I have a local var called “clusters”:
    locals {
      clusters = {
        for cluster_identifier, cluster in var.clusters :
        cluster_identifier => {
          client_authentication = try(cluster.client_authentication, var.client_authentication)
        }
      }
    }
I need to create a SCRAM user & password and associate them with a cluster. Not all my clusters need SCRAM, only a few. I want the following resources to be created only if a cluster in “clusters” contains “scram” in client_authentication.
    resource "aws_secretsmanager_secret" "msk" {
      count      = length([for cluster in local.clusters : cluster.client_authentication if contains("scram", cluster.client_authentication)])
      name       = "AmazonMSK_${each.value.name}"
      kms_key_id = aws_kms_key.msk.key_id
    }

    resource "aws_secretsmanager_secret_version" "msk" {
      count         = length([for cluster in local.clusters : cluster.client_authentication if contains("scram", cluster.client_authentication)])
      secret_id     = aws_secretsmanager_secret.msk[each.key].id
      secret_string = jsonencode({ username = "user", password = "pass" })
    }

    resource "aws_kms_key" "msk" {
      count       = length([for cluster in local.clusters : cluster.client_authentication if contains("scram", cluster.client_authentication)])
      description = "Key for MSK Cluster Scram Secret Association"
    }
This is the input (inputs are passed via terragrunt):

    inputs = {
      clusters = {
        cluster1 = {
          name                  = "cluster1"
          client_authentication = ["iam"]
        }
        cluster2 = {
          name                  = "cluster2"
          client_authentication = ["iam", "scram"]
        }
        cluster3 = {
          name                  = "external-${local.common_vars.env}"
          client_authentication = ["iam"]
        }
      }
    }
In this example, the resources aws_msk_scram_secret_association, aws_secretsmanager_secret, aws_secretsmanager_secret_version and aws_kms_key should be created only for cluster2.
When running plan, I get:
    Error: Missing resource instance key

      on main.tf line 77, in resource "aws_secretsmanager_secret" "msk":
      77:   kms_key_id = aws_kms_key.msk.key_id

    Because aws_kms_key.msk has "count" set, its attributes must be accessed on
    specific instances.
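The following is an added example, not the question's own code, showing the pattern that avoids this error: filter the clusters into a map once, drive every SCRAM-related resource with for_each over that same map, and index cross-references with each.key. Two things in the question's snippet are also corrected here: contains() takes the list first and the value second, and with count there is no each.value, which is why the name and secret_id lines would fail next. The aws_msk_cluster.this[each.key] reference, the msk- username prefix and the random_password resource (hashicorp/random provider) are assumptions made for the example; the cluster resource itself is not shown in the question.

```hcl
locals {
  clusters = {
    for cluster_identifier, cluster in var.clusters :
    cluster_identifier => {
      name                  = cluster.name
      client_authentication = try(cluster.client_authentication, var.client_authentication)
    }
  }

  # Only clusters whose client_authentication list includes "scram".
  # Argument order matters: contains(list, value), not contains(value, list).
  scram_clusters = {
    for k, c in local.clusters : k => c
    if contains(c.client_authentication, "scram")
  }
}

# One customer-managed key per SCRAM cluster. MSK refuses secrets encrypted
# with the AWS-managed Secrets Manager key, so a CMK is required anyway.
resource "aws_kms_key" "msk" {
  for_each            = local.scram_clusters
  description         = "Key for MSK SCRAM secret of cluster ${each.value.name}"
  enable_key_rotation = true
}

# Generate the password instead of committing it to source; assumed helper,
# requires the hashicorp/random provider.
resource "random_password" "msk" {
  for_each = local.scram_clusters
  length   = 32
  special  = false
}

resource "aws_secretsmanager_secret" "msk" {
  for_each   = local.scram_clusters
  name       = "AmazonMSK_${each.value.name}" # MSK requires the AmazonMSK_ prefix
  kms_key_id = aws_kms_key.msk[each.key].key_id # same key as the map, so the instance exists
}

resource "aws_secretsmanager_secret_version" "msk" {
  for_each  = local.scram_clusters
  secret_id = aws_secretsmanager_secret.msk[each.key].id
  secret_string = jsonencode({
    username = "msk-${each.value.name}" # assumed naming convention
    password = random_password.msk[each.key].result
  })
}

resource "aws_msk_scram_secret_association" "msk" {
  for_each        = local.scram_clusters
  cluster_arn     = aws_msk_cluster.this[each.key].arn # assumed: clusters keyed the same way
  secret_arn_list = [aws_secretsmanager_secret.msk[each.key].arn]
}
```

With the example input only cluster2 lands in local.scram_clusters, so every resource above gets exactly one instance, addressed as aws_kms_key.msk["cluster2"], aws_secretsmanager_secret.msk["cluster2"], and so on. Using the cluster identifier as the for_each key rather than a count index also means adding or removing a SCRAM cluster later does not shift the addresses of the others, which with count would force secrets and keys to be destroyed and recreated.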