I need help on parameter-constraints

Hello all,

I created a module with the following code

data "vault_policy_document" "rule-document" {
  dynamic "rule" {
    for_each = var.token_policies
    content {
      path               = rule.value.path
      capabilities       = rule.value.vault_policy_capability
    }
  }
}

And I want to update this part of the code by adding parameter-constraints as described here.

But after adding allowed_parameters, my TF plan got the following error

╷
│ Error: Unsupported argument
│
│   on .terraform/modules/github-actions-approle/main.tf line 13, in data "vault_policy_document" "rule-document":
│   13:       allowed_parameters = {
│
│ An argument named "allowed_parameters" is not expected here.

This is the following code:

data "vault_policy_document" "rule-document" {
  dynamic "rule" {
    for_each = var.token_policies
    content {
      path               = rule.value.path
      #capabilities       = rule.value.vault_policy_capability
      capabilities       = ["read", "list", "create", "delete", "update"]
      description        = "Hello World!"
      allowed_parameters = {
        "foobarz" = ["cloud-engineering"]
        "foo" = ["bar"]
      }
    }
  }
}

I really appreciate any help on this.

Thank you,
Laurentius

According to the document, it should be allowed_parameter instead of allowed_parameters

I did try that as well, but got a different error message:

╷
│ Error: Unsupported argument
│
│   on .terraform/modules/github-actions-approle/main.tf line 20, in data "vault_policy_document" "rule-document":
│   20:       allowed_parameter  = {
│
│ An argument named "allowed_parameter" is not expected here. Did you mean to
│ define a block of type "allowed_parameter"?

TF code:

data "vault_policy_document" "rule-document" {
  dynamic "rule" {
    for_each = var.token_policies
    content {
      path               = rule.value.path
      #capabilities       = rule.value.vault_policy_capability
      capabilities       = ["read", "list", "create", "delete", "update"]
      description        = "Hello World!"
      allowed_parameter  = {
        "bar" = ["baz/*"]
      }
    }
  }
}

According to the doc, allowed_parameter is a [list](https://www.terraform.io/language/expressions/types#list), not a map.

I did try that as well, but I might be missing something. Using a list, I got an error

------------------------------------------------------------------------

╷
│ Error: Unsupported argument
│
│   on .terraform/modules/github-actions-approle/main.tf line 13, in data "vault_policy_document" "rule-document":
│   13:       allowed_parameter  = ["bar", "baz"]
│
│ An argument named "allowed_parameter" is not expected here. Did you mean to
│ define a block of type "allowed_parameter"?
╵

------------------------------------------------------------------------

The code is as follows:

data "vault_policy_document" "rule-document" {
  dynamic "rule" {
    for_each = var.token_policies
    content {
      path               = rule.value.path
      #capabilities       = rule.value.vault_policy_capability
      capabilities       = ["read", "list", "create", "delete", "update"]
      description        = "Hello World!"
      allowed_parameter  = ["bar", "baz"]
    }
  }
}

If you look at the docs: Terraform Registry

It looks to be expecting something like

allowed_parameter = [{key = "xxx", value = "xxx"}]

I did that before, and I just tried it as you suggested, but still got the error:

│ Error: Unsupported argument
│
│   on .terraform/modules/github-actions-approle/main.tf line 13, in data "vault_policy_document" "rule-document":
│   13:       allowed_parameter  = [{key = "secret", value = "cloud-engineering"}]
│
│ An argument named "allowed_parameter" is not expected here. Did you mean to
│ define a block of type "allowed_parameter"?

The code is as follows:

data "vault_policy_document" "rule-document" {
  dynamic "rule" {
    for_each = var.token_policies
    content {
      path               = rule.value.path
      #capabilities       = rule.value.vault_policy_capability
      capabilities       = ["read", "list", "create", "delete", "update"]
      description        = "Hello World!"
      allowed_parameter  = [{key = "secret", value = "cloud-engineering"}]
    }
  }
}

I think I found it. CMIIW.

data "vault_policy_document" "rule-document" {
  dynamic "rule" {
    for_each = var.token_policies
    content {
      path               = rule.value.path
      #capabilities       = rule.value.vault_policy_capability
      capabilities       = ["read", "list", "create", "delete", "update"]
      description        = "Hello World!"
      allowed_parameter {
        key = "secret"
        value = "cloud-engineering"
      }
    }
  }
}

Well, the value should be a [list], so it should be like this:

data "vault_policy_document" "rule-document" {
  dynamic "rule" {
    for_each = var.token_policies
    content {
      path               = rule.value.path
      #capabilities       = rule.value.vault_policy_capability
      capabilities       = ["read", "list", "create", "delete", "update"]
      description        = "Hello World!"
      allowed_parameter {
        key = "secret"
        value = [var.team_name]
      }
    }
  }
}
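Building on the working block form above, here is an added example (not code from the thread) that drives the allowed_parameter block from the same variable as the rule block, so the constraint is not hard-coded per rule. The variable shape, the sample paths, the output resource name and the `vault_policy` resource are assumptions; the `hcl` attribute is the data source's rendered policy.

```hcl
# Added example: each entry in var.token_policies carries its own parameter
# constraints, rendered as nested allowed_parameter blocks.
variable "token_policies" {
  type = list(object({
    path                    = string
    vault_policy_capability = list(string)
    # key => list of permitted values for that request parameter (assumed shape)
    allowed_parameters      = map(list(string))
  }))
  default = [
    {
      path                    = "secret/data/cloud-engineering/*"
      vault_policy_capability = ["read", "list"]
      allowed_parameters      = {} # no block rendered => no parameter constraint
    },
    {
      path                    = "secret/data/teams/*"
      vault_policy_capability = ["create", "update"]
      allowed_parameters = {
        "team" = ["cloud-engineering"]
        "env"  = ["dev", "staging"]
      }
    },
  ]
}

data "vault_policy_document" "rule-document" {
  dynamic "rule" {
    for_each = var.token_policies
    content {
      path         = rule.value.path
      capabilities = rule.value.vault_policy_capability

      # allowed_parameter is a nested block, not an argument, so it needs
      # its own dynamic block; "value" must be a list, as the thread found.
      dynamic "allowed_parameter" {
        for_each = rule.value.allowed_parameters
        content {
          key   = allowed_parameter.key
          value = allowed_parameter.value
        }
      }
    }
  }
}

# Assumed resource: publish the rendered document as a named Vault policy.
resource "vault_policy" "github-actions-approle" {
  name   = "github-actions-approle"
  policy = data.vault_policy_document.rule-document.hcl
}
```

Run `terraform plan` and inspect the rendered `hcl` attribute to confirm that only the rules with a non-empty map carry an allowed_parameters stanza; a rule with no block is unconstrained on parameters.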

Thanks for letting us know so everyone can benefit.
