DEV Community: Darren Horwitz The latest articles on DEV Community by Darren Horwitz (@darrenhorwitz1). https://dev.to/darrenhorwitz1 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F830021%2F1142777d-1321-4903-9d88-6dd74d377593.png DEV Community: Darren Horwitz https://dev.to/darrenhorwitz1 en pattern(composition) : terraform nested for loop Darren Horwitz Sat, 25 Mar 2023 14:05:49 +0000 https://dev.to/darrenhorwitz1/patterncomposition-terraform-nested-for-loop-o2b https://dev.to/darrenhorwitz1/patterncomposition-terraform-nested-for-loop-o2b <p>Recently I have discovered a pattern that has emerged to become extremely handy when wanting to build out resources that are composed together, typically a one-to-many relationship. </p> <h2> One-to-Many </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgxydmrsxerlayrugus6z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgxydmrsxerlayrugus6z.png" alt="one-to-many"></a></p> <p>Now in terraform/cloud land the above image one can express the above image with something as simple as a security-group. The security group can be expressed as the "parent" and a security-group rule can would be expressed as a child of security-group. Thus, the security group is a composition of many security-group rules.</p> <h2> Foo Bar Code </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">map</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"foo"</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"child1"</span><span class="p">,</span> <span class="s2">"child4"</span><span class="p">]</span> <span class="s2">"bar"</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"child2"</span><span class="p">,</span> <span class="s2">"child5"</span><span class="p">]</span> <span class="s2">"baz"</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"child3"</span><span class="p">,</span> <span class="s2">"child6"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">out</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">([</span><span class="nx">for</span> <span class="nx">parentKey</span><span class="p">,</span> <span class="nx">parentValue</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">map</span> <span class="err">:</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">child</span> <span class="nx">in</span> <span class="nx">parentValue</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="nx">parentKey</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="nx">child</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">child</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]...)</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"out"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">out</span> <span class="p">}</span> </code></pre> </div> <p>The above code loops through each key-value pair in the map and then it loops through each item in the array (the value of the respective pair).</p> <p>The for expression in the array will create a map based on the key and item . This is responsible for grouping the maps by the keys of the initial map.</p> <p>The next for expression in the map is responsible for the creation of the key - values based on the respective value (array of strings ). The key will get namespaced by the respective key (e.g. "foo") and the respective value of the element in the array (e.g. "child1").</p> <p>Resulting in the composed key : "foo/child1" </p> <p>The result of the two for expressions before the merge looks like such: </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="nx">array</span> <span class="err">=</span> <span class="p">[</span> <span class="p">{</span> <span class="s2">"foo/child1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child1"</span> <span class="p">},</span> <span class="s2">"foo/child4"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child4"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="s2">"bar/child2"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child2"</span> <span class="p">},</span> <span class="s2">"bar/child5"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child5"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="s2">"baz/child3"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child3"</span> <span class="p">},</span> <span class="s2">"baz/child6"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child6"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">]</span> </code></pre> </div> <p>The ellipsis at the end of the array is similar to the spread operator in Javascript , similarly in golang it's a vararg . </p> <p>What it does is spread the three maps as args in the merge function like such <code>merge({...},{...},{...})</code>.</p> <p>From there the merge function handles the rest by merge the 3 maps into a single map. Just be careful with this as you need unique keys , otherwise the duplicated key will get overridden with the last respective value. </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="nx">console</span> <span class="k">output</span> <span class="err">+</span> <span class="nx">out</span> <span class="err">=</span> <span class="p">{</span> <span class="err">+</span> <span class="s2">"bar/child2"</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child2"</span> <span class="p">}</span> <span class="err">+</span> <span class="s2">"bar/child5"</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child5"</span> <span class="p">}</span> <span class="err">+</span> <span class="s2">"baz/child3"</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child3"</span> <span class="p">}</span> <span class="err">+</span> <span class="s2">"baz/child6"</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child6"</span> <span class="p">}</span> <span class="err">+</span> <span class="s2">"foo/child1"</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child1"</span> <span class="p">}</span> <span class="err">+</span> <span class="s2">"foo/child4"</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"child4"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Example </h2> <p>So obviously the above pattern is pretty nifty, let's find an example of how this pattern can become useful.</p> <p>Lets say , you need to create a bunch of vpc-endpoints and you want each endpoint to have its own security-group because you need to control what can access these endpoints.</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 4.