Bug report-Role mapping failing due to Kubernetes role which is not part of current architecture #1966

Open
1 task done
vijayshankersingh opened this issue Apr 19, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@vijayshankersingh
Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Version of the module you are using

5.5.0

Rover Version

aztfmod/azurecaf v1.2.28

Terraform Version

1.8.1 x64

AzureRM Provider Version

5.7.10

Affected Resource(s)/Data Source(s)

azurerm_role_assignment

Terraform Configuration Files

We are using CAF; the following format of the tfvar is used in our config:

Ref: https://github.com/aztfmod/terraform-azurerm-caf/blob/main/examples/role_mapping/100-simple-role-mapping/configuration.tfvars

The values look like:

role_mapping = {
  built_in_role_mapping = {

    storage_accounts = {
      saevmk = {
        # lz_key = "" to be defined when the keyvault is created in a different lz

        "Storage Blob Data Owner" = {
          managed_identities = {
            #lz_key = "remote"  #to be defined when the msi is created in a different lz
            keys = ["evmk_sor", "evmk_pvm", "evmk_bgp"]
          }
        }
        "Storage Blob Data Contributor" = {
          managed_identities = {
            #lz_key = "remote"  #to be defined when the msi is created in a different lz
            keys = ["evmk_sor", "evmk_pvm", "evmk_bgp"]
          }
        }
      }
    }
  }
}

Expected Behaviour

Expect the terraform apply to run fine.

Actual Behaviour

The terraform plan is failing with the below error:

2024-04-18T23:51:50.4263690Z A value of type string cannot be used as the collection in a 'for'
2024-04-18T23:51:50.4264120Z expression.
2024-04-18T23:51:50.4264252Z
2024-04-18T23:51:50.4264604Z Error: Iteration over non-iterable value
2024-04-18T23:51:50.4264861Z
2024-04-18T23:51:50.4265116Z on .terraform/modules/caf/roles.tf line 216, in locals:
2024-04-18T23:51:50.4265803Z 215: for role_definition_name, resources in role_mapping : [ # "Azure Kubernetes Service Cluster Admin Role" = {
2024-04-18T23:51:50.4266657Z 216: for object_id_key, object_resources in resources : [ # azuread_group_keys = {
2024-04-18T23:51:50.4268099Z 217: for object_id_key_resource in object_resources.keys : # keys = [ "aks_admins" ] ----End of variable
2024-04-18T23:51:50.4268898Z 218: { # "seacluster_Azure_Kubernetes_Service_Cluster_Admin_Role_aks_admins" = {
2024-04-18T23:51:50.4269517Z 219: mode = key_mode # "mode" = "built_in_role_mapping"
2024-04-18T23:51:50.4269983Z 220: scope_resource_key = key
2024-04-18T23:51:50.4270468Z 221: scope_lz_key = try(role_mapping.lz_key, null)
2024-04-18T23:51:50.4271035Z 222: scope_key_resource = scope_key_resource
2024-04-18T23:51:50.4271465Z 223: role_definition_name = role_definition_name
2024-04-18T23:51:50.4271903Z 224: object_id_resource_type = object_id_key
2024-04-18T23:51:50.4272499Z 225: object_id_key_resource = object_id_key_resource # "object_id_key_resource" = "aks_admins"
2024-04-18T23:51:50.4273145Z 226: object_id_lz_key = try(object_resources.lz_key, null)
2024-04-18T23:51:50.4273567Z 227: }
2024-04-18T23:51:50.4273801Z 228: ]
2024-04-18T23:51:50.4274086Z 229: ] if role_definition_name != "lz_key"
2024-04-18T23:51:50.4274363Z
2024-04-18T23:51:50.4274801Z A value of type string cannot be used as the collection in a 'for'
2024-04-18T23:51:50.4275234Z expression.
2024-04-18T23:51:50.4275366Z
2024-04-18T23:51:50.4275558Z Error: Unsupported attribute
2024-04-18T23:51:50.4275825Z
2024-04-18T23:51:50.4276077Z on .terraform/modules/caf/roles.tf line 217, in locals:
2024-04-18T23:51:50.4276982Z 217: for object_id_key_resource in object_resources.keys : # keys = [ "aks_admins" ] ----End of variable
2024-04-18T23:51:50.4277513Z

Steps to Reproduce

terraform plan:

fails with error:

2024-04-18T23:51:50.4263690Z A value of type string cannot be used as the collection in a 'for'
2024-04-18T23:51:50.4264120Z expression.
2024-04-18T23:51:50.4264252Z
2024-04-18T23:51:50.4264604Z Error: Iteration over non-iterable value
2024-04-18T23:51:50.4264861Z
2024-04-18T23:51:50.4265116Z on .terraform/modules/caf/roles.tf line 216, in locals:
2024-04-18T23:51:50.4265803Z 215: for role_definition_name, resources in role_mapping : [ # "Azure Kubernetes Service Cluster Admin Role" = {
2024-04-18T23:51:50.4266657Z 216: for object_id_key, object_resources in resources : [ # azuread_group_keys = {
2024-04-18T23:51:50.4268099Z 217: for object_id_key_resource in object_resources.keys : # keys = [ "aks_admins" ] ----End of variable
2024-04-18T23:51:50.4268898Z 218: { # "seacluster_Azure_Kubernetes_Service_Cluster_Admin_Role_aks_admins" = {
2024-04-18T23:51:50.4269517Z 219: mode = key_mode # "mode" = "built_in_role_mapping"
2024-04-18T23:51:50.4269983Z 220: scope_resource_key = key
2024-04-18T23:51:50.4270468Z 221: scope_lz_key = try(role_mapping.lz_key, null)
2024-04-18T23:51:50.4271035Z 222: scope_key_resource = scope_key_resource
2024-04-18T23:51:50.4271465Z 223: role_definition_name = role_definition_name
2024-04-18T23:51:50.4271903Z 224: object_id_resource_type = object_id_key
2024-04-18T23:51:50.4272499Z 225: object_id_key_resource = object_id_key_resource # "object_id_key_resource" = "aks_admins"
2024-04-18T23:51:50.4273145Z 226: object_id_lz_key = try(object_resources.lz_key, null)
2024-04-18T23:51:50.4273567Z 227: }
2024-04-18T23:51:50.4273801Z 228: ]
2024-04-18T23:51:50.4274086Z 229: ] if role_definition_name != "lz_key"
2024-04-18T23:51:50.4274363Z
2024-04-18T23:51:50.4274801Z A value of type string cannot be used as the collection in a 'for'
2024-04-18T23:51:50.4275234Z expression.
2024-04-18T23:51:50.4275366Z
2024-04-18T23:51:50.4275558Z Error: Unsupported attribute
2024-04-18T23:51:50.4275825Z
2024-04-18T23:51:50.4276077Z on .terraform/modules/caf/roles.tf line 217, in locals:
2024-04-18T23:51:50.4276982Z 217: for object_id_key_resource in object_resources.keys : # keys = [ "aks_admins" ] ----End of variable
2024-04-18T23:51:50.4277513Z

Important Factoids

No response

References

Using the following tfvar format:

https://github.com/aztfmod/terraform-azurerm-caf/blob/main/examples/role_mapping/100-simple-role-mapping/configuration.tfvars

@vijayshankersingh vijayshankersingh added the bug Something isn't working label Apr 19, 2024
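
The nesting that the roles.tf excerpt in the error output walks can be checked against a role_mapping value before running terraform plan. The following is an added example, not part of the original issue or the CAF module: `check_role_mapping` and both sample dictionaries are hypothetical, the three outer levels are assumed from the tfvars layout shown in the issue, and the malformed sample is constructed to show the two reported error shapes, not a diagnosis of the reporter's configuration.

```python
# Added example: pre-flight shape check for a CAF-style role_mapping value.
# Levels assumed from the tfvars on this page:
#   mode -> scope type -> scope key -> role name -> object type -> {keys = [...]}

def check_role_mapping(role_mapping):
    """Return (path, problem) pairs for entries the nested for-expressions cannot walk."""
    findings = []

    def items(value, path):
        # A 'for' over a string is the "Iteration over non-iterable value" case.
        if not isinstance(value, dict):
            findings.append((path, "not a map, cannot be iterated"))
            return []
        return value.items()

    for mode, scope_types in items(role_mapping, "role_mapping"):
        for scope_type, scopes in items(scope_types, mode):
            for key, roles in items(scopes, f"{mode}.{scope_type}"):
                for role, resources in items(roles, f"{mode}.{scope_type}.{key}"):
                    if role == "lz_key":  # skipped by the filter on roles.tf line 229
                        continue
                    base = f"{mode}.{scope_type}.{key}.{role}"
                    for obj_type, obj in items(resources, base):
                        # roles.tf line 217 reads object_resources.keys
                        keys = obj.get("keys") if isinstance(obj, dict) else None
                        if not isinstance(keys, list):
                            findings.append((f"{base}.{obj_type}", "no list-valued 'keys'"))
    return findings

MSI = {"managed_identities": {"keys": ["evmk_sor", "evmk_pvm", "evmk_bgp"]}}
# Transcription of the tfvars shown on this page.
PAGE_CONFIG = {"built_in_role_mapping": {"storage_accounts": {"saevmk": {
    "Storage Blob Data Owner": MSI,
    "Storage Blob Data Contributor": MSI,
}}}}
# Constructed malformed variant (not the reporter's configuration).
CONSTRUCTED_BAD = {"built_in_role_mapping": {"storage_accounts": {"saevmk": {
    "lz_key": "remote",
    "Storage Blob Data Owner": "evmk_sor",                                  # string, not a map
    "Storage Blob Data Contributor": {"managed_identities": ["evmk_pvm"]},  # list, no keys
}}}}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("constructed", CONSTRUCTED_BAD)):
        print(name, check_role_mapping(cfg) or "ok")
```

An empty result means the value has the shape the visible loops expect; each finding names the path whose value would stop the plan.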