Description
When making an IAM policy in the terraform to be included as an additional role policy, it fails with an error.
- [x] ✋ I have searched the open/closed issues and my issue is not listed.
Versions
- Module version [Required]: v2.0.1 (issue is also present with v2.1.0)
- Terraform version: 1.6.5
- Provider version(s): hashicorp/aws v5.65.0
Reproduction Code [Required]
Code in module:
```hcl
module "batch" {
  source = "terraform-aws-modules/batch/aws"
  # [...]
  instance_iam_role_additional_policies = [
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
  ]
  # [...]
}
```
In root module (main.tf):
```hcl
module "aws_batch" {
  source = "./modules/batch"
  # ...
  depends_on = [
    some_module,
  ]
}
```
Expected behavior
I expect it to not error.
Actual behavior
```text
Error: Invalid for_each argument
│
│ on .terraform/modules/aws_batch.aws_batch/main.tf line 175, in resource "aws_iam_role_policy_attachment" "service":
│ 175: for_each = var.create && var.create_service_iam_role ? toset(compact(distinct(concat([
│ 176: "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSBatchServiceRole"
│ 177: ], var.service_iam_role_additional_policies)))) : toset([])
│ ├────────────────
│ │ data.aws_partition.current.partition is a string, known only after apply
│ │ var.create is true
│ │ var.create_service_iam_role is true
│ │ var.service_iam_role_additional_policies is empty list of string
│
```
Terminal Output Screenshot(s)
```text
│ The "for_each" set includes values derived from resource attributes that
│ cannot be determined until apply, and so Terraform cannot determine the
│ full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to use a map
│ value where the keys are defined statically in your configuration and where
│ only the values contain apply-time results.
│
│ Alternatively, you could use the -target planning option to first apply
│ only the resources that the for_each value depends on, and then apply a
│ second time to fully converge.
```
Additional context
This problem was also occurring in the EKS module, and they solved it by making the additional policies a map: terraform-aws-modules/terraform-aws-eks#1766
There is a similar issue, #15, but that one is about dynamic extra policies. This issue is about the partition.
The only workaround we found is to disable the `depends_on` in main.tf, but then `terraform apply` works in an existing environment (updating an existing one) but not in a new environment (creating from scratch).
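To show what the map-keyed form the EKS fix uses looks like next to the set-based `for_each` from the error output, here is an added illustration; it is not code from the batch module or from the issue author, and it assumes a role resource named `aws_iam_role.service` and the variable names seen in the error message.

```hcl
# Added example (not the module's code). The set form in the error output keys
# instances by the policy ARN, which contains data.aws_partition.current.partition
# and is therefore unknown until apply. A map with static keys moves the unknown
# value into each.value, where Terraform allows it.

variable "create"                  { type = bool, default = true }
variable "create_service_iam_role" { type = bool, default = true }

# Caller passes a map instead of a list, e.g.:
#   service_iam_role_additional_policies = {
#     AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
#   }
variable "service_iam_role_additional_policies" {
  description = "Static key => policy ARN; values may be unknown at plan time"
  type        = map(string)
  default     = {}
}

data "aws_partition" "current" {}

locals {
  service_policies = merge(
    {
      # Key is a literal string, so the instance key set is known at plan time
      # even though the partition in the value is not.
      AWSBatchServiceRole = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSBatchServiceRole"
    },
    var.service_iam_role_additional_policies,
  )
}

resource "aws_iam_role_policy_attachment" "service" {
  # Keys: "AWSBatchServiceRole" plus whatever the caller named its entries.
  for_each = var.create && var.create_service_iam_role ? local.service_policies : {}

  role       = aws_iam_role.service[0].name # assumed name of the module's service role
  policy_arn = each.value
}
```

With static keys, a `depends_on` on the calling module no longer turns the partition lookup into a plan-time blocker for this resource, because `for_each` only needs the keys to be known.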
