DEV Community: Arpan The latest articles on DEV Community by Arpan (@arpanadhikari). https://dev.to/arpanadhikari https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F188334%2F8145170b-2623-4809-a5dc-f8d9d154d69a.jpeg DEV Community: Arpan https://dev.to/arpanadhikari en Reusable AWS iam role for service-accounts (IRSA for k8s ) terraform module Arpan Sat, 19 Feb 2022 06:23:54 +0000 https://dev.to/arpanadhikari/reusable-aws-iam-role-for-service-accounts-irsa-for-k8s-terraform-module-2og2 https://dev.to/arpanadhikari/reusable-aws-iam-role-for-service-accounts-irsa-for-k8s-terraform-module-2og2 <p>AWS supports authenticating your pods using an identity provider that your account is configured to trust.</p> <p>This tutorial will guide you through the process of creating an IAM role that your kubernetes pods will be able to assume.</p> <p>Pre-requisites:</p> <ul> <li>Familiarity with oidc provider in AWS</li> <li>Have an oidc provider setup in AWS</li> <li>Have a kubernetes cluster running in AWS (of course!)</li> </ul> <p>Creating oidc provider for AWS is beyond the scope of this tutorial.</p> <p>Now that that's out of the way,<br> Let's start with some terraform variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">#variables.tf</span> <span class="c1"># this is the url of the oidc_issuer</span> <span class="k">variable</span> <span class="s2">"oidc_issuer"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"oidc-example-irsa.s3.ap-southeast-2.amazonaws.com/subdomain.example.com"</span> <span class="p">}</span> <span class="c1"># role arn of the oidc provider</span> <span class="k">variable</span> <span class="s2">"oidc_arn"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"arn:aws:iam:01234567898:oidc-provider/oidc-example-irsa.s3.ap-southeast-2.amazonaws.com/subdomain.example.com"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"cluster.example.com"</span> <span class="p">}</span> <span class="c1"># service account variables</span> <span class="k">variable</span> <span class="s2">"service_accounts"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"blabladefault"</span><span class="p">,</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"blablans"</span> <span class="nx">statements</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*:*"</span><span class="p">]</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>I've prefilled all defaults here because we're going to rely on these defaults. You can also set them to <code>null</code> and pass your variables separately.</p> <p>Next, we'll need a resource block for the iam role.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">#main.tf</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"service_accounts"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span><span class="nx">for</span> <span class="nx">service_account</span> <span class="nx">in</span> <span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">service_accounts</span><span class="p">)</span> <span class="err">:</span> <span class="nx">service_account</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">service_account</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">.</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">namespace</span><span class="k">}</span><span class="s2">.sa.</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="c1">#allow federated role assumption using webIdentity(oidc)</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">oidc_issuer</span><span class="k">}</span><span class="s2">:sub"</span> <span class="p">=</span> <span class="s2">"system:serviceaccount:</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">namespace</span><span class="k">}</span><span class="s2">:</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">oidc_arn</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">]</span> <span class="p">})</span> <span class="c1">#generate multiple inline_policy resources </span> <span class="nx">dynamic</span> <span class="s2">"inline_policy"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">statements</span><span class="k">}</span><span class="s2">"</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"policy-</span><span class="k">${</span><span class="nx">inline_policy</span><span class="p">.</span><span class="nx">key</span><span class="k">}</span><span class="s2">"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="nx">inline_policy</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">Action</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="nx">inline_policy</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">Effect</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">inline_policy</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">Resource</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">tag</span><span class="err">-</span><span class="nx">key</span> <span class="p">=</span> <span class="s2">"tag-value"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h1> What's happening here? </h1> <p>We're using terraform's <a href="https://www.terraform.io/language/meta-arguments/for_each#the-for_each-meta-argument"><code>for_each</code> meta</a> argument to create multiple iam roles. The resource <code>aws_iam_role.service_accounts</code> is thus a <code>list</code> of iam roles.</p> <p>We're then using terraform's <a href="https://www.terraform.io/language/expressions/dynamic-blocks"><code>dynamic</code> block</a> to create multiple <code>inline_policy</code> resources within each iam role.</p> <p>Using a dynamic block inside a <code>for_each</code> argument allows us to render nested configurations like above.