
Resource references don't seem to work when combined with `for_each`

Open ajkerrigan opened this issue 1 year ago • 2 comments

In https://github.com/orgs/cloud-custodian/discussions/9181 there is a question about checking S3 server-side encryption settings that are defined in separate resources. That works fine for individual buckets:

# Bucket with no inline encryption settings. Its server-side encryption is
# declared by the separate aws_s3_bucket_server_side_encryption_configuration
# resource that references this bucket's id.
resource "aws_s3_bucket" "sse_enabled_separately" {
  bucket = "sse_enabled_separately"
}

# Default server-side encryption (AES256) for the sse_enabled_separately
# bucket, declared as a resource of its own.
resource "aws_s3_bucket_server_side_encryption_configuration" "sse_enabled_separately" {
  # Direct attribute reference to a single bucket; the issue reports that this
  # form works.
  bucket = aws_s3_bucket.sse_enabled_separately.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

But if we add a `for_each`, the resulting graph doesn't seem to include references, so the c7n-left `traverse` filter has no link to follow from the bucket to its encryption configuration.

# Single-element set of bucket names. It is the for_each of the bucket resource
# below and, in this repro, is also assigned to the encryption configuration's
# bucket argument.
locals {
  sse_separate = toset(["mybucket"])
}

# One bucket instance per element of local.sse_separate, with object lock
# enabled. No encryption settings are declared inline.
resource "aws_s3_bucket" "sse_separate_for_each" {
  for_each            = local.sse_separate
  # When for_each iterates a set, each.key is the element itself.
  bucket              = each.key
  object_lock_enabled = true
}

# Encryption configuration instantiated once per aws_s3_bucket instance. This is
# the case the issue reports: the parsed graph carried no reference from this
# resource back to the bucket instances.
resource "aws_s3_bucket_server_side_encryption_configuration" "sse_separate_for_each" {
  # Iterates the bucket resource itself, so each.value is a bucket instance.
  for_each = aws_s3_bucket.sse_separate_for_each
  # NOTE(review): local.sse_separate is the whole set of names rather than one
  # bucket name, so this line looks like part of the repro, not a working
  # setting. The dump later in the thread shows it parsed as a list.
  bucket   = local.sse_separate

  # References are also missing for these variations:
  # bucket = each.key
  # bucket = each.value.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

ajkerrigan avatar Dec 04 '23 04:12 ajkerrigan

any updates?

enutrofff avatar Jan 09 '24 15:01 enutrofff

This might be addressed by the fixes for #193, since it appeared that `toset` was not being evaluated properly.

kapilt avatar May 20 '24 08:05 kapilt

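Confirmed this is resolved. Re-running `c7n-left dump` now shows the encryption configuration's `for_each` resolved to a reference whose `__ref__` matches the bucket's `id`: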

{
  "input_vars": {},
  "graph": {
    "aws_s3_bucket": [
      {
        "__tfmeta": {
          "filename": "main.tf",
          "label": "aws_s3_bucket",
          "line_end": 9,
          "line_start": 5,
          "path": "aws_s3_bucket.sse_separate_for_each[\"mybucket\"]",
          "type": "resource"
        },
        "bucket": "mybucket",
        "for_each": [
          "mybucket"
        ],
        "id": "e7212cfa-ee44-4365-9e43-85ba2b487d87",
        "object_lock_enabled": true
      }
    ],
    "aws_s3_bucket_server_side_encryption_configuration": [
      {
        "__tfmeta": {
          "filename": "main.tf",
          "label": "aws_s3_bucket_server_side_encryption_configuration",
          "line_end": 24,
          "line_start": 11,
          "path": "aws_s3_bucket_server_side_encryption_configuration.sse_separate_for_each[\"mybucket\"]",
          "type": "resource"
        },
        "bucket": [
          "mybucket"
        ],
        "for_each": {
          "__attribute__": "aws_s3_bucket.sse_separate_for_each",
          "__name__": "sse_separate_for_each[\"mybucket\"]",
          "__ref__": "e7212cfa-ee44-4365-9e43-85ba2b487d87",
          "__type__": "aws_s3_bucket"
        },
        "id": "af563c92-82b0-4651-a66b-9ab001ac4274",
        "rule": {
          "__tfmeta": {
            "filename": "main.tf",
            "line_end": 23,
            "line_start": 19
          },
          "apply_server_side_encryption_by_default": {
            "__tfmeta": {
              "filename": "main.tf",
              "line_end": 22,
              "line_start": 20
            },
            "id": "d38ed691-99e4-48ee-8966-0bb9e2aad8a4",
            "sse_algorithm": "AES256"
          },
          "id": "82337b6f-30a1-451f-935a-066762cf52bc"
        }
      }
    ],
    "locals": [
      {
        "__tfmeta": {
          "filename": "main.tf",
          "line_end": 3,
          "line_start": 1,
          "path": "locals"
        },
        "id": "b256eaa8-2348-4fef-8110-bed54198208d",
        "sse_separate": [
          "mybucket"
        ]
      }
    ]
  }
}

kapilt avatar Jun 07 '24 11:06 kapilt