Terraform using flatten with nested objects
Here is my situation, I am trying to deploy a legacy Azure Frontdoor instance to the new version of AFD and do it via Terraform.
Here is an excerpt from my locals block for the Firewall policy:
firewall_policy = {
policy = {
name = "policy"
sku_name = "AzureSKU"
mode = "prevention"
managed_rules_list = [
{
type = "Microsoft_DefaultRuleSet"
version = "1.1"
action = "Block"
exclusion = [
{
match_variable = "QueryStringArgNames"
operator = "Contains"
selector = "string1"
},
{
match_variable = "RequestBodyPostArgNames"
operator = "StartsWith"
selector = "string2"
},
{
match_variable = "RequestCookieNames"
operator = "EqualsAny"
selector = "string3"
},
{
match_variable = "RequestBodyPostArgNames"
operator = "Contains"
selector = "string4"
}
]
override = [
{
rule_group_name = "RFI"
rule = [
{
rule_id = "931130"
action = "Block"
exclusion = [
{
match_variable = "RequestBodyPostArgNames"
operator = "Equals"
selector = "string1"
},
{
match_variable = "QueryStringArgNames"
operator = "Contains"
selector = "string2"
},
{
match_variable = "QueryStringArgNames"
operator = "Contains"
selector = "string3"
},
{
match_variable = "QueryStringArgNames"
operator = "Contains"
selector = "string4"
}
]
}
]
},
{
rule_group_name = "PHP"
rule = [
{
rule_id = "933100"
enabled = false
action = "Block"
},
{
rule_id = "933110"
enabled = false
action = "Block"
},
{
rule_id = "933120"
enabled = false
action = "Block"
}
]
}
]
}
]
}
}
As you can see, there are lots of nested objects.
In my main.tf file, I call the following:
module "Azure_FW_Policy_module" {
for_each = local.firewall_policy
source = "./frontdoorFirewallPolicy"
cdn_frontdoor_firewall_policy_name = each.value.name
resource_group_name = var.resource_group_name
sku_name = each.value.sku_name
mode = each.value.mode
managed_rules_list = each.value.managed_rules_list
managed_rules_exclusion_list = each.value.managed_rules_list.exclusion
managed_rules_overide_list = each.value.managed_rules_list.override
managed_rules_overide_rule_list = each.value.managed_rules_list.override.rule
managed_rules_overide_rule_exclusion_list = each.value.managed_rules_list.override.rule.exclusion
managed_rules_overide_rule_group_exclusion_list = each.value.managed_rules_list.override.exclusion
custom_rules_list = each.value.custom_rules_list
tags = var.tags
}
The Module itself has a bunch of dynamic blocks in it, to accomodate the various configurations and looks like this:
resource "azurerm_cdn_frontdoor_firewall_policy" "cdn_frontdoor_firewall_policy" {
name = var.cdn_frontdoor_firewall_policy_name
resource_group_name = var.resource_group_name
sku_name = var.sku_name
enabled = var.enabled
mode = var.mode
custom_block_response_status_code = var.custom_block_response_status_code
custom_block_response_body = var.custom_block_response_body
request_body_check_enabled = var.request_body_check_enabled
tags = var.tags
dynamic "managed_rule" {
for_each = toset(var.managed_rules_list)
content {
type = managed_rule.value["type"]
version = managed_rule.value["version"]
action = managed_rule.value["action"]
dynamic "exclusion" {
for_each = toset(var.managed_rules_exclusion_list)
content {
match_variable = exclusion.value["match_variable"]
operator = exclusion.value["operator"]
selector = exclusion.value["selector"]
}
}
dynamic "override" {
for_each = toset(var.managed_rules_overide_list)
content {
rule_group_name = override.value["rule_group_name"]
dynamic "rule" {
for_each = toset(var.managed_rules_overide_rule_list)
content {
rule_id = rule.value["rule_id"]
action = rule.value["action"]
dynamic "exclusion" {
for_each = toset(var.managed_rules_overide_rule_exclusion_list)
content {
match_variable = exclusion.value["match_variable"]
operator = exclusion.value["operator"]
selector = exclusion.value["selector"]
}
}
}
}
dynamic "exclusion" {
for_each = toset(var.managed_rules_overide_rule_group_exclusion_list)
content {
match_variable = exclusion.value["match_variable"]
operator = exclusion.value["operator"]
selector = exclusion.value["selector"]
}
}
}
}
}
}
dynamic "custom_rule" {
for_each = toset(var.custom_rules_list)
content {
name = custom_rule.value["name"]
enabled = custom_rule.value["enabled"]
priority = custom_rule.value["priority"]
type = custom_rule.value["type"]
action = custom_rule.value["action"]
rate_limit_duration_in_minutes = custom_rule.value["rate_limit_duration_in_minutes"]
rate_limit_threshold = custom_rule.value["rate_limit_threshold"]
match_condition {
match_variable = custom_rule.value["match_variable"]
operator = custom_rule.value["operator"]
negation_condition = custom_rule.value["negation_condition"]
match_values = custom_rule.value["match_values"]
}
}
}
}
My issue is that when I run this - I get the following error:
"each.value.managed_rules_list is tuple with 1 element This value does not have any attributes."
