如何利用 for_each 缩短我的 Terraform 代码？

Question

I would like to create a set of Azure policies and add them to an initiative using Terraform.

The way I have set up my architecture/structure however feels wrong, as I have to repeat myself over and over again. There are going to be a lot more instances (like module "resource-group-policy" {} ) of my policy-module . Currently, I also have to add a policy_definition_reference for each of the policy resources.

My first approach was to come up with an additional module that bundles similar instances of my policy-module together. This way my main.tf become a lot shorter and readable, however, it almost doubled my code, as I had to introduce an output var for each of my submodules to output the policies id.

Is there a way I can leverage for example the for_each statement to significantly shorten my terraform code?

./policy-module/main.tf

terraform {
   # ...
}

resource "azurerm_policy_definition" "policy" {
    # ...
}

./policy-module/output.tf

output "id" {
    value = azurerm_policy_definition.policy.id
}

./policy-module/variables.tf

variable "pattern" {
    type = string
}

# ...

./main.tf

terraform {
  # ...
}

provider "azurerm" {
  # ...
}

resource "azurerm_policy_set_definition" "initiative" {    
    # ...

    policy_definition_reference {
      policy_definition_id = module.management-group-policy.id
    }

    policy_definition_reference {
      policy_definition_id = module.resource-group-policy.id
    }

    # ...    
}
    
module "management-group-policy" {
    source = "./policy-module"

    pattern = "mg-*"
    type = "Microsoft.Management/managementGroups"
    display_name = "Management Groups"
}

module "resource-group-policy" {
    source = "./policy-module"

    pattern = "rg-*"
    type = "Microsoft.Resources/resourceGroups"
    display_name = "Resource Groups"
}

# many more variations of modul

Answer 1

Start with something like this:

module "policies" {
    source = "./policy-module"

    for_each = {
        rg = {
            pattern = "rg-*",
            type = "Microsoft.Resources/resourceGroups",
            display_name = "Resource Groups"
        },
        mg = {
            pattern = "mg-*",
            type = "Microsoft.Management/managementGroups",
            display_name = "Management Groups"
        }
    }

    pattern = each.value.pattern
    type = each.value.type
    display_name = each.value.display_name
}

Your azurerm_policy_set_definition is actually the trickier one:

resource "azurerm_policy_set_definition" "initiative" {    
    # ...

    policy_definition_reference {
        for_each = module.policies

        policy_definition_id = each.key.id
    }
}

I'm not 100% sure about this, have a play around but the essence being that you need to iterate again over the policies which you created above.