Terraform for_each 循环 aws_auth eks 被覆盖

Question

我正在创建我自己的 EKS 集群，并且在通过我在本地声明的命名空间动态添加角色时遇到了一些问题我正在使用terraform-aws-eks-auth 标签 v1.0.0将我的 IAM 角色填充到我在terraform。

我希望 each.key 变量会填充/附加到 map_roles 的地图条目列表中，但到目前为止还没有这样做。 aws auth config map 中的最终结果表明它只包含 AdminAccessRole、my_eks_admin_role、dev-kiwi-ingress-nginx_admin_role 和 dev-kiwi-ingress-nginx_readonly_role。 以前应该动态创建的命名空间被覆盖了。

在这种情况下我什至应该使用 for_each 吗？ 我如何通过使用的命名空间动态填充 aws-auth，结合 2 static 条目。

我感谢任何建议或帮助！

locals {
  namespaces = [
    "${var.env}-devops",
    "${var.env}-devops-ingress-nginx",
    "${var.env}-shared",
    "${var.env}-shared-ingress-nginx",
    "${var.env}-pear",
    "${var.env}-pear-ingress-nginx",
    "${var.env}-apple",
    "${var.env}-apple-ingress-nginx",
    "${var.env}-banana",
    "${var.env}-banana-ingress-nginx",
    "${var.env}-kiwi",
    "${var.env}-kiwi-ingress-nginx"
  ]
}

module "eks_auth" {
  source = "./terraform-modules/terraform-aws-eks-auth-1.0.0"
  eks    = module.eks
  # Additional IAM roles to add to the aws-auth configmap.
  for_each = toset(local.namespaces)
  map_roles = [
    {
      rolearn  = "arn:aws:iam::1234567890:role/AdminAccessRole"
      username = "AdminAccessRole"
      groups   = ["system:masters"]
    },
    {
      rolearn  = "arn:aws:iam::1234567890:role/my-eks-admin-role"
      username = "my_eks_admin_role"
      groups   = ["system:masters"]
    },
    {
      rolearn  = aws_iam_role.eks_namespace_admin_roles[each.key].arn
      username = "${each.key}_admin_role"
      groups   = ["${each.key}:${each.key}_group"]
    },
    {
      rolearn  = aws_iam_role.eks_namespace_readonly_roles[each.key].arn
      username = "${each.key}_readonly_role"
      groups   = ["${each.key}:${each.key}_group"]
    }
  ]

  map_users = [
    {
      userarn  = "arn:aws:iam::1234567890:user/terraform-service-account"
      username = "terraform-service-account"
      groups   = ["system:masters"]
    }
  ]
}

Terraform v1.0.11 aws 提供商版本 = "~> 4.9.0"

Answer 1

通过在问题中显示的级别中添加for_each ，terraform 将尝试创建eks_auth模块的多个实例

在您的情况下，您需要在变量创建中应用循环。 此外，为了不循环遍历 static 定义，我们使用concat来合并列表，例如

  map_roles = concat( [ for index,value in toset(local.namespaces) :
   {
      rolearn  = aws_iam_role.eks_namespace_admin_roles[value].arn
      username = "${value}_admin_role"
      groups   = ["${value}:${value}_group"]
   },
   {
      rolearn  = aws_iam_role.eks_namespace_readonly_roles[value].arn
      username = "${value}_readonly_role"
      groups   = ["${value}:${value}_group"]
   }
  ], 
  [        
   {
       rolearn  = "arn:aws:iam::1234567890:role/AdminAccessRole"
       username = "AdminAccessRole"
       groups   = ["system:masters"]
   },
   {
      rolearn  = "arn:aws:iam::1234567890:role/my-eks-admin-role"
      username = "my_eks_admin_role"
      groups   = ["system:masters"]
   }
 ])

Answer 2

在 Tolis 的帮助下，这就是问题的答案。

当尝试 FOR 循环几个 map 条目时它仍然抛出错误，所以我将它们分开并连接多个列表。

module "eks_auth" {
  source = "./terraform-modules/terraform-aws-eks-auth-1.0.0"
  eks    = module.eks
  # Additional IAM roles to add to the aws-auth configmap.
  for_each = toset(local.namespaces)
  map_roles = concat(
    [
      for key in toset(local.namespaces) :
      {
        rolearn  = aws_iam_role.eks_namespace_admin_roles[key].arn
        username = "${key}_admin_role"
        groups   = ["${key}:${key}_group"]
      }
    ],
    [
      for key in toset(local.namespaces) :
      {
        rolearn  = aws_iam_role.eks_namespace_readonly_roles[key].arn
        username = "${key}_readonly_role"
        groups   = ["${key}:${key}_group"]
      }
    ],
    [
      {
        rolearn  = "arn:aws:iam::1234567890:role/AdminAccessRole"
        username = "AdminAccessRole"
        groups   = ["system:masters"]
      },
      {
        rolearn  = "arn:aws:iam::1234567890:role/my-eks-admin-role"
        username = "my_eks_admin_role"
        groups   = ["system:masters"]
      }
  ])
  # Additional IAM users to add to the aws-auth configmap.
  map_users = [
  ]
}