MaxymVlasov/1_tf12.tf

## 1_tf12.tf
variable "account_names" {
  default = ["prod", "dev", "sb"]
}

variable "aws_accounts_ids" {
  type        = "map"

  default = {
    dev  = "xxxxxxxxxxxx"
    prod = "yyyyyyyyyyyy"
    sb   = "zzzzzzzzzzzz"
  }
}

variable "role_name" {
  description = "Role name. arn:aws:iam::ACCOUNT_ID:role/ACCOUNT_NAME-iam-ROLE_NAME"
  type        = "string"
  default     = "role_name"
}

data "null_data_source" "arn_list" {
  count = "${length(var.account_names)}"

  inputs = {
    e = "${format("arn:aws:iam::%s:role/%s-iam-role-%s",
                      var.aws_accounts_ids[element(var.account_names, count.index)],
                      element(var.account_names, count.index),
                      var.role_name)}"
  }
}

# 1. data.null_data_source - list of maps
# 2. jsonencode() - transform list of maps to string
# 3. substr() - remove "list" from "list of maps" in string.
#               Also, remove useless `{"e":"` on start and `"}` in end of string
# 4. split() - make list of string from "flat maps", use as delemiter `"},{"e":`
#
# Note: magic numbers in substr() and delemiter of split() fully depend on key name in null_data_source.

locals {
  arn_list = "${
    split(
      "\"},{\"e\":\"",
      substr(
        jsonencode(data.null_data_source.arn_list.*.outputs),
        7,
        length(jsonencode(data.null_data_source.arn_list.*.outputs)) - 10
        )
      )
    }"
}

output "o1__null_data_source" {
  value = "${data.null_data_source.arn_list.*.outputs}"
}

output "o2__json_encode" {
  value = "${jsonencode(data.null_data_source.arn_list.*.outputs)}"
}

output "o3__substr" {
  value = "${substr(
        jsonencode(data.null_data_source.arn_list.*.outputs),
        7,
        length(jsonencode(data.null_data_source.arn_list.*.outputs)) - 10
        )
      }"
}

output "o4__locals_arn_list" {
  value = "${local.arn_list}"
}

# data aws_iam_policy_document "cross_role" {
#   statement {
#     effect = "Allow"

#     resources = "${local.arn_list}"

#     actions = [
#       "sts:AssumeRole",
#     ]

#     condition {
#       test     = "BoolIfExists"
#       variable = "aws:MultiFactorAuthPresent"

#       values = [
#         "true",
#       ]
#     }
#   }
# }

# output "policy" {
#   description = "IAM policy in JSON"
#   value       = "${join(",", data.aws_iam_policy_document.cross_role.*.json)}"
# }

## 2_output.sh
 t12 plan && t12 apply
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.null_data_source.arn_list[0]: Refreshing state...
data.null_data_source.arn_list[1]: Refreshing state...
data.null_data_source.arn_list[2]: Refreshing state...

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.
data.null_data_source.arn_list[1]: Refreshing state...
data.null_data_source.arn_list[0]: Refreshing state...
data.null_data_source.arn_list[2]: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

o1__null_data_source = [
  {
    "e" = "arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"
  },
  {
    "e" = "arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"
  },
  {
    "e" = "arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name"
  },
]
o2__json_encode = [{"e":"arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"},{"e":"arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"},{"e":"arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name"}]
o3__substr = arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"},{"e":"arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"},{"e":"arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name
o4__locals_arn_list = [
  "arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name",
  "arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name",
  "arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name",
]
	variable "account_names" {
	default = ["prod", "dev", "sb"]
	}

	variable "aws_accounts_ids" {
	type = "map"

	default = {
	dev = "xxxxxxxxxxxx"
	prod = "yyyyyyyyyyyy"
	sb = "zzzzzzzzzzzz"
	}
	}

	variable "role_name" {
	description = "Role name. arn:aws:iam::ACCOUNT_ID:role/ACCOUNT_NAME-iam-ROLE_NAME"
	type = "string"
	default = "role_name"
	}

	data "null_data_source" "arn_list" {
	count = "${length(var.account_names)}"

	inputs = {
	e = "${format("arn:aws:iam::%s:role/%s-iam-role-%s",
	var.aws_accounts_ids[element(var.account_names, count.index)],
	element(var.account_names, count.index),
	var.role_name)}"
	}
	}

	# 1. data.null_data_source - list of maps
	# 2. jsonencode() - transform list of maps to string
	# 3. substr() - remove "list" from "list of maps" in string.
	# Also, remove useless `{"e":"` on start and `"}` in end of string
	# 4. split() - make list of string from "flat maps", use as delemiter `"},{"e":`
	#
	# Note: magic numbers in substr() and delemiter of split() fully depend on key name in null_data_source.

	locals {
	arn_list = "${
	split(
	"\"},{\"e\":\"",
	substr(
	jsonencode(data.null_data_source.arn_list.*.outputs),
	7,
	length(jsonencode(data.null_data_source.arn_list.*.outputs)) - 10
	)
	)
	}"
	}

	output "o1__null_data_source" {
	value = "${data.null_data_source.arn_list.*.outputs}"
	}

	output "o2__json_encode" {
	value = "${jsonencode(data.null_data_source.arn_list.*.outputs)}"
	}

	output "o3__substr" {
	value = "${substr(
	jsonencode(data.null_data_source.arn_list.*.outputs),
	7,
	length(jsonencode(data.null_data_source.arn_list.*.outputs)) - 10
	)
	}"
	}

	output "o4__locals_arn_list" {
	value = "${local.arn_list}"
	}

	# data aws_iam_policy_document "cross_role" {
	# statement {
	# effect = "Allow"

	# resources = "${local.arn_list}"

	# actions = [
	# "sts:AssumeRole",
	# ]

	# condition {
	# test = "BoolIfExists"
	# variable = "aws:MultiFactorAuthPresent"

	# values = [
	# "true",
	# ]
	# }
	# }
	# }

	# output "policy" {
	# description = "IAM policy in JSON"
	# value = "${join(",", data.aws_iam_policy_document.cross_role.*.json)}"
	# }
	t12 plan && t12 apply
	Refreshing Terraform state in-memory prior to plan...
	The refreshed state will be used to calculate this plan, but will not be
	persisted to local or remote state storage.

	data.null_data_source.arn_list[0]: Refreshing state...
	data.null_data_source.arn_list[1]: Refreshing state...
	data.null_data_source.arn_list[2]: Refreshing state...

	------------------------------------------------------------------------

	No changes. Infrastructure is up-to-date.

	This means that Terraform did not detect any differences between your
	configuration and real physical resources that exist. As a result, no
	actions need to be performed.
	data.null_data_source.arn_list[1]: Refreshing state...
	data.null_data_source.arn_list[0]: Refreshing state...
	data.null_data_source.arn_list[2]: Refreshing state...

	Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

	Outputs:

	o1__null_data_source = [
	{
	"e" = "arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"
	},
	{
	"e" = "arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"
	},
	{
	"e" = "arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name"
	},
	]
	o2__json_encode = [{"e":"arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"},{"e":"arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"},{"e":"arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name"}]
	o3__substr = arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name"},{"e":"arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name"},{"e":"arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name
	o4__locals_arn_list = [
	"arn:aws:iam::yyyyyyyyyyyy:role/prod-iam-role-role_name",
	"arn:aws:iam::xxxxxxxxxxxx:role/dev-iam-role-role_name",
	"arn:aws:iam::zzzzzzzzzzzz:role/sb-iam-role-role_name",
	]