Natively handling "object" values between resources

[thejosephstevens]

Hi there! I have two modules, representing a multi-cloud identity provider, and a multi-cloud identity. The design is, any time a k8s cluster is registered, it gets Identity Providers created so that OIDC can be used to authenticate its workloads. Each Service Account workload can then be assigned an identity across clouds (this results in many identities being associated with the identity provider resources). In order to drive this, I want to keep the integration points clean, so I constructed an output object that contained all of the relevant details for the provider:

output identity_provider {
  description = "Identity provider details"
  value = {
    issuer = var.issuer
    issuer_hash = local.issuer_hash
    name = var.name
    mutable_display_name = local.mutable_display_name
    aws = {
      oidc_provider_arn = aws_iam_openid_connect_provider.this.arn
      iss_base = trimprefix(var.issuer, "https://")
    }
    gcp = {
      workload_identity_pool_provider_id = google_iam_workload_identity_pool_provider.this.id
      workload_identity_pool_aud = "https://iam.googleapis.com/${google_iam_workload_identity_pool_provider.this.id}"
    }
  }
}

This then gets written to a secret:

  writeOutputsToSecret:
    name: test-identity-provider-with-custom-backend-output

Which is then picked up by the identity:

  varsFrom:
  - name: test-identity-provider-with-custom-backend-output
    kind: Secret

In order to fulfill the variable for the identity:

variable identity_provider {
  type = object({
    issuer = string
    issuer_hash = string
    name = string
    mutable_display_name = string
    aws = object({
      oidc_provider_arn = string
      iss_base = string
    })
    gcp = object({
      workload_identity_pool_provider_id = string
      workload_identity_pool_aud = string
    })
  })
  description = "Identity provider details"
}

Composing it this way keeps the interfaces super clean. The trouble I'm running into is that it looks like the handling from the TF-Controller is interpreting the output JSON as a string when it interpolates it into the identity resource (see the extra quoting on the identity_provider value below). As you can see, the __type key from the output secret is also being imported, and has the correct type data for the output value.:

$ cat terraform/identity/generated.auto.tfvars.json
{"identity_provider":"{\n      \"aws\": {\n        \"iss_base\": \"REDACTED",\n        \"oidc_provider_arn\": \"REDACTED\"\n      },\n      \"gcp\": {\n        \"workload_identity_pool_aud\": \"REDACTED\",\n        \"workload_identity_pool_provider_id\": \"REDACTED\"\n      },\n      \"issuer\": \"REDACTED",\n      \"issuer_hash\": \"REDACTED\",\n      \"mutable_display_name\": \"test-with-ops\",\n      \"name\": \"test-with-ops\"\n    }","identity_provider__type":"[\n      \"object\",\n      {\n        \"aws\": [\n          \"object\",\n          {\n            \"iss_base\": \"string\",\n            \"oidc_provider_arn\": \"string\"\n          }\n        ],\n        \"gcp\": [\n          \"object\",\n          {\n            \"workload_identity_pool_aud\": \"string\",\n            \"workload_identity_pool_provider_id\": \"string\"\n          }\n        ],\n        \"issuer\": \"string\",\n        \"issuer_hash\": \"string\",\n        \"mutable_display_name\": \"string\",\n        \"name\": \"string\"\n      }\n    ]","namespace":"flux-system","service_account_name":"test-sa"}

The stored output data itself looks like it is structured in a way I would expect:

❯ kubectl get secret -n flux-system test-identity-provider-with-custom-backend-output -o yaml | yq '.data.identity_provider' | base64 -D
{
      "aws": {
        "iss_base": "REDACTED",
        "oidc_provider_arn": "REDACTED"
      },
      "gcp": {
        "workload_identity_pool_aud": "REDACTED",
        "workload_identity_pool_provider_id": "REDACTED"
      },
      "issuer": "REDACTED",
      "issuer_hash": "REDACTED",
      "mutable_display_name": "test-with-ops",
      "name": "test-with-ops"
    }

I'm confident that I can do full mapping to get past this issue (output everything as a primitive and then perform key-mapping to get them into the identity resource object in YAML), but I wanted to check whether this is expected to work or not. I found this discussion, which was similar, but not quite the same thing I was encountering. I'm running 0.16.0-rc.4 from Helm.

My assumption is there's some guard here to keep from inferring object type on inputs that look like JSON, but it would be really fantastic if this could work natively without additional handling in the middle (when the objects are identical on the output and input side).

Thanks for the help!

[ilithanos]

It's an interesting case, and is something I think we should handle better.

I know there has been some work done on this related to correctly mappen tf objects correctly, but it seems like we are not completely there yet.

A workaround I'm currently using at my day job is outputting everything as a Json encoded string when creating outputs, and then when a module uses that output do a jsondecode inside the Terraform module. It's a hacky workaround, but it works.

It's definitely something that we still need to work on.