</p> <p>The beauty of this type of configuration is that you can reuse this as much as you'd like.</p> <p>Let's see an example, </p> <p>I've updated the <code>variables.tf</code> to add one more service account to the service_accounts variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">#variables.tf</span> <span class="c1"># ...</span> <span class="c1"># ...</span> <span class="c1"># [updated] service account variables with two service-accounts</span> <span class="k">variable</span> <span class="s2">"service_accounts"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"blabladefault"</span><span class="p">,</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"blablans"</span> <span class="nx">statements</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*:*"</span><span class="p">]</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"blabladefault2"</span><span class="p">,</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"blablans2"</span> <span class="nx">statements</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*:*"</span><span class="p">]</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Let's run <code>terraform plan</code> on this configuration.</p> <p>We see that it's now creating two service accounts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Terraform will perform the following actions: <span class="c"># aws_iam_role.service_accounts["blabladefault"] will be created</span> + resource <span class="s2">"aws_iam_role"</span> <span class="s2">"service_accounts"</span> <span class="o">{</span> + arn <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + assume_role_policy <span class="o">=</span> jsonencode<span class="o">(</span> <span class="o">{</span> + Statement <span class="o">=</span> <span class="o">[</span> + <span class="o">{</span> + Action <span class="o">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> + Condition <span class="o">=</span> <span class="o">{</span> + StringEquals <span class="o">=</span> <span class="o">{</span> + oidc-example-irsa.s3.ap-southeast-2.amazonaws.com/subdomain.example.com:sub <span class="o">=</span> <span class="s2">"system:serviceaccount:blablans:blabladefault"</span> <span class="o">}</span> <span class="o">}</span> + Effect <span class="o">=</span> <span class="s2">"Allow"</span> + Principal <span class="o">=</span> <span class="o">{</span> + Federated <span class="o">=</span> <span class="s2">"arn:aws:iam:01234567898:oidc-provider/oidc-example-irsa.s3.ap-southeast-2.amazonaws.com/subdomain.example.com"</span> <span class="o">}</span> <span class="o">}</span>, <span class="o">]</span> + Version <span class="o">=</span> <span class="s2">"2012-10-17"</span> <span class="o">}</span> <span class="o">)</span> + create_date <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + force_detach_policies <span class="o">=</span> <span class="nb">false</span> + <span class="nb">id</span> <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + managed_policy_arns <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + max_session_duration <span class="o">=</span> 3600 + name <span class="o">=</span> <span class="s2">"blabladefault.blablans.sa.cluster.example.com"</span> + name_prefix <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + path <span class="o">=</span> <span class="s2">"/"</span> + tags <span class="o">=</span> <span class="o">{</span> + <span class="s2">"tag-key"</span> <span class="o">=</span> <span class="s2">"tag-value"</span> <span class="o">}</span> + tags_all <span class="o">=</span> <span class="o">{</span> + <span class="s2">"tag-key"</span> <span class="o">=</span> <span class="s2">"tag-value"</span> <span class="o">}</span> + unique_id <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + inline_policy <span class="o">{</span> + name <span class="o">=</span> <span class="s2">"policy-0"</span> + policy <span class="o">=</span> jsonencode<span class="o">(</span> <span class="o">{</span> + Statement <span class="o">=</span> <span class="o">[</span> + <span class="o">{</span> + Action <span class="o">=</span> <span class="o">[</span> + <span class="s2">"*:*"</span>, <span class="o">]</span> + Effect <span class="o">=</span> <span class="s2">"Deny"</span> + Resource <span class="o">=</span> <span class="s2">"*"</span> <span class="o">}</span>, <span class="o">]</span> + Version <span class="o">=</span> <span class="s2">"2012-10-17"</span> <span class="o">}</span> <span class="o">)</span> <span class="o">}</span> <span class="o">}</span> <span class="c"># aws_iam_role.service_accounts["blabladefault2"] will be created</span> + resource <span class="s2">"aws_iam_role"</span> <span class="s2">"service_accounts"</span> <span class="o">{</span> + arn <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + assume_role_policy <span class="o">=</span> jsonencode<span class="o">(</span> <span class="o">{</span> + Statement <span class="o">=</span> <span class="o">[</span> + <span class="o">{</span> + Action <span class="o">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> + Condition <span class="o">=</span> <span class="o">{</span> + StringEquals <span class="o">=</span> <span class="o">{</span> + oidc-example-irsa.s3.ap-southeast-2.amazonaws.com/subdomain.example.com:sub <span class="o">=</span> <span class="s2">"system:serviceaccount:blablans2:blabladefault2"</span> <span class="o">}</span> <span class="o">}</span> + Effect <span class="o">=</span> <span class="s2">"Allow"</span> + Principal <span class="o">=</span> <span class="o">{</span> + Federated <span class="o">=</span> <span class="s2">"arn:aws:iam:01234567898:oidc-provider/oidc-example-irsa.s3.ap-southeast-2.amazonaws.com/subdomain.example.com"</span> <span class="o">}</span> <span class="o">}</span>, <span class="o">]</span> + Version <span class="o">=</span> <span class="s2">"2012-10-17"</span> <span class="o">}</span> <span class="o">)</span> + create_date <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + force_detach_policies <span class="o">=</span> <span class="nb">false</span> + <span class="nb">id</span> <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + managed_policy_arns <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + max_session_duration <span class="o">=</span> 3600 + name <span class="o">=</span> <span class="s2">"blabladefault2.blablans2.sa.cluster.example.com"</span> + name_prefix <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + path <span class="o">=</span> <span class="s2">"/"</span> + tags <span class="o">=</span> <span class="o">{</span> + <span class="s2">"tag-key"</span> <span class="o">=</span> <span class="s2">"tag-value"</span> <span class="o">}</span> + tags_all <span class="o">=</span> <span class="o">{</span> + <span class="s2">"tag-key"</span> <span class="o">=</span> <span class="s2">"tag-value"</span> <span class="o">}</span> + unique_id <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + inline_policy <span class="o">{</span> + name <span class="o">=</span> <span class="s2">"policy-0"</span> + policy <span class="o">=</span> jsonencode<span class="o">(</span> <span class="o">{</span> + Statement <span class="o">=</span> <span class="o">[</span> + <span class="o">{</span> + Action <span class="o">=</span> <span class="o">[</span> + <span class="s2">"*:*"</span>, <span class="o">]</span> + Effect <span class="o">=</span> <span class="s2">"Deny"</span> + Resource <span class="o">=</span> <span class="s2">"*"</span> <span class="o">}</span>, <span class="o">]</span> + Version <span class="o">=</span> <span class="s2">"2012-10-17"</span> <span class="o">}</span> <span class="o">)</span> <span class="o">}</span> <span class="o">}</span> Plan: 2 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>This plan was generated from the example above. If it doesn't work for you, please leave a comment and I'll try and help you out.</p> aws terraform kubernetes Using 'dynamic' block to generate IAM policy statements in Terraform Arpan Thu, 27 Jan 2022 14:01:17 +0000 https://dev.to/arpanadhikari/using-dynamic-block-to-generate-iam-policy-statements-in-terraform-52gd https://dev.to/arpanadhikari/using-dynamic-block-to-generate-iam-policy-statements-in-terraform-52gd <p>Terraform has a cool resource block called the 'dynamic' block that allows generating multiple nested blocks for a resource.</p> <p>This tutorial will show you how to generate multiple IAM policy statements using this dynamic block.</p> <p>In this example we have a list of AWS Principals that we want to allow access to our bucket named <em>dev-to-multi-account-bucket</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># variables.tf</span> <span class="k">variable</span> <span class="s2">"aws_accounts"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">))</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"A map of lists of AWS Principals"</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"mgmt"</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arn:aws:iam::123456789876:root"</span><span class="p">]</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arn:aws:iam::098765432123:root"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># bucket_policy.tf</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket_policy"</span> <span class="s2">"cross_account_policy"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"dev-to-multi-account-bucket"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">allow_access_from_another_account</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="c1"># dynamic policy statement block for each account specified</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"allow_access_from_another_account"</span> <span class="p">{</span> <span class="nx">dynamic</span> <span class="s2">"statement"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_accounts</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:*"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:s3:::dev-to-multi-account-bucket/</span><span class="k">${</span><span class="nx">statement</span><span class="p">.</span><span class="nx">key</span><span class="k">}</span><span class="s2">*"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">flatten</span><span class="p">(</span><span class="nx">statement</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Explaination</strong></p> <p>So what's really happening here? Let's look at the <em>aws_iam_policy_document.allow_access_from_another_account</em> "data" resource block. </p> <p>We are leveraging the dynamic block within this resource to iterate through the <em>aws_accounts</em> variable. This generates multiple statements inside the policy allowing us to rely on the variable's length.</p> <p>The variable <em>statement</em> has two important attributes: <em>key</em> and <em>value</em>. These allow you to target the respective section of the key-value map.</p> <p>We can access these attributes through the <code>statement</code> variable. Terraform automatically assigns this variable name from the dynamic block's configuration. In this case, it's named <code>statement</code>.