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1">## variables</span> <span class="nx">default_vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-id"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"subnet-1-id"</span><span class="p">,</span> <span class="s2">"subnet-2-id"</span><span class="p">]</span> <span class="nx">endpoint_services</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"s3"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.eu-west-1.s3"</span><span class="p">,</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">vpce_name_tag</span> <span class="p">=</span> <span class="s2">"s3-interface"</span><span class="p">,</span> <span class="nx">security_group_ingress_rules</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"team-z-vpc-443"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">443</span><span class="p">,</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.0.0/24"</span><span class="p">],</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span><span class="p">,</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow https vpc traffic in "</span><span class="p">,</span> <span class="p">},</span> <span class="s2">"onprem-443"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">443</span><span class="p">,</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"192.168.0.0/16"</span><span class="p">],</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span><span class="p">,</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow https onprem traffic in "</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="s2">"ddb"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.eu-west-1.dynamodb"</span><span class="p">,</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">vpce_name_tag</span> <span class="p">=</span> <span class="s2">"ddb-interface"</span><span class="p">,</span> <span class="nx">security_group_ingress_rules</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"team-a-vpc-443"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">443</span><span class="p">,</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.1.0/24"</span><span class="p">],</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span><span class="p">,</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow https vpc traffic in "</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">## nested for loop for sg-rules</span> <span class="c1">## not that sg_key_ref is used to reference the sg which is created based on the key-values of local.endpoint_services</span> <span class="nx">endpoint_sg_ingress_rules</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">([</span><span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">endpoint_services</span> <span class="err">:</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">ingressKey</span><span class="p">,</span> <span class="nx">ingressValue</span> <span class="nx">in</span> <span class="nx">v</span><span class="p">.</span><span class="nx">security_group_ingress_rules</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="nx">k</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="nx">ingressKey</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">merge</span><span class="p">({</span> <span class="nx">sg_key_ref</span> <span class="p">=</span> <span class="nx">k</span> <span class="p">},</span> <span class="nx">ingressValue</span><span class="p">)</span> <span class="p">}]...)</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"endpoint_services"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">endpoint_services</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">default_vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">subnet_ids</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">service_name</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">this</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">id</span><span class="p">,</span> <span class="p">]</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">private_dns_enabled</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">vpce_name_tag</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">endpoint_services</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">default_vpc_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">vpce_name_tag</span><span class="k">}</span><span class="s2">-sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"sg for endpoint service: </span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">service_name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">vpce_name_tag</span><span class="k">}</span><span class="s2">-sg"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"ingress"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">endpoint_sg_ingress_rules</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">port</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_blocks</span> <span class="c1">## referencing the parent ( security group) from which the rule is composed into</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">this</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">sg_key_ref</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>The cool thing is: when you need to create another endpoint , all you do is add another object into the map that meets the interface thats defined by the variable(yes I didn't create a variable for this example).</p> <h2> Alternatives/Anti-pattern </h2> <p>I think the alternative to this pattern is to rather create a module for the logic that needs to composed and a for_each on the module by passing the respective properties/input variables into the module. The module would be responsible for handling the logic.</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">module</span> <span class="s2">"endpoints"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">endpoint_services</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../"</span> <span class="nx">default_vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-id"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"subnet-1-id"</span><span class="p">,</span> <span class="s2">"subnet-2-id"</span><span class="p">]</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">service_name</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">private_dns_enabled</span> <span class="nx">vpce_name_tag</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">vpce_name_tag</span> <span class="nx">security_group_ingress_rules</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">security_group_ingress_rules</span> <span class="p">}</span> </code></pre> </div> <p>Thanks for taking the time read this article , hopefully it will become useful for you. Lastly, comment below how you would implement this sort of pattern !</p> terraform cloud aws advanced terraform conditionals Darren Horwitz Sun, 15 Jan 2023 18:23:41 +0000 https://dev.to/darrenhorwitz1/advanced-terraform-conditionals-2a69 https://dev.to/darrenhorwitz1/advanced-terraform-conditionals-2a69 <p>Recently, I had found a new sort of pattern of being able to work around the fact that terraform does not have any method of creating your own functions in configuration files, which resulted in this pattern that I am about to present to you.