Based on my reading, I believe that this is because I need to use the flatten command in Terraform on the firewall_policy element in order to pass this to the module:
However - despite reading the above, I am not sure exactly how I need to call flatten to account for all the nested objects and then how I can pass them to my module, as I have not used this before.
Solution
Terraform using flatten with nested objects while provisioning forntdoor firewall policy.
In your main.tf, you're trying to fetch the attributes like each.value.managed_rules_list.exclusion, which assumes that managed_rules_list is a map. However, since managed_rules_list is defined as a list Terraform treats it as a tuple, and direct attribute access without specifying an index isn't valid.
To resolve this, you should ensure that you're fetching the elements of your lists correctly. This can be done using Terraform's flatten function. Which can help manage deeply nested structures by converting nested lists into a single flat list, making them easier to iterate over.
Demo configuration:
main.tf:
locals {
firewall_policy = {
name = "afdwafvkpolicy"
sku_name = "Premium_AzureFrontDoor"
mode = "Prevention"
managed_rules = [
{
type = "Microsoft_DefaultRuleSet"
version = "1.1"
action = "Block"
exclusions = [
{
match_variable = "QueryStringArgNames"
operator = "Contains"
selector = "string1"
},
{
match_variable = "RequestBodyPostArgNames"
operator = "StartsWith"
selector = "string2"
}
]
overrides = [
{
rule_group_name = "RFI"
rules = [
{
rule_id = "931130"
action = "Block"
exclusions = [
{
match_variable = "QueryStringArgNames"
operator = "Contains"
selector = "string3"
}
]
}
]
},
{
rule_group_name = "PHP"
rules = [
{
rule_id = "933100"
action = "Block"
enabled = false
},
{
rule_id = "933110"
action = "Block"
enabled = false
}
]
}
]
}
]
custom_rules = []
}
}
module "afd_waf" {
source = "./frontdoorFirewallPolicy"
firewall_policy_config = local.firewall_policy
resource_group_name = var.resource_group_name
}
frontdoorFirewallPolicy/main.tf
resource "azurerm_cdn_frontdoor_firewall_policy" "waf" {
name = var.firewall_policy_config.name
resource_group_name = var.resource_group_name
sku_name = var.firewall_policy_config.sku_name
mode = var.firewall_policy_config.mode
dynamic "managed_rule" {
for_each = var.firewall_policy_config.managed_rules
content {
type = managed_rule.value.type
version = managed_rule.value.version
action = managed_rule.value.action
dynamic "exclusion" {
for_each = lookup(managed_rule.value, "exclusions", [])
content {
match_variable = exclusion.value.match_variable
operator = exclusion.value.operator
selector = exclusion.value.selector
}
}
dynamic "override" {
for_each = lookup(managed_rule.value, "overrides", [])
content {
rule_group_name = override.value.rule_group_name
dynamic "rule" {
for_each = lookup(override.value, "rules", [])
content {
rule_id = rule.value.rule_id
action = rule.value.action
enabled = lookup(rule.value, "enabled", true)
dynamic "exclusion" {
for_each = lookup(rule.value, "exclusions", [])
content {
match_variable = exclusion.value.match_variable
operator = exclusion.value.operator
selector = exclusion.value.selector
}
}
}
}
}
}
}
}
}
Deployment:
Refer:
https://learn.microsoft.com/en-us/azure/frontdoor/create-front-door-terraform
https://library.tf/modules/T-Systems-MMS/cdn/azurerm/latest
https://developer.hashicorp.com/terraform/language/functions/flatten
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions