DEV Community: Arun Singh Sisodiya

Mastering Terraform Functions: A Guide with Examples 👨‍💻

Arun Singh Sisodiya — Sat, 25 Feb 2023 10:52:20 +0000

Discover the power of Terraform functions and learn how to use them to simplify your infrastructure as code. From filesystem functions to collection and encoding functions, we cover it all with examples and images.

Introduction

In this blog post, we’ll explore the world of Terraform functions and how they can help you write more concise and powerful infrastructure as code. With Terraform functions, you can perform advanced data manipulation, simplify variable interpolation, and work with files and directories. We’ll show you how to use Terraform functions in your code, with examples and images to guide you.

What are Terraform functions?

👋 Hey there, fellow Terraform users! Are you looking to level up your infrastructure-as-code game? Well, have you considered using Terraform functions? 🤔

Terraform functions allow you to perform various operations on your Terraform code. They can generate dynamic values, manipulate strings, and perform mathematical calculations, among other things. This blog post will cover some of the most common Terraform functions and how you can use them in your code.

Terraform functions are used in the expression of an argument and return a value of a specified type. The built-in functions can be generalized using the syntax below:

<function_name>(arg 1, arg 2)

The number and type of arguments accepted by Terraform functions are predefined. The Terraform language includes several built-in functions that you can call from within expressions to transform and combine values.

🌟 Interpolation Functions 🌟

Interpolation functions are used to insert a value into a string. They can be used in resource configuration blocks, data source configuration blocks, and other parts of your Terraform code.

Let’s see some examples and do some hands-on:

format(): This function is used to format a string. It takes one or more arguments and returns a formatted string.

Syntax→ `fomrat(spec, values...)`

E.g.
> format("Hello, %s!", "Terraform")
Hello Terraform
> format("There are %d lights", 4)
There are 4 lights

join(): This function is used to concatenate a list of strings. It takes two arguments: a separator and a list of strings.

Syntax→ join(separator, list)
```
E.g.
> join(", ", ["foo", "bar", "baz"])
foo, bar, baz
> join(", ", ["foo"])
foo
```

lookup(): This function is used to look up a value in a map. It takes two arguments: the map and the key.

Syntax→ `lookup(map, key, default)`

E.g.
> lookup({a="ay", b="bee"}, "a", "what?")
ay
> lookup({a="ay", b="bee"}, "c", "what?")
what?

🌟 Numeric Functions 🌟

Numeric functions are used to perform mathematical calculations. They can be used in resource configuration blocks, data source configuration blocks, and other parts of your Terraform code.

Let’s see some examples and do some hands-on:

abs(): abs returns the absolute value of the given number.
```
> abs(23)
23
> abs(0)
0
> abs(-12.4)
12.4
```
ceil(): ceil returns the closest whole number that is greater than or equal to the given value, which may be a fraction.
```
> ceil(5)
5
> ceil(5.1)
6
```
floor(): floor returns the closest whole number that is less than or equal to the given value, which may be a fraction.
```
> floor(5)
5
> floor(4.9)
4
```
log(): log returns the logarithm of a given number in a given base.

Syntax→ log(number, base)
```
E.g.
> log(50, 10)
1.6989700043360185
> log(16, 2)
4
```
max(): max takes one or more numbers and returns the greatest number from the set. If the numbers are in a list or set value, use ... to expand the collection to individual arguments:
```
> max(12, 54, 3)
54
> max([12, 54, 3]...)
54
```
min(): min takes one or more numbers and returns the smallest number from the set.If the numbers are in a list or set value, use ... to expand the collection to individual arguments:
```
> min(12, 54, 3)
3
> min([12, 54, 3]...)
3
```
pow(): pow calculates an exponent, by raising its first argument to the power of the second argument.
```
> pow(3, 2)
9
> pow(4, 0)
1
```
signum(): signum determines the sign of a number, returning a number between -1 and 1 to represent the sign.
```
> signum(-13)
-1
> signum(0)
0
> signum(344)
1
```
parseint(): parseint parses the given string as a representation of an integer in the specified base and returns the resulting number. The base must be between 2 and 62 inclusive. All bases use the arabic numerals 0 through 9 first. Bases between 11 and 36 inclusive use case-insensitive latin letters to represent higher unit values. Bases 37 and higher use lowercase latin letters and then uppercase latin letters. If the given string contains any non-digit characters or digit characters that are too large for the given base then parseint will produce an error.
```
> parseint("100", 10)
100

> parseint("FF", 16)
255

> parseint("-10", 16)
-16

> parseint("1011111011101111", 2)
48879

> parseint("aA", 62)
656

> parseint("12", 2)

Error: Invalid function argument

Invalid value for "number" parameter: cannot parse "12" as a base 2 integer.
```

🌟 String Functions 🌟

String functions are used to manipulate strings. They can be used in resource configuration blocks, data source configuration blocks, and other parts of your Terraform code.

Let’s see some examples and do some hands-on:

lower(): lower converts all cased letters in the given string to lowercase.
```
> lower("HELLO")
hello
> lower("АЛЛО!")
алло!
```
upper(): upper converts all cased letters in the given string to uppercase.
```
> upper("hello")
HELLO
> upper("алло!")
АЛЛО!
```

replace(): replace searches a given string for another given substring, and replaces each occurrence with a given replacement string.

Syntax→ `replace(string, substring, replacement)`

E.g.
> replace("1 + 2 + 3", "+", "-")
1 - 2 - 3

> replace("hello world", "/w.*d/", "everybody")
hello everybody

trim(): trim removes the specified set of characters from the start and end of the given string.

Syntax→ `trim(string, str_character_set)`

E.g.
> trim("?!hello?!", "!?")
"hello"

> trim("foobar", "far")
"oob"

> trim("   hello! world.!  ", "! ")
"hello! world."

