Terraform for_each循环aws_auth ek被覆盖

Question

我正在创建自己的EKS集群，并遇到一些问题，通过在局部变量中动态声明的命名空间添加角色，我正在使用terraform-aws-eks auth标记v1.0.0将我的IAM角色填充到我在terraform中创建的组中。

我预计each.key变量会在map_roles的映射条目列表中填充/追加，但到目前为止还没有。auth映射中的最终结果表明，它只包含AdminAccessRole、my_eks_admin_role、dev-kiwi_admin_ shows和dev-kiwi_readonly_role。应该动态创建的前一个名称空间被覆盖。

在这种情况下，我甚至应该使用for_each吗？如何通过使用的名称空间动态地填充auth，并结合2个静态条目。

我感谢你的任何建议或帮助！

locals {
  namespaces = [
    "${var.env}-devops",
    "${var.env}-devops-ingress-nginx",
    "${var.env}-shared",
    "${var.env}-shared-ingress-nginx",
    "${var.env}-pear",
    "${var.env}-pear-ingress-nginx",
    "${var.env}-apple",
    "${var.env}-apple-ingress-nginx",
    "${var.env}-banana",
    "${var.env}-banana-ingress-nginx",
    "${var.env}-kiwi",
    "${var.env}-kiwi-ingress-nginx"
  ]
}

module "eks_auth" {
  source = "./terraform-modules/terraform-aws-eks-auth-1.0.0"
  eks    = module.eks
  # Additional IAM roles to add to the aws-auth configmap.
  for_each = toset(local.namespaces)
  map_roles = [
    {
      rolearn  = "arn:aws:iam::1234567890:role/AdminAccessRole"
      username = "AdminAccessRole"
      groups   = ["system:masters"]
    },
    {
      rolearn  = "arn:aws:iam::1234567890:role/my-eks-admin-role"
      username = "my_eks_admin_role"
      groups   = ["system:masters"]
    },
    {
      rolearn  = aws_iam_role.eks_namespace_admin_roles[each.key].arn
      username = "${each.key}_admin_role"
      groups   = ["${each.key}:${each.key}_group"]
    },
    {
      rolearn  = aws_iam_role.eks_namespace_readonly_roles[each.key].arn
      username = "${each.key}_readonly_role"
      groups   = ["${each.key}:${each.key}_group"]
    }
  ]

  map_users = [
    {
      userarn  = "arn:aws:iam::1234567890:user/terraform-service-account"
      username = "terraform-service-account"
      groups   = ["system:masters"]
    }
  ]
}

Terraform v1.0.11 aws提供程序版本= "~> 4.9.0“

Answer 1

通过在问题中显示的级别中添加for_each，terraform将尝试创建eks_auth模块的多个实例。

在您的情况下，您需要在变量创建中应用循环。另外，为了不循环静态定义，我们使用concat合并列表，例如。

  map_roles = concat( [ for index,value in toset(local.namespaces) :
   {
      rolearn  = aws_iam_role.eks_namespace_admin_roles[value].arn
      username = "${value}_admin_role"
      groups   = ["${value}:${value}_group"]
   },
   {
      rolearn  = aws_iam_role.eks_namespace_readonly_roles[value].arn
      username = "${value}_readonly_role"
      groups   = ["${value}:${value}_group"]
   }
  ], 
  [        
   {
       rolearn  = "arn:aws:iam::1234567890:role/AdminAccessRole"
       username = "AdminAccessRole"
       groups   = ["system:masters"]
   },
   {
      rolearn  = "arn:aws:iam::1234567890:role/my-eks-admin-role"
      username = "my_eks_admin_role"
      groups   = ["system:masters"]
   }
 ])

Answer 2

在托里斯的帮助下，这是问题的答案。

当试图循环几个地图条目时，它仍然会抛出错误，所以我将它们分开，并将多个列表连接起来。

module "eks_auth" {
  source = "./terraform-modules/terraform-aws-eks-auth-1.0.0"
  eks    = module.eks
  # Additional IAM roles to add to the aws-auth configmap.
  for_each = toset(local.namespaces)
  map_roles = concat(
    [
      for key in toset(local.namespaces) :
      {
        rolearn  = aws_iam_role.eks_namespace_admin_roles[key].arn
        username = "${key}_admin_role"
        groups   = ["${key}:${key}_group"]
      }
    ],
    [
      for key in toset(local.namespaces) :
      {
        rolearn  = aws_iam_role.eks_namespace_readonly_roles[key].arn
        username = "${key}_readonly_role"
        groups   = ["${key}:${key}_group"]
      }
    ],
    [
      {
        rolearn  = "arn:aws:iam::1234567890:role/AdminAccessRole"
        username = "AdminAccessRole"
        groups   = ["system:masters"]
      },
      {
        rolearn  = "arn:aws:iam::1234567890:role/my-eks-admin-role"
        username = "my_eks_admin_role"
        groups   = ["system:masters"]
      }
  ])
  # Additional IAM users to add to the aws-auth configmap.
  map_users = [
  ]
}