Pass IAM policy as JSON through vars? #121

Closed
kamsz opened this issue Jun 26, 2018 · 10 comments
Labels
awaiting response Waiting for a response or more data from issue reporter question

@kamsz
Contributor

kamsz commented Jun 26, 2018

I'm trying to pass IAM policy JSON through terraformOptions.Vars, but without success (raw JSON results in syntax error). Any help?

@brikis98
Member

Can you share your code to provide some context?

@kamsz
Contributor Author

kamsz commented Jun 27, 2018

@brikis98 Sure thing. I'm trying to test creating an IAM instance profile module. I'm trying to pass an IAM policy in JSON through a Terraform variable:

resource "aws_iam_role_policy" "role_policy" {
  name   = "${lower("${var.instance_profile_name}-${var.environment_name}-role-policy")}"
  policy = "${var.role_policy}"
  role   = "${aws_iam_role.role.id}"
}

type RolePolicy struct {
	Version   string
	Statement []Statement
}

type Statement struct {
	Sid      string
	Action   string
	Effect   string
	Resource string
}

var rolePolicy = RolePolicy{
	Version: "2012-10-17",
	Statement: []Statement{
		Statement{
			Sid:      "Stmt1529588779128",
			Action:   "s3:*",
			Effect:   "Allow",
			Resource: "arn:aws:s3:::automatedtests/*",
		},
	},
}
var rolePolicyJSON, _ = json.Marshal(rolePolicy)

Vars: map[string]interface{}{
	"environment_name":      "automatedtests",
	"instance_profile_name": "test",
	"role_policy":           string(rolePolicyJSON),
},

@brikis98
Member

Ah, I gotcha. Can you share the error message you get? It's probably an issue with escaping quotes.

@ryanking

ryanking commented Aug 2, 2018

I have run into the same problem and get this error:

TestTerraformBasicExample 2018-08-02T16:26:32-07:00 command.go:100: invalid value "policy=\"{\n\t\t\"Version\": \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t    {\n\t\t\t\"Effect\": \"Deny\",\n\t\t\t\"Action\": [\n\t\t\t    \"*\",\n\t\t\t],\n\t\t\t\"Resource\": [\n\t\t\t    \"*\"\n\t\t\t]\n\t\t    }\n\t\t]\n\t    }\"" for flag -var: Cannot parse value for variable ("\"{\n\t\t\"Version\": \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t    {\n\t\t\t\"Effect\": \"Deny\",\n\t\t\t\"Action\": [\n\t\t\t    \"*\",\n\t\t\t],\n\t\t\t\"Resource\": [\n\t\t\t    \"*\"\n\t\t\t]\n\t\t    }\n\t\t]\n\t    }\"") as valid HCL: At 2:12: illegal char

It appears that the JSON string is being interpreted as HCL.

@ryanking

ryanking commented Aug 3, 2018

It looks like using an env variable rather than -var will force the variable to be interpreted as a string.

Not sure if all variables could be handled this way, since some may depend on the HCL-parsing behavior.

@ryanking

ryanking commented Aug 3, 2018

Also, given that Terraform 0.12 is moving toward more complex variables, there may need to be a different strategy here.

@brikis98
Member

brikis98 commented Aug 3, 2018

I suppose we could add a flag to generate a .tfvars file and pass that with a -var-file arg. I'd welcome something of that sort as a PR if anyone is up for it!
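One way to do what the comment above suggests, as an added example (not Terratest code and not written by anyone in this thread): write the variables to a JSON variable file and hand it to Terraform with -var-file, so the IAM policy string is never parsed as HCL. The helper names `writeTFVarsJSON` and `readVar` and the file name `test.tfvars.json` are assumptions; the policy is a constructed sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// writeTFVarsJSON (hypothetical helper) checks that every variable named in
// jsonStringVars is a string holding well-formed JSON, then writes all vars
// to <dir>/test.tfvars.json for use with `terraform apply -var-file=...`.
func writeTFVarsJSON(dir string, vars map[string]interface{}, jsonStringVars ...string) (string, error) {
	for _, name := range jsonStringVars {
		s, ok := vars[name].(string)
		if !ok || !json.Valid([]byte(s)) {
			return "", fmt.Errorf("variable %q is not a string holding valid JSON", name)
		}
	}
	body, err := json.MarshalIndent(vars, "", "  ")
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, "test.tfvars.json")
	// 0600: variable files often carry secrets or policy documents.
	return path, os.WriteFile(path, body, 0o600)
}

// readVar returns one string variable as a JSON reader of the file sees it.
func readVar(path, name string) (string, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	var vars map[string]interface{}
	if err := json.Unmarshal(raw, &vars); err != nil {
		return "", err
	}
	s, _ := vars[name].(string)
	return s, nil
}

func main() {
	// Constructed sample policy, passed as an opaque string variable.
	policy := `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::automatedtests/*"}]}`
	dir, _ := os.MkdirTemp("", "tfvars")
	defer os.RemoveAll(dir)
	path, err := writeTFVarsJSON(dir, map[string]interface{}{"role_policy": policy}, "role_policy")
	got, _ := readVar(path, "role_policy")
	fmt.Println(path, err, got == policy)
}
```

In a Terratest test the returned path would go in the `VarFiles` field of `terraform.Options` instead of putting the policy in `Vars`.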

@berney

berney commented Aug 26, 2018

I came across this after hitting this problem. The module I want to test has a variable that's a list and another variable that's a dictionary. With the CLI vars being strings this would cause errors. I found this bug and the talk of generating a .tfvars file.

Seeking a good, immediate solution, I was looking at Azure examples and I noticed a neat trick they were doing in https://github.com/Azure/terraform-azurerm-loadbalancer. They have a fixture directory that is a Terraform module.

terraform-azurerm-loadbalancer$ tree test
test
├── fixture
│   ├── main.tf
│   ├── outputs.tf
│   └── variables.tf
└── terrraform_loadbalancer_test.go

1 directory, 4 files

The test/fixture/main.tf is importing the module under test like this:

module "mylb" {
  source              = "../../"
  # ... remaining arguments not shown in the original comment
}

The terraform_loadbalancer_test.go is calling terraform.InitAndApply with terraformOptions.TerraformDir set to ./fixture. They do not use any -var options as the fixture sets the input variables of the module under test.

It also sets up other necessary resources and randomises the name via interpolation. Doing so in Terraform is another nice trick for testing on Azure since terratest does not have an Azure helper module (#89 Add Support for Azure).

I like this solution as it means terratest doesn't need any changes such as a feature added to generate a .tfvars file as one is created by the programmer directly. I find a .tfvars file more succinct and complete than using golang (it allows all types, lists and maps, not just strings), and it allows for the creation of any other resources necessary for the module under test (e.g. fixtures). I think it's a good solution.

@zackproser added the "awaiting response" label (Waiting for a response or more data from issue reporter) Apr 16, 2020
@no-response

no-response bot commented May 16, 2020

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please feel free to reach out if you have or find the answers we need so that we can investigate further. Thank you!

@no-response no-response bot closed this as completed May 16, 2020
@suckowbiz

suckowbiz commented Nov 25, 2022

I have just hit this exact issue (Terratest added additional quotes to an attribute value that is part of a list of objects). The workaround with a tfvars file worked for me.