</p> <p>Disclaimer, this is a bit overkill normal configurations and this came from the need in our team to create a module that is composed of submodules(which need to be conditionally deployed based on the variable inputs of the parent module). Now I know this post is not about why you should or shouldn't compose submodules into a parent module, that's up to you and your team . And obviously there are tradeoffs for that sort of decision.</p> <p>Anyway.</p> <h2> Simple conditional deployments </h2> <p>You may skip to 'conditional deployments using objects' if you already know this stuff.</p> <p>Typically when you want to conditionally deploy a resource/module, you would make use of a count in the resource/module.</p> <p>such as below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"create_vpc"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">value</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">create_vpc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> </code></pre> </div> <p>This will create the vpc , if the create_vpc variable is true (by creating one instance of the aws_vpc.main resource) ; else it will not create the vpc resource i.e. 0.</p> <p>There are other ways of utilising this pattern such as doing a count using the length of some string variable, a list, or using a for_each for a map/set . </p> <h3> length of string </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">variable</span> <span class="s2">"some_string"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">""</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">some_string</span><span class="p">)</span> <span class="err">!</span><span class="p">=</span><span class="mi">0</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> </code></pre> </div> <h3> length of list </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">variable</span> <span class="s2">"some_list"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">any</span><span class="p">)</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">some_list</span><span class="p">)</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> </code></pre> </div> <p>this one can potentially create n vpcs depending on how many elements are provided in the list.</p> <h3> using a map </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">variable</span> <span class="s2">"some_map"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">any</span><span class="p">)</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">some_map</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> </code></pre> </div> <p>this one can potentially create n vpcs depending on how many key pairs are provided in the map.</p> <h2> conditional deployments using objects and locals </h2> <p>Now we are going to step it up a notch by using nested turnery statements with objects.</p> <h3> nested twice </h3> <p>So say you have some object like such:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"foo"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">bar</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">bool</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> <span class="p">})</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"single"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">foo</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"nested"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">foo</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="kd">var</span><span class="p">.</span><span class="nx">foo</span><span class="p">.</span><span class="nx">bar</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> </code></pre> </div> <p>In this example, if foo is not being passed a value then it will result in null. Which means, both the aws_vpc.nested and aws_vpc.single resources will not get deployed as the variable (foo) is null.</p> <p>If we pass an object , aws_vpc.single will get deployed as it not null.</p> <p>This next explanation of the aws_vpc.nested resource will assume you know how optional functions work but if not I'll explain by means of a short example:</p> <p>if you passed an empty object to the variable "foo" as such <code>foo = {}</code> , this would result property bar in foo taking the default value of true like such: 'foo = { bar = true}' . You can override this default value , when passing in a object with the respective properties. The docs probably do a better explanation that this so you can read it over here : <a href="https://dev.tooptionals">https://developer.hashicorp.com/terraform/language/expressions/type-constraints#optional-object-type-attributes</a></p> <p>So given that foo is not null then we can do an additional turnery expression on a property of the object, in this case bar.</p> <p>What the count statement is saying , given that foo is not null and bar is true , then create one instance of this vpc resource.</p> <p>you can view it like such<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"nested"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">foo</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="kd">var</span><span class="p">.</span><span class="nx">foo</span><span class="p">.</span><span class="nx">bar</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> </code></pre> </div> <p>*I know this is not legit terraform syntax</p> <p>or like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">function</span> <span class="nf">deployVpc</span><span class="p">(</span><span class="nx">foo</span><span class="p">){</span> <span class="k">if </span><span class="p">(</span><span class="nx">foo</span> <span class="o">!=</span> <span class="kc">null</span><span class="p">){</span> <span class="k">if</span><span class="p">(</span><span class="nx">foo</span><span class="p">.</span><span class="nx">bar</span><span class="p">){</span> <span class="k">return</span> <span class="mi">1</span> <span class="p">}</span><span class="k">else</span><span class="p">{</span> <span class="k">return</span> <span class="mi">0</span> <span class="p">}</span> <span class="p">}</span><span class="k">else</span><span class="p">{</span> <span class="k">return</span> <span class="mi">0</span> <span class="p">{</span> <span class="p">}</span> </code></pre> </div> <p>The reason we can't use <code>&amp;&amp;</code> logic expressions ( <code>var.foo != null &amp;&amp; var.foo.bar ? 1 : 0</code> ) is because it will fail at deployment time because you can't access a property on null variable. This is, of course, if the foo variable is null.</p> <h3> nested three times </h3> <p>the same sort of logic can apply to below<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">variable</span> <span class="s2">"foo"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">bar</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">baz</span><span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">bool</span><span class="p">,</span><span class="kc">true</span><span class="p">)</span> <span class="p">}),</span><span class="kc">null</span><span class="p">)</span> <span class="p">})</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"nested"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">foo</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="kd">var</span><span class="p">.