
Using list(string) from KeyVault through json loaded in dynamic block terraform


I'm loading JSON from Azure KeyVault and converting it with jsondecode(). While a raw string works, when I load the same string from KeyVault I cannot use it in a dynamic block.

Error: Invalid dynamic for_each value Cannot use a tuple value in for_each. An iterable collection is required.

Working

resource "azurerm_monitor_action_group" "SIDevelopment" {
  name                = "Test"
  resource_group_name = "kv-test"
  short_name          = "Test"

  dynamic "email_receiver" {
    for_each = jsondecode("[\"example1@email.com\",\"example2@email.com\"]")
    content {
      name                    = email_receiver.value
      email_address           = email_receiver.value
      use_common_alert_schema = false
    }
  }
}

Not Working

data "azurerm_key_vault" "this" {
  name                = var.key_vault_name
  resource_group_name = var.resource_group_name
}

data "azurerm_key_vault_secret" "secret" {
  name         = var.secret_name
  key_vault_id = data.azurerm_key_vault.this.id
}

resource "azurerm_monitor_action_group" "SIDevelopment" {
  name                = "Test"
  resource_group_name = "kv-test"
  short_name          = "Test"

  dynamic "email_receiver" {
    for_each = jsondecode(data.azurerm_key_vault_secret.secret.value)
    content {
      name                    = email_receiver.value
      email_address           = email_receiver.value
      use_common_alert_schema = false
    }
  }
}

When I try to compare the results, they look equal

output "kv"{
  value = jsondecode(data.azurerm_key_vault_secret.secret.value)
  sensitive = true
}

output "string"{
  value = jsondecode("[\"example1@email.com\",\"example2@email.com\"]")
  sensitive = true
}

After reading the output as JSON:

{
  "kv": {
    "sensitive": true,
    "type": [
      "tuple",
      [
        "string",
        "string"
      ]
    ],
    "value": [
      "example1@email.com",
      "example2@email.com"
    ]
  },
  "string": {
    "sensitive": true,
    "type": [
      "tuple",
      [
        "string",
        "string"
      ]
    ],
    "value": [
      "example1@email.com",
      "example2@email.com"
    ]
  }
}

I've tried toset, tolist, etc., and still can't figure out why the string from KeyVault behaves differently.


Solution

  • It was just a missing nonsensitive function

    for_each = jsondecode(nonsensitive(data.azurerm_key_vault_secret.secret.value))

    So to make it work, I've replaced the code to be like this:

    resource "azurerm_monitor_action_group" "SIDevelopment" {
      name                = "Test"
      resource_group_name = "kv-test"
      short_name          = "Test"
    
      dynamic "email_receiver" {
        for_each = jsondecode(nonsensitive(data.azurerm_key_vault_secret.secret.value))
        content {
          name                    = email_receiver.value
          email_address           = email_receiver.value
          use_common_alert_schema = false
        }
      }
    }
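
The difference between the two cases can be reproduced without Key Vault. This is an added example, not part of the original answer: `sensitive()` on a constructed literal stands in for the secret value, which the `azurerm_key_vault_secret` data source marks as sensitive, and the local names and the resource name `example` are assumptions.

```hcl
locals {
  # Constructed stand-in for data.azurerm_key_vault_secret.secret.value.
  # sensitive() applies the same mark the data source puts on its value.
  raw_secret = sensitive("[\"example1@email.com\",\"example2@email.com\"]")

  # jsondecode() propagates the mark, so the decoded tuple is still
  # sensitive. This is the value that for_each rejects, even though it
  # prints the same as the decoded literal once an output is declared
  # with sensitive = true.
  decoded = jsondecode(local.raw_secret)

  # Remove the mark once, in one named place, and convert to a set so
  # duplicate addresses collapse and the iteration keys are the addresses.
  email_receivers = toset(nonsensitive(local.decoded))
}

resource "azurerm_monitor_action_group" "example" {
  name                = "Test"
  resource_group_name = "kv-test"
  short_name          = "Test"

  dynamic "email_receiver" {
    # Using local.decoded here instead reproduces the for_each error.
    for_each = local.email_receivers
    content {
      name                    = email_receiver.value
      email_address           = email_receiver.value
      use_common_alert_schema = false
    }
  }
}
```

Once unmarked, the addresses are shown in plain text in `terraform plan` and `terraform apply` output, so apply `nonsensitive()` only to values that are acceptable to display. The secret's value is stored in the state file either way.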