for_each depends on resource attributes that cannot be determined until apply #20

Closed
kyeotic opened this issue Nov 3, 2021 · 4 comments

@kyeotic

kyeotic commented Nov 3, 2021

Description

When deploying this module for the first time I encounter the same error for two places.

Error: Invalid for_each argument

  on .terraform/modules/region_us.appsync/iam.tf line 81, in resource "aws_iam_role" "service_role":
  81:   for_each = local.service_roles_with_specific_policies

The "for_each" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the for_each depends on.


Error: Invalid for_each argument

  on .terraform/modules/region_us.appsync/iam.tf line 97, in data "aws_iam_policy_document" "service_policy":
  97:   for_each = local.service_roles_with_specific_policies

The "for_each" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the for_each depends on.

Versions

  • Terraform: 0.13.5
  • Provider(s):
      + provider registry.terraform.io/hashicorp/aws v3.63.0
      + provider registry.terraform.io/hashicorp/external v2.1.0
      + provider registry.terraform.io/hashicorp/null v2.1.2
      + provider registry.terraform.io/hashicorp/random v3.1.0
      + provider registry.terraform.io/hashicorp/template v2.1.2
      + provider registry.terraform.io/newrelic/newrelic v2.9.0
  • Module: latest

Reproduction

module "appsync" {
  source  = "terraform-aws-modules/appsync/aws"
  version = "v1.1.0"

  name = "${terraform.workspace}-appsync"

  schema = file(var.config.schema_file)

  authentication_type = "OPENID_CONNECT"
  openid_connect_config = {
    issuer    = var.config.oidc_issuer
    client_id = ""
  }

  datasources = {
    lambda_create_zip = {
      type             = "AWS_LAMBDA"
      function_arn     = aws_lambda_function.api.arn
      service_role_arn = aws_iam_role.appsync.arn
    }
  }

  resolvers = {
    for r in var.config.resolvers : "${r.type}.${r.field}" => {
      data_source       = r.datasource
      response_template = "$util.toJson($context.result)"
      request_template = jsonencode({
        "version"   = "2017-02-28"
        "operation" = "Invoke",
        "payload" = {
          "field"     = r.field,
          "arguments" = "$utils.toJson($context.arguments)",
          "headers"   = "$utils.toJson($context.request.headers)"
        }
      })
    }
  }
}

Expected behavior

terraform apply is able to deploy

Actual behavior

Error, see above

@antonbabenko
Member

Hi Tim,

Unfortunately, the issue you are experiencing is related to a limitation of Terraform which requires all dynamic references (such as aws_lambda_function.api and aws_iam_role.appsync) to be created in advance (before calling in this module) if they are being used in for_each or count (related issue - hashicorp/terraform#4149).

In the meantime, you can do this in two commands:

terraform apply -target=aws_lambda_function.api -target=aws_iam_role.appsync
terraform apply
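
An added illustration of the limitation described in the comment above; it is not code from this module or from either participant, and every resource and variable name in it is hypothetical. It contrasts a `for_each` whose instance keys come from a not-yet-created resource attribute with one whose keys are static and where the unknown ARN appears only as a value, which also keeps each role's policy scoped to a single function.

```hcl
# Added illustration with hypothetical names; not the module's iam.tf.
variable "datasources" {
  # Callers pass literal map keys; function_arn may be unknown until apply.
  type = map(object({ function_arn = string }))
}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["appsync.amazonaws.com"]
    }
  }
}

# Fails with "Invalid for_each argument" on a first apply: the set elements
# (the ARNs) become the instance keys, and they are unknown during plan.
# resource "aws_iam_role" "by_arn" {
#   for_each           = toset([for d in var.datasources : d.function_arn])
#   name               = "appsync-${md5(each.key)}"
#   assume_role_policy = data.aws_iam_policy_document.assume.json
# }

# Plans cleanly: instance keys are the static map keys, so Terraform knows
# how many roles to create even though the ARNs are not known yet.
resource "aws_iam_role" "by_name" {
  for_each           = var.datasources
  name               = "appsync-${each.key}"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# The unknown ARN is only a value here, so this is deferred to apply
# instead of rejected. Each role may invoke only its own function.
data "aws_iam_policy_document" "invoke" {
  for_each = var.datasources
  statement {
    actions   = ["lambda:InvokeFunction"]
    resources = [each.value.function_arn]
  }
}

resource "aws_iam_role_policy" "invoke" {
  for_each = var.datasources
  role     = aws_iam_role.by_name[each.key].id
  policy   = data.aws_iam_policy_document.invoke[each.key].json
}
```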

@kyeotic
Author

kyeotic commented Nov 4, 2021

Upgrading to Terraform 1.0 fixed this issue, for any future readers.

@antonbabenko
Member

It's good that it has fixed the problem in your case but there are several other cases when an upgrade does not help (unfortunately).

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2022