feat: Encoding - Add a Base36Encode function #32130

Closed

jphuynh commented Nov 1, 2022

The goal of this PR is to provide a Base36Encode function to encode a string to a base36 sequence.

This is particularly useful for places like the trust policy generation in AWS IAM Roles when using EMR on EKS.
The current implementation requires an external call to `aws emr-containers update-role-trust-policy` outside of Terraform which creates a perpetual diff when managing IAM Roles via Terraform.

See: https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.html

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "OIDC_PROVIDER:sub": "system:serviceaccount:NAMESPACE:emr-containers-sa-*-*-AWS_ACCOUNT_ID-BASE36_ENCODED_ROLE_NAME"
        }
      }
    }
  ]
}
```

crw (Contributor) commented Nov 1, 2022

Thanks for this submission. This function would need to be built as a plugin function provider, as opposed to a function built into Terraform. As such it is waiting for the implementation of plugin function providers. Please see:

I will leave this PR open in case the team decides to review it. Other "baseN" type functions have been put on hold pending the above. Thanks for your submission and for your patience!

@justenwalker

@jphuynh until such a time where those features are added to Terraform, I created a provider to make this encoding available as a Data Source:

```hcl
terraform {
  required_providers {
    encode = {
      version = "0.1"
      source  = "registry.terraform.io/justenwalker/encode"
    }
  }
}

provider "encode" {}

data "encode_base36" "something" {
  value     = "hello"
  lowercase = true
}

output "encoded" {
  value = data.encode_base36.something.result
}
```

Result:

```
$ terraform apply
data.encode_base36.something: Reading...
data.encode_base36.something: Read complete after 0s [id=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824]

Changes to Outputs:
  + encoded = "5pzcszu7"

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

encoded = "5pzcszu7"
```

It's sort of a hack, but a useful one for now.
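
An added example, not code from this PR or from the provider mentioned in the thread: a Go sketch of the encoding under discussion, reading the string's bytes as one big-endian integer written in base 36, which reproduces the `hello` → `5pzcszu7` result shown above. `SubjectPattern` and the validation patterns are assumptions of this example; the validation keeps `*` and `?` out of values interpolated into the `StringLike` condition.

```go
package main

import (
	"fmt"
	"math/big"
	"regexp"
)

// Input shapes assumed by this example; anything else is rejected so that no
// caller-supplied "*" or "?" can widen the StringLike match.
var (
	namespaceRe = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)
	accountIDRe = regexp.MustCompile(`^[0-9]{12}$`)
	roleNameRe  = regexp.MustCompile(`^[\w+=,.@-]{1,64}$`)
)

// Base36Encode reads s as a big-endian unsigned integer and writes it in
// base 36 with lowercase digits. The empty string encodes as "0".
func Base36Encode(s string) string {
	return new(big.Int).SetBytes([]byte(s)).Text(36)
}

// SubjectPattern (hypothetical helper) fills in the "OIDC_PROVIDER:sub"
// value from the trust policy template in the PR description.
func SubjectPattern(namespace, accountID, roleName string) (string, error) {
	switch {
	case !namespaceRe.MatchString(namespace):
		return "", fmt.Errorf("invalid namespace %q", namespace)
	case !accountIDRe.MatchString(accountID):
		return "", fmt.Errorf("invalid account id %q", accountID)
	case !roleNameRe.MatchString(roleName):
		return "", fmt.Errorf("invalid role name %q", roleName)
	}
	return fmt.Sprintf("system:serviceaccount:%s:emr-containers-sa-*-*-%s-%s",
		namespace, accountID, Base36Encode(roleName)), nil
}

func main() {
	// Constructed sample values, not taken from any real account.
	sub, err := SubjectPattern("emr", "123456789012", "hello")
	if err != nil {
		panic(err)
	}
	fmt.Println(sub)
}
```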

crw (Contributor) commented Mar 7, 2024

Thank you for your continued interest in this issue.

Terraform version 1.8 launches with support of provider-defined functions. It is now possible to implement your own functions! We would love to see this implemented as a provider-defined function.

Please see the provider-defined functions documentation to learn how to implement functions in your providers. If you are new to provider development, learn how to create a new provider with the Terraform Plugin Framework. If you have any questions, please visit the Terraform Plugin Development category in our official forum.

We hope this feature unblocks future function development and provides more flexibility for the Terraform community. Thank you for your continued support of Terraform!

@crw crw closed this Mar 7, 2024
@justenwalker

FYI @jphuynh - Just wanted to mention that I added a base36 function to that provider as a beta release to support Terraform 1.8:

https://registry.terraform.io/providers/justenwalker/encode/0.3.0-beta.1/docs/functions/base36

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 19, 2024
@jphuynh jphuynh deleted the feat-base36-encoding-function branch July 8, 2024 10:33