2"
  "username": "eks-read-role-namespace2"
- "rolearn": "arn:aws:iam::1111111111:role/eks-read-role-namespace1"
  "username": "eks-read-role-namespace1"
```
I can’t get the name values for the kubernetes_role_binding.write.subject.name resource:

```
A managed resource “subject” “name” has not been declared
```

How can I obtain the value for each of the kubernetes_role_binding.write.subject.name and aws_iam_role.read.name resources and iterate over them to produce this kind of resulting output:

```yaml
- "rolearn": "arn:aws:iam::1111111111:role/eks-read-role-namespace2"
  "username": "eks-read-user-namespace2"
- "rolearn": "arn:aws:iam::1111111111:role/eks-read-role-namespace1"
  "username": "eks-read-user-namespace1"
```
Thanks in advance!
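As an added example (not part of the original post), here is one way to build the mapRoles entries so that each IAM role's aws-auth username is taken directly from the matching RoleBinding subject rather than retyped; a hand-typed username that drifts from the RBAC subject silently leaves the role with no permissions, or binds the wrong one. It assumes the aws_iam_role.read and kubernetes_role_binding.read resources from the question, keyed by the same for_each indices.

```hcl
# Added example, not the original poster's code.
# With for_each, aws_iam_role.read and kubernetes_role_binding.read are
# maps of instances, so they must be indexed by key; "subject" is a nested
# block (a list), so the single subject is subject[0].
locals {
  read_map_roles = [
    for key, role in aws_iam_role.read : {
      # Use the resource's own ARN instead of composing it from partition
      # and account id.
      rolearn = role.arn
      # Take the username from the RoleBinding created for the same key, so
      # the aws-auth identity and the RBAC subject can never disagree.
      username = kubernetes_role_binding.read[key].subject[0].name
      # No group membership: permissions come only from the RoleBinding.
      groups = []
    }
  ]
}

# YAML in the shape expected by the aws-auth ConfigMap's data.mapRoles value.
output "read_map_roles_yaml" {
  value = yamlencode(local.read_map_roles)
}
```

When writing this into the aws-auth ConfigMap, concatenate it with the entries that are already present (in particular the node instance role mapping) instead of replacing mapRoles outright, otherwise worker nodes lose their ability to join the cluster.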