MaxymVlasov · July 9, 2019 15:01 · MaxymVlasov · Jul 9, 2019
diff --git a/1_tf12.tf b/1_tf12.tf
 variable "account_names" {
  default = ["prod", "dev", "sb"]
 }

 variable "aws_accounts_ids" {
  type        = "map"

  default = {
    dev  = "xxxxxxxxxxxx"
    prod = "yyyyyyyyyyyy"
    sb   = "zzzzzzzzzzzz"
  }
 }

 variable "role_name" {
  description = "Role name. arn:aws:iam::ACCOUNT_ID:role/ACCOUNT_NAME-iam-ROLE_NAME"
  type        = "string"
  default     = "role_name"
 }

 data "null_data_source" "arn_list" {
  count = "${length(var.account_names)}"

  inputs = {
    e = "${format("arn:aws:iam::%s:role/%s-iam-role-%s",
                      var.aws_accounts_ids[element(var.account_names, count.index)],
                      element(var.account_names, count.index),
                      var.role_name)}"
  }
 }

 # 1. data.null_data_source - list of maps
 # 2. jsonencode() - transform list of maps to string
 # 3. substr() - remove "list" from "list of maps" in string.
 #               Also, remove useless `{"e":"` on start and `"}` in end of string
 # 4. split() - make list of string from "flat maps", use as delemiter `"},{"e":`
 #
 # Note: magic numbers in substr() and delemiter of split() fully depend on key name in null_data_source.

 locals {
  arn_list = "${
    split(
      "\"},{\"e\":\"",
      substr(
        jsonencode(data.null_data_source.arn_list.*.outputs),
        7,
        length(jsonencode(data.null_data_source.arn_list.*.outputs)) - 10
        )
      )
    }"
 }

 output "o1__null_data_source" {
  value = "${data.null_data_source.arn_list.*.outputs}"
 }

 output "o2__json_encode" {
  value = "${jsonencode(data.null_data_source.arn_list.*.outputs)}"
 }

 output "o3__substr" {
  value = "${substr(
        jsonencode(data.null_data_source.arn_list.*.outputs),
        7,
        length(jsonencode(data.null_data_source.arn_list.*.outputs)) - 10
        )
      }"
 }

 output "o4__locals_arn_list" {
  value = "${local.arn_list}"
 }

 # data aws_iam_policy_document "cross_role" {
 #   statement {
 #     effect = "Allow"

 #     resources = "${local.arn_list}"

 #     actions = [
 #       "sts:AssumeRole",
 #     ]

 #     condition {
 #       test     = "BoolIfExists"
 #       variable = "aws:MultiFactorAuthPresent"

 #       values = [
 #         "true",
 #       ]
 #     }
 #   }
 # }

 # output "policy" {
 #   description = "IAM policy in JSON"
 #   value       = "${join(",", data.aws_iam_policy_document.cross_role.*.json)}"
 # }
diff --git a/2_output.sh b/2_output.sh
 t12 plan && t12 apply
 Refreshing Terraform state in-memory prior to plan...
 The refreshed state will be used to calculate this plan, but will not be
 persisted to local or remote state storage.

 data.null_data_source.arn_list[0]: Refreshing state...
 data.null_data_source.arn_list[1]: Refreshing state...
 data.null_data_source.arn_list[2]: Refreshing state...

 ------------------------------------------------------------------------

 No changes. Infrastructure is up-to-date.

 This means that Terraform did not detect any differences between your
 configuration and real physical resources that exist. As a result, no
 actions need to be performed.
 data.null_data_source.arn_list[1]: Refreshing state...
 data.null_data_source.arn_list[0]: Refreshing state...
 data.null_data_source.arn_list[2]: Refreshing state...

 Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

 Outputs:

 o1__null_data_source = [
  {
    "e" = "arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"
  },
  {
    "e" = "arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"
  },
  {
    "e" = "arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name"
  },
 ]
 o2__json_encode = [{"e":"arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"},{"e":"arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"},{"e":"arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name"}]
 o3__substr = arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"},{"e":"arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"},{"e":"arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name
 o4__locals_arn_list = [
  "arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name",
  "arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name",
  "arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name",
 ]
	variable "account_names" {
	default = ["prod", "dev", "sb"]
	}

	variable "aws_accounts_ids" {
	type = "map"

	default = {
	dev = "xxxxxxxxxxxx"
	prod = "yyyyyyyyyyyy"
	sb = "zzzzzzzzzzzz"
	}
	}

	variable "role_name" {
	description = "Role name. arn:aws:iam::ACCOUNT_ID:role/ACCOUNT_NAME-iam-ROLE_NAME"
	type = "string"
	default = "role_name"
	}

	data "null_data_source" "arn_list" {
	count = "${length(var.account_names)}"

	inputs = {
	e = "${format("arn:aws:iam::%s:role/%s-iam-role-%s",
	var.aws_accounts_ids[element(var.account_names, count.index)],
	element(var.account_names, count.index),
	var.role_name)}"
	}
	}

	# 1. data.null_data_source - list of maps
	# 2. jsonencode() - transform list of maps to string
	# 3. substr() - remove "list" from "list of maps" in string.
	# Also, remove useless `{"e":"` on start and `"}` in end of string
	# 4. split() - make list of string from "flat maps", use as delemiter `"},{"e":`
	#
	# Note: magic numbers in substr() and delemiter of split() fully depend on key name in null_data_source.

	locals {
	arn_list = "${
	split(
	"\"},{\"e\":\"",
	substr(
	jsonencode(data.null_data_source.arn_list.*.outputs),
	7,
	length(jsonencode(data.null_data_source.arn_list.*.outputs)) - 10
	)
	)
	}"
	}

	output "o1__null_data_source" {
	value = "${data.null_data_source.arn_list.*.outputs}"
	}

	output "o2__json_encode" {
	value = "${jsonencode(data.null_data_source.arn_list.*.outputs)}"
	}

	output "o3__substr" {
	value = "${substr(
	jsonencode(data.null_data_source.arn_list.*.outputs),
	7,
	length(jsonencode(data.null_data_source.arn_list.*.outputs)) - 10
	)
	}"
	}

	output "o4__locals_arn_list" {
	value = "${local.arn_list}"
	}

	# data aws_iam_policy_document "cross_role" {
	# statement {
	# effect = "Allow"

	# resources = "${local.arn_list}"

	# actions = [
	# "sts:AssumeRole",
	# ]

	# condition {
	# test = "BoolIfExists"
	# variable = "aws:MultiFactorAuthPresent"

	# values = [
	# "true",
	# ]
	# }
	# }
	# }

	# output "policy" {
	# description = "IAM policy in JSON"
	# value = "${join(",", data.aws_iam_policy_document.cross_role.*.json)}"
	# }
	t12 plan && t12 apply
	Refreshing Terraform state in-memory prior to plan...
	The refreshed state will be used to calculate this plan, but will not be
	persisted to local or remote state storage.

	data.null_data_source.arn_list[0]: Refreshing state...
	data.null_data_source.arn_list[1]: Refreshing state...
	data.null_data_source.arn_list[2]: Refreshing state...

	------------------------------------------------------------------------

	No changes. Infrastructure is up-to-date.

	This means that Terraform did not detect any differences between your
	configuration and real physical resources that exist. As a result, no
	actions need to be performed.
	data.null_data_source.arn_list[1]: Refreshing state...
	data.null_data_source.arn_list[0]: Refreshing state...
	data.null_data_source.arn_list[2]: Refreshing state...

	Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

	Outputs:

	o1__null_data_source = [
	{
	"e" = "arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"
	},
	{
	"e" = "arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"
	},
	{
	"e" = "arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name"
	},
	]
	o2__json_encode = [{"e":"arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"},{"e":"arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"},{"e":"arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name"}]
	o3__substr = arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"},{"e":"arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"},{"e":"arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name
	o4__locals_arn_list = [
	"arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name",
	"arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name",
	"arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name",
	]