</p> <p>After running <code>terraform plan</code>, we see a plan that looks something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># aws_s3_bucket_policy.cross_account_policy will be created</span> <span class="err">+</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket_policy"</span> <span class="s2">"cross_account_policy"</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"dev-to-multi-account-bucket"</span> <span class="err">+</span> <span class="nx">id</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">(</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="err">+</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"s3:*"</span> <span class="err">+</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="err">+</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::123456789876:root"</span> <span class="p">}</span> <span class="err">+</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="err">+</span> <span class="s2">"arn:aws:s3:::dev-to-multi-account-bucket/mgmt*"</span><span class="p">,</span> <span class="p">]</span> <span class="err">+</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">""</span> <span class="p">},</span> <span class="err">+</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"s3:*"</span> <span class="err">+</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="err">+</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::098765432123:root"</span> <span class="p">}</span> <span class="err">+</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="err">+</span> <span class="s2">"arn:aws:s3:::dev-to-multi-account-bucket/prod*"</span><span class="p">,</span> <span class="p">]</span> <span class="err">+</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">""</span> <span class="p">},</span> <span class="p">]</span> <span class="err">+</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Nice!</p> <p>Find more about dynamic blocks in <a href="https://www.terraform.io/language/expressions/dynamic-blocks">Terraform's official documentation page.</a></p> devops aws terraform tutorial My take on GitHub co-pilot's Terraform skills Arpan Thu, 20 Jan 2022 13:42:39 +0000 https://dev.to/arpanadhikari/my-take-on-github-co-pilots-terraform-skills-2fhm https://dev.to/arpanadhikari/my-take-on-github-co-pilots-terraform-skills-2fhm <p><strong>Introduction</strong></p> <p>So after a long wait in the waiting list, I've finally been able to get my hands on GitHub's co-pilot.</p> <p>If you're not familiar with co-pilot, check it out <a href="https://copilot.github.com/">here</a>.</p> <p>It's been a couple of weeks since copilot's been setup on my VSCode and I must say, this looks really promising!</p> <p>Since working with Terraform is part of my day job, I was curious to see how it would perform as my co-pilot declaring resources through it on my personal device. So this article focuses on its Terraform prowess.</p> <p><strong>Terraform and Co-pilot</strong></p> <p>It was impressive to see the bot recognise my coding style and immediately infer what I was trying to do. However, it didn't fully understand my intentions until I was a little further into the code.</p> <p>The gif below shows copilot trying to guess what I'm trying to do:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7kL_9s-g--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w2itepwkkagj6btx6g6s.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7kL_9s-g--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w2itepwkkagj6btx6g6s.gif" alt="Github co-pilot with terraform" width="591" height="591"></a></p> <p>Below is where it truly shines by making meaningful suggestions to my output resource.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jSU76mDf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fi3g8racgni4rdv9ypd4.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jSU76mDf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fi3g8racgni4rdv9ypd4.gif" alt="Github co-pilot with terraform, context recognition" width="599" height="599"></a></p> <p>While not mind-blowing, it can save time by suggesting something you would either type yourself anyway of copy from somewhere else. </p> <p>Here's another example; I added some extra variables to the module to test whether co-pilot would detect those and try to suggest them as outputs. To (or not, at this stage) my surprise, it did!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--iKG6di6s--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qnhw4sa8ibpse3x5wyxr.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--iKG6di6s--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qnhw4sa8ibpse3x5wyxr.gif" alt="Github co-pilot with terraform" width="594" height="594"></a></p> <p><strong>What about Makefiles?</strong><br> My quick test with a go-project makefile seems shows fruitful results.The co-pilot made a great suggestion for a makefile target to release the binary with version and platform suffixes! Well done co-pilot ;)<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--rKpmf95M--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gumw5y07shpm15xtop9y.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--rKpmf95M--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gumw5y07shpm15xtop9y.gif" alt="Image description" width="880" height="564"></a></p> <p><strong>Final thoughts</strong></p> <p>Is co-pilot more than just a copy-paste bot? Well, I think so. It's impressive that it understands and makes mostly good suggestions for Terraform, I can imagine how good it would be for other more widely available languages on GitHub.</p> terraform githubcopilot automation