I am trying to use Terraform's public modules and I created a lot of IAM users like so:

```hcl
module "iam_finance_users" {
  source   = "terraform-aws-modules/iam/aws//modules/iam-user"
  version  = "5.9.1"
  for_each = var.finance_users

  name                    = each.value
  force_destroy           = true
  create_iam_access_key   = false
  password_reset_required = true
}
```

My variables.tf file has the following:

```hcl
variable "finance_users" {
  type    = set(string)
  default = ["[email protected]", "[email protected]"....]
}
```
Now I am trying to add these users to a group like so:

```hcl
module "iam_group_finance" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
  version = "5.9.1"

  name        = "finance"
  group_users = ["${module.iam_finance_users.iam_user_name}"]

  attach_iam_self_management_policy = true

  custom_group_policy_arns = [
    "${module.iam_read_write_policy.arn}",
  ]
}
```
But no matter what I try I still keep getting errors. I have a list of users in a variable and I want to add all those users created in that module to the group module. I know I’m close but I can’t quite seem to close this.
3 Answers
Since you used `for_each` in the module, you have to use `values` to access elements of all instances of the module created. You could try something like below:

This is untested, so you might need to tweak a bit. Reference thread: https://discuss.hashicorp.com/t/for-each-objects-to-list/36609/2
It's often helpful to know what the error is. In versions of Terraform v1.0 or newer, the errors become fairly explanatory. The error you were likely getting was something similar to:

The solutions, which both work, can be tested using the following example code:

Module 1: `modules/iam-user`

Module 2: `modules/iam-group-with-policies`

Root module (your code):

You can easily test each module along the way using `terraform console`. E.g.:

Here you can see why it didn't work. The module doesn't spit out a list in that way, so you have to iterate through the module to get your variable. This is why both the `for` method as well as the `values` method work. Look at how differently a single module is handled:

Notice that when not inside a loop (`for_each`), the single `iam_user_name` is accessible.
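Both answers above make the same point: a module block with `for_each` produces a map of module instances keyed by `each.key`, so `module.iam_finance_users.iam_user_name` has no meaning and the output has to be collected across all instances. The root module below is an added example that is not part of the question or either answer; it assumes the same public modules at version 5.9.1, uses constructed placeholder user names, and substitutes the AWS-managed `ReadOnlyAccess` policy for the `module.iam_read_write_policy` that the question references but does not show.

```hcl
# Added example, not code from the question or the answers. Assumes
# terraform-aws-modules/iam/aws 5.9.1 and an AWS provider already configured.

variable "finance_users" {
  type = set(string)
  # Constructed placeholder values; replace with the real user names.
  default = ["alice@example.com", "bob@example.com"]
}

module "iam_finance_users" {
  source   = "terraform-aws-modules/iam/aws//modules/iam-user"
  version  = "5.9.1"
  for_each = var.finance_users

  name                    = each.value
  force_destroy           = true
  create_iam_access_key   = false
  password_reset_required = true
}

# With for_each, module.iam_finance_users is a map such as
#   { "alice@example.com" = { iam_user_name = "alice@example.com", ... }, ... }
# rather than a single module instance, so the attribute must be
# gathered from every element of that map.
locals {
  # Option 1: values() turns the map into a list of module objects and the
  # splat picks the iam_user_name output from each of them.
  finance_user_names = values(module.iam_finance_users)[*].iam_user_name

  # Option 2: a for expression over the map; equivalent to option 1.
  finance_user_names_alt = [for u in module.iam_finance_users : u.iam_user_name]
}

module "iam_group_finance" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
  version = "5.9.1"

  name        = "finance"
  group_users = local.finance_user_names

  attach_iam_self_management_policy = true

  # Stand-in for the question's module.iam_read_write_policy.arn, which is
  # not shown; an AWS-managed policy keeps this example self-contained.
  custom_group_policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
  ]
}

output "finance_group_members" {
  value = local.finance_user_names
}
```

After `terraform apply`, `terraform console` evaluates `values(module.iam_finance_users)[*].iam_user_name` to the full list of names, while `module.iam_finance_users.iam_user_name` is rejected because the map has no such attribute. Two operational caveats worth keeping in mind: `force_destroy = true` allows `terraform destroy` to delete a user even when it still has access keys, a login profile or MFA devices that Terraform does not manage, and the group module's membership resource is authoritative for the group, so any user added to `finance` outside Terraform is removed on the next apply.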