Terraform error with dynamic block in for_each

3
votes

I'm trying to instantiate an azure storage_share map using the azuremrm resource storage_share. By design, I need to be able to instantiate more than one storage share with the same block; each of those shares may or may not have an "acl" section.

I was thinking of solving this issue using a for_each in conjuction with a dynamic block, as in the related SE question:

Main.tf

resource "azurerm_storage_share" "storage_share" {
  for_each             = var.storage_share_map
  name                 = each.key
  storage_account_name = azurerm_storage_account.sa.name
  quota                = each.value.quota

  dynamic "acl" {
    for_each = each.value.acl
    content {
      id = acl.value.id

      access_policy {
        permissions = acl.value.access_policy.permissions
        start       = acl.value.access_policy.start
        expiry      = acl.value.access_policy.expiry
      }
    }
  }

The variable would be defined as:

variable "storage_share_map" {
  type = map(object({
    quota = number,
    acl = object({
      id = string,
      access_policy = object({
        expiry      = string,
        permissions = string,
        start       = string
      })
    }),
  }))
  default     = {}
}

and later parametrized in my tests as:

storage_share_map = { 
  my-share-2 = {
    quota = 123,
    acl = {
      id = "a-id",
      access_policy = {
        expiry      = "ISO8061 UTC TIME"
        permissions = "rwdl"
        start       = "ISO8601 UTC TIME"
      },
    },
  }

However, when testing, terraform returns the following output:

Error: Unsupported attribute

  on .terraform\modules\sa\main.tf line 83, in resource "azurerm_storage_share" "storage_share":
  83:       id = acl.value.id
    |----------------
    | acl.value is object with 3 attributes

This object does not have an attribute named "id".


Error: Unsupported attribute

  on .terraform\modules\sa\main.tf line 83, in resource "azurerm_storage_share" "storage_share":
  83:       id = acl.value.id
    |----------------
    | acl.value is "a-id"

This value does not have any attributes.


Error: Unsupported attribute

  on .terraform\modules\sa\main.tf line 86, in resource "azurerm_storage_share" "storage_share":
  86:         permissions = acl.value.access_policy.permissions
    |----------------
    | acl.value is object with 3 attributes

This object does not have an attribute named "access_policy".


Error: Unsupported attribute

  on .terraform\modules\sa\main.tf line 86, in resource "azurerm_storage_share" "storage_share":
  86:         permissions = acl.value.access_policy.permissions
    |----------------
    | acl.value is "a-id"

This value does not have any attributes.

As I understand it, the issue here is that the for_each inside the dynamic block is either malformed or misbehaving: acl.value appears to be both valued as the string "a-id" and carrying three attribute (?).

Terraform version 0.12.26 Azurerm version 2.26.0

Any insight would be appreciated.

Related question: Dynamic block with for_each inside a resource created with a for_each

2
terraformterraform-provider-azure

2 Answers

4
votes

By iterating in the dynamic block with for_each = each.value.acl, you are iterating over the values in the object type. It appears you really want to iterate over the acl themselves. You would need to adjust your type to:

variable "storage_share_map" {
  type = map(object({
    quota = number,
    acl = list(object({
      ...
    }))
  })),
}

You can tell from the error messages that currently it is iterating over id and then access_policy, and failing to find the two requested attributes for each, which is why you have 2*2=4 errors.

You can adjust your input correspondingly to:

storage_share_map = { 
  my-share-2 = {
    quota = 123,
    acl = [{
      id = "a-id",
      access_policy = {
        expiry      = "ISO8061 UTC TIME"
        permissions = "rwdl"
        start       = "ISO8601 UTC TIME"
      },
    }],
  }

and this will achieve the behavior you desire.

Note that Terraform 0.12 has issues sometimes with nested object type specifications, so omitting the acl with [] may result in crashing under certain circumstances.

3
votes

Please use square brackets for each.value.acl.

Azure storage share block should look like:

resource "azurerm_storage_share" "storage_share" {
  for_each             = var.storage_share_map
  name                 = each.key
  storage_account_name = azurerm_storage_account.sa.name
  quota                = each.value.quota

  dynamic "acl" {
    for_each = [each.value.acl]
    content {
      id = acl.value.id

      access_policy {
        permissions = acl.value.access_policy.permissions
        start       = acl.value.access_policy.start
        expiry      = acl.value.access_policy.expiry
      }
    }
  }
}