1

I have created AWS IAM groups using aws_iam_group and a for_each loop

resource "aws_iam_group" "all" {
  for_each = toset(local.groups)
  name     = each.key
  path     = "/"
}

Then I am outputting all groups

output "groups" {
  value = aws_iam_group.all
}

This is the result after running terraform output groups

{
  "developer" = {
    "arn" = "arn:aws:iam::*********:group/developer"
    "id" = "developer"
    "name" = "developer"
    "path" = "/"
    "unique_id" = "**************"
  }
  "devops" = {
    "arn" = "arn:aws:iam::*********:group/devops"
    "id" = "devops"
    "name" = "devops"
    "path" = "/"
    "unique_id" = "**************"
  }
}

My question:

How do I get a single group from the output using the terraform output command?

sam ben

2 Answers

1

If you want to get only one value for the group name, I don't think that is possible to achieve with output the way you have specified it. However, what you could do is define another output and do the following:

output "developer_group" {
  value = aws_iam_group.all["developer"].arn
}

On the other hand, if you don't want another output, what you could do is use the values built-in function [1] to get only the values for the key-value pairs that are created with the for_each loop. To do so, you would need to change the output to:

output "groups" {
  value = values(aws_iam_group.all)[*].arn
}

This will output all the ARNs for all the groups and that will be a list:

groups = [
  "arn:aws:iam::*********:group/developer",
  "arn:aws:iam::*********:group/devops",
]

One last option could be to use the values built-in function but instead of using the wildcard ([*]), you would specify only the index for which you want to output the value:

output "groups" {
  value = values(aws_iam_group.all)[0].arn
}

Bear in mind that if the order in the output changes in the last example, you will probably get the ARN of the wrong group. The last example is effectively the same as the first one.

EDIT: In the light of the comments, there would need to be a couple of adjustments. I will use groups as an example for the shell script but it should be applicable to users as well since they are created the same way. The first thing to do is use the jsonencode built-in function [2], and convert the output to JSON data. Then, it can be used with jq to fetch whatever you need. So, the groups output would then be:

output "groups" {
  value = jsonencode(aws_iam_group.all)
}

Then, in the shell script, you could do something like:

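#!/bin/bash

# Group name (the for_each key) is the first argument
GROUP="$1"
# Decode the jsonencode'd string, then look the group up by key. --arg passes
# the name to jq as data, so a name such as "dev-ops" or stray filter syntax
# in the argument cannot change the query.
GROUP_ARN=$(terraform output groups | jq -r . | jq --arg g "$GROUP" '.[$g].arn')

echo "${GROUP_ARN}"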

[1] https://www.terraform.io/language/functions/values

[2] https://www.terraform.io/language/functions/jsonencode

Marko E
  • Well, with the first one you ought to get what you want. I was just giving an example on how to get all the ARNs if that is required. – Marko E Aug 09 '22 at 10:28
  • The first solution does not work: `value = aws_iam_group.all.developer.arn` `Because aws_iam_group.all has "for_each" set, its attributes must be accessed on specific instances.` But this works: `output "developer_group" { value = aws_iam_group.all["developer"].arn }` – sam ben Aug 09 '22 at 10:33
  • Ah, yes, my bad. Fixed, was typing in a rush and didn't verify. – Marko E Aug 09 '22 at 10:33
  • Your answer was helpful. But what I am exactly looking for is outputting all groups then using terraform output command to get specific value. For example I want to get the ARN of developer group or devops `terraform output groups.developer.arn` – sam ben Aug 09 '22 at 10:39
  • I don't think that is possible. What you could do however is if that is a module output you could reference indexes of the output value. If I understand what the particular use case is, I might be able to come up with a solution. – Marko E Aug 09 '22 at 10:43
  • I am working on automating the management of AWS IAM users. After the users and groups are created I would like to send the welcome email to each user with the encrypted password using bash script. When running `send-welcome-email.sh ` The script will pull the users password using `terraform output users..password` then send the email. – sam ben Aug 09 '22 at 11:54
  • Oh, ok, that makes it a bit easier. Let me try to hack a shell script for this and add it to the answer. – Marko E Aug 09 '22 at 11:55
  • FYI: the users are also created using for_each loop – sam ben Aug 09 '22 at 12:27
  • Updated the answer with a shell script example. – Marko E Aug 09 '22 at 13:00
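
An added example, not part of the original answer or its comments: a POSIX shell helper that reads the JSON printed by `terraform output -json groups` and looks up one group's attribute, passing the key through `jq --arg` so the group name is handled as data rather than as filter text. The `pick_attr` name, the sample JSON, the account ID and the `qa-team` group are constructed for illustration.

```bash
#!/bin/sh
# Added example: fetch one attribute of one for_each instance from the JSON
# form of a Terraform output, without building the jq filter from user input.

# Constructed sample of `terraform output -json groups` when the output value
# is the whole aws_iam_group.all map (account ID and "qa-team" are made up).
SAMPLE_GROUPS_JSON='{
  "developer": {"arn": "arn:aws:iam::123456789012:group/developer", "name": "developer", "path": "/"},
  "devops":    {"arn": "arn:aws:iam::123456789012:group/devops",    "name": "devops",    "path": "/"},
  "qa-team":   {"arn": "arn:aws:iam::123456789012:group/qa-team",   "name": "qa-team",   "path": "/"}
}'

# pick_attr KEY ATTR   (hypothetical helper name; JSON map is read from stdin)
# Prints the attribute as raw text. Exits non-zero and prints nothing when the
# key or attribute is absent, so a caller never continues with "null".
pick_attr() {
  # --arg binds KEY and ATTR as jq string variables: a name such as "qa-team"
  # (invalid in the path form .qa-team.arn) works, and filter syntax in the
  # argument is only ever used as a lookup key.
  # -e: non-zero exit when no result is produced; -r: print without quotes.
  jq -e -r --arg k "$1" --arg a "$2" '.[$k][$a] // empty'
}

# Real use, from the directory holding the state:
#   terraform output -json groups | pick_attr developer arn

# Demo on the constructed sample:
printf '%s' "$SAMPLE_GROUPS_JSON" | pick_attr qa-team arn
printf '%s' "$SAMPLE_GROUPS_JSON" | pick_attr nosuch arn \
  || echo "group not found" >&2
```

With `-json`, the output can stay `value = aws_iam_group.all` as in the question; `jsonencode` is only needed when piping the plain `terraform output groups` form into jq.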
0

@sam ben, This should work
aws_iam_group.all["developer"].arn

since "all" is a list, we are using a specific item from the list (developer in this case) and then referring to a specific item from the "developer" (arn in the given case).

ketanvj