hashicorp / terraform-provider-random

Utility provider that supports the use of randomness within Terraform configurations.
https://registry.terraform.io/providers/hashicorp/random/latest
Mozilla Public License 2.0

use replace in policy #344

Closed Snehil03 closed 1 year ago

Snehil03 commented 1 year ago

Terraform CLI and Provider Versions

Hi,

I am trying to create the below role for all the clusters using the below role definition and giving it an inline policy. While executing this it ends up with an error on the Federated line that an unknown variable h was passed (I think it comes from https).

resource "aws_iam_role" "csi_driver_role" {
  name        = "CSIdriver${title(var.environment)}"
  description = "Manage EBS driver for ${var.environment} cluster ."
  path        = "/${var.environment}/k8s/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam:::${local.common.aws_account_id}:oidc-provider/replace(${var.cluster_oidc_issuer_url}, "https://", "")"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "replace(${var.cluster_oidc_issuer_url}, "https://", ""):aud": "sts.amazonaws.com",
          "replace(${var.cluster_oidc_issuer_url}, "https://", ""):sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
        }
      }
    }
  ]
}
EOF
}

2nd approach: I tried to make these changes in vars.tf; there too I can't get it working.

Could you please guide me on what can be used instead to get it automated for all the clusters, where it will fetch the OIDC?

Environment: EKS cluster 1.21, Terraform 0.15.5

Thanks, Snehil

Use Cases or Problem Statement

Use the replace function in the inline policy so that it directly changes the available value and creates the new role.

Proposal

Have a more robust replace function.

How much impact is this issue causing?

High

Additional Information

NA

Code of Conduct

bflad commented 1 year ago

Hi @Snehil03 👋 Thank you for raising this issue and sorry you ran into trouble here.

Please note that this repository, https://github.com/hashicorp/terraform-provider-random, is for the hashicorp/random Terraform Provider. Functions such as replace() in the Terraform configuration language are implemented within Terraform core, so that issue tracker is generally more appropriate for these types of bug reports or feature requests with that functionality. General Terraform usage questions can be submitted to HashiCorp Discuss.

To briefly help you out here though, I do notice that your Terraform configuration may have some syntax issues. In particular these lines:

"Federated": "arn:aws:iam:::${local.common.aws_account_id}:oidc-provider/replace(${var.cluster_oidc_issuer_url}, "https://", "")"

"replace(${var.cluster_oidc_issuer_url}, "https://", ""):aud": "sts.amazonaws.com",
"replace(${var.cluster_oidc_issuer_url}, "https://", ""):sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"

The replace() calls are not wrapped with ${...} to signal to Terraform that this is Terraform-specific functionality within the string which should be evaluated. This is called interpolation. Changing them to something like the below may help:

"Federated": "arn:aws:iam:::${local.common.aws_account_id}:oidc-provider/${replace(var.cluster_oidc_issuer_url, "https://", "")}"

"${replace(var.cluster_oidc_issuer_url, "https://", "")}:aud": "sts.amazonaws.com",
"${replace(var.cluster_oidc_issuer_url, "https://", "")}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"

If you have followup questions around your Terraform configuration or the usage of Terraform functions within strings/heredoc statements, please reach out in HashiCorp Discuss.
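
The corrected interpolation above still leaves the policy as hand-quoted JSON inside a heredoc, which is where the original quoting mistake came from. The following is an added example, not code from the issue thread or from this provider, showing the same IRSA trust policy built with the AWS provider's aws_iam_policy_document data source so Terraform does the JSON quoting. It assumes the same inputs as the issue (var.environment, var.cluster_oidc_issuer_url, local.common.aws_account_id); the local names are illustrative. Two practitioner notes are folded in: the IAM ARN has exactly two colons between "iam" and the account ID (the region field is empty), whereas the snippets in this thread have three; and the aud and sub conditions are what restrict the role to a single service account, so they must be kept.

```hcl
# Added example (not from the issue or the hashicorp/random provider): an EKS
# IRSA trust policy built with aws_iam_policy_document instead of a heredoc.
# Assumed inputs, as in the issue: var.environment, var.cluster_oidc_issuer_url
# (e.g. "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"),
# local.common.aws_account_id. The local names below are illustrative.

locals {
  # The OIDC provider ARN and the condition keys use the issuer without its scheme.
  oidc_issuer_host = replace(var.cluster_oidc_issuer_url, "https://", "")

  # IAM ARNs carry an empty region field: "arn:aws:iam::<account-id>:..." (two colons).
  oidc_provider_arn = "arn:aws:iam::${local.common.aws_account_id}:oidc-provider/${local.oidc_issuer_host}"
}

data "aws_iam_policy_document" "csi_driver_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [local.oidc_provider_arn]
    }

    # Without the two conditions below, any pod in the cluster that can obtain a
    # projected service account token could assume this role.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer_host}:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer_host}:sub"
      values   = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
    }
  }
}

resource "aws_iam_role" "csi_driver_role" {
  name        = "CSIdriver${title(var.environment)}"
  description = "Manage EBS driver for ${var.environment} cluster."
  path        = "/${var.environment}/k8s/"

  # Terraform renders and escapes the JSON; no manual quoting of interpolations.
  assume_role_policy = data.aws_iam_policy_document.csi_driver_assume_role.json
}
```

To confirm the string manipulation before applying, `terraform console` evaluates `replace(var.cluster_oidc_issuer_url, "https://", "")` against the configured variable and prints the bare host/path that appears in both the ARN and the condition keys; `terraform plan` then shows the fully rendered assume_role_policy JSON, where the Federated ARN and the two condition keys can be checked against the cluster's OIDC provider.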

Snehil03 commented 1 year ago

Hi,

Thanks for the solution. I fixed it in an alternate way: I passed the value of replace via main.tf in the particular module. That worked well, as its OIDC provider did not want the secret to be shared as part of pipelines, so I marked the particular variable with the sensitive flag.

I wish you a nice day !

github-actions[bot] commented 5 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.