There are many more terraform functions. You can find the details here: https://developer.hashicorp.com/terraform/language/functions

🌟 Conclusion 🌟

Terraform functions can help you write more efficient and dynamic infrastructure code. By using these functions, you can easily manipulate strings, perform mathematical calculations, and generate dynamic values. So give them a try and see how they can improve your Terraform workflows! 🔥

🔒💻 Master EKS IRSA and Terraform for Fine-Grained AWS Resource Access Control on Kubernetes.🚀

Arun Singh Sisodiya — Wed, 22 Feb 2023 16:29:21 +0000

IRSA (IAM Roles for Service Accounts) is a feature of EKS (Amazon Elastic Kubernetes Service) that allows you to grant Kubernetes pods and containers permissions to AWS resources using IAM roles. This allows you to use IAM policies to control access to your AWS resources from your Kubernetes applications.

Prerequisites

An AWS account with permissions to create EKS clusters and IAM roles.
The AWS CLI and kubectl are installed on your local machine.
A running EKS cluster with at least one node group. You can use eksctl or terraform eks module to spin up the EKS cluster

Let us begin by describing the steps we must follow to implement IRSA on the EKS cluster.

Step 1: Create an IAM policy

The first step is to create an IAM policy that grants the necessary permissions to your EKS pods. You can use the following example policy as a starting point:

resource "aws_iam_policy" "s3_access_policy" {
  name_prefix = "eks-s3-access-policy-"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = [
          "s3:Get*",
          "s3:List*",
        ]
        Resource = "*"
      },
    ]
  })
}

This policy allows your pods to read and list objects in all S3 buckets in your AWS account. Replace the resource ARN with the ARN of the specific resource you want to grant access to.

Step 2: Create an IAM role

Next, create an IAM role that your EKS pods can assume to gain the permissions defined in the IAM policy. You can use the following Terraform code to create a new IAM role:

resource "aws_iam_role" "s3_access_role" {
  name               = "eks-s3-access"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = {
          Service = "eks.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      },
    ]
  })
}

Replace eks-s3-access with a name of your choice.

Step 3: Attach the IAM policy to the IAM role

Once you've created the IAM role, attach the IAM policy you created in step 1 to the role using the following Terraform code:

resource "aws_iam_role_policy_attachment" "s3_access_policy_attachment" {
  policy_arn = aws_iam_policy.s3_access_policy.arn
  role       = aws_iam_role.s3_access_role.name
}

Replace aws_iam_policy.s3_access_policy.arn with the ARN of the IAM policy you created in step 1, and aws_iam_role.s3_access_role.name with the name of the IAM role you created in step 2.

Step 4: Create a Kubernetes service account

Next, create a Kubernetes service account that you can associate with the IAM role you created in step 2. Use the following Terraform code to create a new service account:

resource "kubernetes_service_account" "s3_access_sa" {
  metadata {
    name = "s3-access-sa"
  }
}

Note: If you want to create Kubernetes service account using terraform, you must use Kubernetes Provider by terraform.

Step 5: Annotate the service account with the IAM role ARN

To associate the Kubernetes service account with the IAM role you created in step 2, annotate the service account with the ARN of the role using the following Terraform code:

resource "kubernetes_service_account_annotation" "s3_access_sa_annotation" {
  metadata {
    name = kubernetes_service_account.s3_access_sa.metadata.0.name
    namespace = "default"
  }
  annotations = {
    "eks.amazonaws.com/role-arn" = aws_iam_role.s3_access_role.arn
  }
}

Replace aws_iam_role.s3_access_role.arn with the ARN of the IAM role you created in step 2, and kubernetes_service_account.s3_access_sa.metadata.0.name with the name of the Kubernetes service account you created in step 4.

Step 6: Deploy a sample pod

Finally, deploy a sample pod that uses the IAM role you created in step 2 to access an AWS resource. Use the following Terraform code to deploy a sample pod:

resource "kubernetes_manifest" "sample_pod" {
  manifest = jsonencode({
    apiVersion = "v1"
    kind       = "Pod"
    metadata = {
      name = "sample-pod"
    }
    spec = {
      containers = [
        {
          name  = "sample-container"
          image = "nginx"
          volumeMounts = [
            {
              name      = "aws-credentials"
              mountPath = "/var/run/secrets/aws"
            },
          ]
          env = [
            {
              name  = "AWS_REGION"
              value = "us-west-2"
            },
          ]
        },
      ]
      volumes = [
        {
          name = "aws-credentials"
          projected = {
            sources = [
              {
                serviceAccountToken = {
                  path = "aws-credentials"
                  expirationSeconds = 86400
                }
              },
            ]
          }
        },
      ]
      serviceAccountName = kubernetes_service_account.s3_access_sa.metadata.0.name
    }
  })
}

This deploys a sample Nginx container that mounts the AWS credentials from the Kubernetes service account and sets the AWS region environment variable. Replace kubernetes_service_account.s3_access_sa.metadata.0.name with the name of the Kubernetes service account you created in step 4.
That's it! Once you apply these Terraform configurations, you should have a Kubernetes pod that has access to the AWS resource specified in the IAM policy you created in step 1, using the IAM role you created in step 2.

Conclusion

In conclusion, EKS IRSA is a powerful feature that allows you to achieve fine-grained access control to AWS resources on Kubernetes clusters. With Terraform, you can easily automate the process of creating and managing IAM roles, Kubernetes service accounts, and their association, allowing you to streamline your infrastructure management workflow. By following this step-by-step guide, you can implement EKS IRSA with Terraform and take advantage of its benefits to achieve greater security and efficiency in your Kubernetes environment.