Invalid for_each argument regarding create_role #188

Closed
awanaut opened this issue Feb 17, 2022 · 6 comments · Fixed by #189

awanaut commented Feb 17, 2022

Description

Create_role doesn't seem to be functioning. If I leave the default or explicitly say it = true then I receive an Invalid for_each argument error when applying. Using latest module version from yesterday's merge.

│ Error: Invalid for_each argument

│ on .terraform/modules/iam-eks-role/modules/iam-eks-role/main.tf line 76, in resource "aws_iam_role_policy_attachment" "custom":
│ 76: for_each = var.create_role ? toset(var.role_policy_arns) : []
│ ├────────────────
│ │ var.create_role is true
│ │ var.role_policy_arns is list of string with 1 element

│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot
│ predict how many instances will be created. To work around this, use the -target argument to first apply only
│ the resources that the for_each depends on.

Versions

Terraform v1.1.3
├── provider[registry.terraform.io/hashicorp/tls]
├── provider[registry.terraform.io/hashicorp/null]
├── provider[registry.terraform.io/hashicorp/aws] >= 3.64.0
├── provider[registry.terraform.io/hashicorp/helm] 2.4.1
├── module.eks
│   ├── provider[registry.terraform.io/hashicorp/tls] >= 2.2.0
│   ├── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0
│   ├── module.eks_managed_node_group
│   │   ├── provider[registry.terraform.io/hashicorp/cloudinit] >= 2.0.0
│   │   ├── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0
│   │   └── module.user_data
│   │       └── provider[registry.terraform.io/hashicorp/cloudinit] >= 2.0.0
│   ├── module.fargate_profile
│   │   └── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0
│   └── module.self_managed_node_group
│       ├── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0
│       ├── provider[registry.terraform.io/hashicorp/cloudinit] >= 2.0.0
│       └── module.user_data
│           └── provider[registry.terraform.io/hashicorp/cloudinit] >= 2.0.0
├── module.iam-eks-role
│   └── provider[registry.terraform.io/hashicorp/aws] >= 2.23.0
└── module.vpc
    └── provider[registry.terraform.io/hashicorp/aws] >= 3.63.0

Reproduction

Steps to reproduce the behavior:
No workspaces. Cleared cache. Error occurs when using the iam-eks-role module and create_role is set to true.

Attempted to use depends_on to attempt to force the correct creation order, but to no avail.

If I create the iam policy first and then perform a 2nd apply with module uncommented then the creation is successful. In short, works for creating the resources one at a time, but not if defined together.

Code Snippet to Reproduce

resource "aws_iam_policy" "alb_controller" {
  name        = "alb_controller"
  path        = "/"
  description = "IAM Policy that allows it to make calls to AWS APIs on your behalf"
  policy      = file("iam_policy.json")
}

module "iam-eks-role" {
  source    = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
  version   = "~> 4"
  role_name = "alb_controller"
  cluster_service_accounts = {
    (local.name) = ["default:alb_controller"]
  }
  provider_url_sa_pairs = { (module.eks.cluster_oidc_issuer_url) = ["default:alb_controller"] }
  force_detach_policies = true
  role_policy_arns      = [aws_iam_policy.alb_controller.arn]
}

Expected behavior

If create_role is set to true or the default is true, then the role gets created in IAM.

Actual behavior

Apply fails with error listed above.

@bryantbiggs
Member

You're most likely facing this issue: hashicorp/terraform#4149

@antonbabenko
Member

@bryantbiggs Probably, yes. I think we can rewrite line 76 like this to make it work:

for_each = toset([for v in var.role_policy_arns: v if var.create_role])

@antonbabenko
Member

This issue has been resolved in version 4.13.0 🎉


MadsRC commented Mar 17, 2022

This seems to still be an issue on 4.14.0

│ Error: Invalid for_each argument
│ 
│   on .terraform/modules/pl-echoserver.iam_role_for_service_account/modules/iam-role-for-service-accounts-eks/main.tf line 42, in resource "aws_iam_role_policy_attachment" "this":
│   42:   for_each = toset([for arn in var.role_policy_arns : arn if var.create_role])
│     ├────────────────
│     │ var.create_role is true
│     │ var.role_policy_arns is list of string with 1 element
│ 
│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first
│ apply only the resources that the for_each depends on.

@monisnap-jason

Hi, I'm having the exact same issue. Is there any workaround for this?

Thanks
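
An added example, not part of the thread and not the module's own code: with a set, the elements themselves become the `for_each` instance keys, so a set built from ARNs that are unknown until apply cannot be planned, with or without the `if var.create_role` filter. Keying `for_each` by a map whose keys are literals keeps the keys known at plan time. `role_name`, `local.role_policies` and the resource labels are assumptions for illustration; `iam_policy.json` is the reporter's file.

```hcl
# Added example; variable, local and resource names are hypothetical.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

variable "create_role" {
  description = "Mirrors the module's toggle."
  type        = bool
  default     = true
}

variable "role_name" {
  description = "Assumption: name of an IAM role that already exists."
  type        = string
}

# Created in the same apply, so its ARN is unknown during plan.
resource "aws_iam_policy" "alb_controller" {
  name   = "alb_controller"
  policy = file("iam_policy.json")
}

locals {
  # Keys are literals chosen by the author; only the values are unknown at plan time.
  role_policies = {
    alb_controller = aws_iam_policy.alb_controller.arn
  }
}

# Fails at plan with "Invalid for_each argument": the set's elements are the
# unknown ARNs, and set elements are used as the instance keys.
#   for_each = toset([for arn in values(local.role_policies) : arn if var.create_role])

resource "aws_iam_role_policy_attachment" "custom" {
  # Plans in a single apply: instance keys are the literal map keys, and the
  # filter condition is a known boolean. An empty map yields zero attachments.
  for_each = { for k, v in local.role_policies : k => v if var.create_role }

  role       = var.role_name
  policy_arn = each.value
}
```

Resource addresses become `aws_iam_role_policy_attachment.custom["alb_controller"]`, so renaming a map key destroys and recreates that attachment.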


github-actions bot commented Nov 8, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 8, 2022