</span><span class="nx">foo</span><span class="p">.</span><span class="nx">bar</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="kd">var</span><span class="p">.</span><span class="nx">foo</span><span class="p">.</span><span class="nx">bar</span><span class="p">.</span><span class="nx">baz</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> </code></pre> </div> <p>Now doing this is overkill, and you should only resort to it as an anti pattern. Rather, keep the conditional logic as simple as possible.</p> <h2> the actual advanced implementation </h2> <p>So, the real reason why we have this sort of pattern is because our team typically works with a multi account setup in aws particularly. So we need to deploy a whole bunch of baseline resources that should be part of each account by default.</p> <p>We found this pattern emerging with our network baseline implementation of the baseline module where we have transit gateway present and it is used for spoke vpcs' in another account and spoke vpcs' that may be present in the networking account.</p> <p>So how this pattern would look like in practice would be as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">variable</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">tgw</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">create_tgw</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">exisiting_transit_gateway_id</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span> <span class="p">}))</span> <span class="nx">vpc</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">azs</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">tgw_subnet_cidrs</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}))</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">deploy_vpc</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">network</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="kd">var</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="kc">true</span> <span class="err">:</span> <span class="kc">false</span> <span class="err">:</span> <span class="kc">false</span> <span class="nx">tgw_not_null</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">network</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="kd">var</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">tgw</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="kc">true</span> <span class="err">:</span> <span class="kc">false</span> <span class="err">:</span> <span class="kc">false</span> <span class="nx">deploy_tgw</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">tgw_not_null</span> <span class="err">?</span> <span class="kd">var</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">tgw</span><span class="p">.</span><span class="nx">create_tgw</span> <span class="err">?</span> <span class="kc">true</span> <span class="err">:</span> <span class="kc">false</span> <span class="err">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">deploy_tgw</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="c1"># ... other vars</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_vpc_attachment"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">deploy_vpc</span> <span class="err">&amp;&amp;</span> <span class="kd">local</span><span class="p">.</span><span class="nx">tgw_not_null</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">tgw</span> <span class="err">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">deploy_tgw</span> <span class="err">?</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">this</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="err">:</span> <span class="kd">var</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">tgw</span><span class="p">.</span><span class="nx">exisiting_transit_gateway_id</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">this</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"tgw"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">deploy_vpc</span> <span class="err">&amp;&amp;</span> <span class="kd">local</span><span class="p">.</span><span class="nx">tgw_not_null</span> <span class="err">?</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">azs</span><span class="p">)</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">tgw_subnet_cidrs</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">deploy_vpc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="c1"># ... other vars</span> <span class="p">}</span> </code></pre> </div> <p>Setting aside implementation of the above resources and the fact that there are plenty of resources that missing to make this complete.</p> <p>This will deploy a vpc based on the vpc property in the network variable. Similarly, a transit gateway will be deployed if it is present and create_tgw is true. </p> <p>Inside of the transit gateway attachment resource, one can see that its only dependent on the fact that a vpc is being deployed and that the tgw object in the network object is not null. This means that, one is either passing in an existing tgw id or using the one that has been created. </p> <p>If the tgw object is null and the vpc object is not null then only a standalone vpc will be deployed based on the current logic.</p> <h3> Pseudo Functions </h3> <p>I Like to think of locals as pseudo functions because they return a value, based on the variables/resources that have been configured.</p> <p>You can see how nifty they are when trying to separate messy logic that can make your file extend horizontally, which in turn makes it less readable. </p> <p>I think a good use case of using the pseudo functions are for scenarios that are quite deterministic i.e. the true/false scenarios, but they can be used to further separate the logic complex turnery statements. Or even build up some strings or separate for logic.</p> <h2> Closing thoughts </h2> <p>Try to avoid this sort complexity, but if you do need something to do a bit of heavy lifting for you: look to use 'psuedo functions' to make your code a little bit more readable.</p> <p>I hope you enjoyed reading this post as much as I did writing it.</p> <p>Cheers.</p> documentation learning productivity Aws Resource Tags Darren Horwitz Fri, 24 Jun 2022 08:53:44 +0000 https://dev.to/darrenhorwitz1/aws-resource-tags-34pd https://dev.to/darrenhorwitz1/aws-resource-tags-34pd <p>Anyone would like to share their thoughts on some resource tagging strategies and commonly used tags?</p> <p>As well as the average amount of tags used on resources ?</p> <p>Thanks a lot 🙏 </p> aws iac discuss