How to use array as input in terragrunt which accepts only as string in terraform #3205

Open
Ashraf1991 opened this issue Jun 13, 2024 · 7 comments
Assignees
Labels
awaiting response Waiting for a response or more data from issue reporter bug Something isn't working

Comments

@Ashraf1991

Describe the bug

We have Terraform code for a key vault (Azure) in which the object ID is a string for access policies, but I wanted to give it as an array, i.e. multiple user IDs (object IDs) in a single object ID.

Steps To Reproduce

Steps to reproduce the behavior, code snippets and examples which can be used to reproduce the issue.

main.tf :

resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name = "standard"

  # One access_policy block is generated per element of var.access_policies.
  dynamic "access_policy" {
    for_each = var.access_policies
    content {
      tenant_id          = data.azurerm_client_config.current.tenant_id
      object_id          = access_policy.value["object_id"]
      secret_permissions = access_policy.value["secret_permissions"]
      key_permissions    = access_policy.value["key_permissions"]
    }
  }
}

variables.tf:

variable "access_policies" {
  type = set(
    object({
      object_id          = string,
      secret_permissions = set(string),
      key_permissions    = set(string)
    })
  )
}

keyvault > terragrunt.hcl :

input ={
  access_policies = [
    { object_id = "xyz", secret_permissions = ["Get","Set"], key_permissions = ["Get"] },
    { object_id = "abc", secret_permissions = ["Get"], key_permissions = ["Get"] } ]

The above code is working fine.

Expected behavior

I want to keep the object ID as an array, with the secret permissions and key permissions in 1 line, something like below, which is not working even if I keep object_id = set(string) in variables.tf.

{ object_id = "xyz","abc" , secret_permissions = ["Get","Set"], key_permissions = ["Get"] },

In fact, I wanted to keep these object IDs as common values in the global_var.hcl file, so that all environments can have the same object_id, rather than in the local terragrunt file.

@Ashraf1991 Ashraf1991 added the bug Something isn't working label Jun 13, 2024
@denis256
Member

Hi,
It is not clear from the description what is required to be achieved.

For example, the block:

input ={
  access_policies = [
    { object_id = "xyz", secret_permissions = ["Get","Set"], key_permissions = ["Get"] },
    { object_id = "abc", secret_permissions = ["Get"], key_permissions = ["Get"] } ]

above code is working fine

doesn't have the input block finished.

@denis256 denis256 added the awaiting response Waiting for a response or more data from issue reporter label Jun 13, 2024
@Ashraf1991
Author

Ashraf1991 commented Jun 13, 2024

I just gave an example snippet of the keyvault > terragrunt.hcl file. I want the object ID to be an array, something like below.

{ object_id = ["xyz","abc"] , secret_permissions = ["Get","Set"], key_permissions = ["Get"] },

Not multiple object IDs on different lines, as in the keyvault > terragrunt.hcl file.

I tried set(string) for the object ID in the variables.tf file as below, but the issue still exists.

error - object_id must be string

variables.tf:

variable "access_policies" {
  type = set(
    object({
      object_id          = set(string),
      secret_permissions = set(string),
      key_permissions    = set(string)
    })
  )
}

@denis256
Member

Hi,
Most probably the object can be preprocessed through a local block. I don't have an Azure account configured, so I did a small example on plain objects:

# main.tf
variable "access_policies" {
  type = list(
    object({
      object_id = list(string),
      secret_permissions = list(string),
      key_permissions = list(string)
    })
  )
}

locals {
  processed_access_policies = [
    for policy in var.access_policies : {
      object_ids = [for id in policy.object_id : id]
      secret_permissions = policy.secret_permissions
      key_permissions = policy.key_permissions
    }
  ]
}

output "processed_access_policies" {
  value = local.processed_access_policies
}

# terragrunt.hcl
inputs = {
  access_policies = [
    {
      object_id = ["xyz", "abc"],
      secret_permissions = ["Get", "Set"],
      key_permissions = ["Get"]
    }
  ]
}

Reference:
https://github.com/denis256/terragrunt-tests/tree/master/issue-3205

@yhakbar
Collaborator

yhakbar commented Jun 24, 2024

Hey @Ashraf1991 , did you leverage @denis256 's advice? If so, did it help?

@Ashraf1991
Author

@denis256 @yhakbar - I am still facing the same issue.

@denis256
Member

Hi,
Can you share an example repo where this issue happens and what is expected? From the previous messages it is not fully clear what is expected.

@Ashraf1991
Author

Using the below code, I was able to achieve the required result, but I have the following error .. any idea?
Main.tf:

# Expand each policy into one element per object ID.
dynamic "access_policy" {
  for_each = toset(flatten([
    for policy in var.access_policies : [
      for object_id in policy.object_id : {
        object_id          = object_id
        secret_permissions = policy.secret_permissions
        key_permissions    = policy.key_permissions
      }
    ]
  ]))

  content {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = access_policy.value.object_id
    secret_permissions = access_policy.value.secret_permissions
    key_permissions    = access_policy.value.key_permissions
  }
}

variable "access_policies" {
  type = set(object({
    object_id          = set(string),
    secret_permissions = set(string),
    key_permissions    = set(string)
  }))
}

terragrunt.hcl

inputs = {
  access_policies = [
    { object_id = ["xyz", "abc"], secret_permissions = ["Get", "Set"], key_permissions = ["Get"] },
    { object_id = ["3cm"], secret_permissions = ["Get"], key_permissions = ["Get"] }
  ]
}

current error:
Planning failed. Terraform encountered an error while generating this plan.
350│ Error: Invalid value for input variable
351│
352│ on variables.tf line 28:
353│ 28: variable "access_policies" {
354│
355│ Unsuitable value for var.access_policies set using the
356│ TF_VAR_access_policies environment variable: element 0: attribute
357│ "object_id": string required.

I have not defined TF_VAR_access_policies anywhere in my code..
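
Added example, not code from the issue or from the Terragrunt project: one way to accept several object IDs per entry and expand them into exactly one policy per ID, with the shared IDs read from the global_var.hcl file the reporter mentions. It uses plain values so it can be planned without Azure; `kv_reader_object_ids` and `access_policy_by_object_id` are hypothetical names, and in the thread's azurerm_key_vault resource the dynamic block's for_each would be set to local.access_policy_by_object_id.

```hcl
# variables.tf (constructed example; plain values, no Azure account needed)
variable "access_policies" {
  type = list(object({
    object_id          = list(string)
    secret_permissions = set(string)
    key_permissions    = set(string)
  }))
  # An object ID listed in two entries would yield two access policies for
  # the same principal, so reject it at plan time.
  validation {
    condition = (
      length(flatten(var.access_policies[*].object_id)) ==
      length(distinct(flatten(var.access_policies[*].object_id)))
    )
    error_message = "Each object_id may appear in only one access_policies entry."
  }
}

locals {
  # One element per object ID, keyed by that ID.
  access_policy_by_object_id = {
    for p in flatten([
      for policy in var.access_policies : [
        for id in policy.object_id : {
          object_id          = id
          secret_permissions = policy.secret_permissions
          key_permissions    = policy.key_permissions
        }
      ]
    ]) : p.object_id => p
  }
}

output "access_policy_by_object_id" {
  value = local.access_policy_by_object_id
}

# terragrunt.hcl (kv_reader_object_ids is a hypothetical local in global_var.hcl)
locals {
  global = read_terragrunt_config(find_in_parent_folders("global_var.hcl"))
}

# Terragrunt hands inputs to Terraform as TF_VAR_<name> environment variables.
inputs = {
  access_policies = [
    { object_id = local.global.locals.kv_reader_object_ids, secret_permissions = ["Get", "Set"], key_permissions = ["Get"] },
    { object_id = ["3cm"], secret_permissions = ["Get"], key_permissions = ["Get"] },
  ]
}
```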
