avlcloudtechnologies / terraform-aws-sso

Terraform module to manage AWS Single Sign-On (SSO) resources.
Apache License 2.0

account_assignments variable fails to be parsed #10

Open saidmasoud opened 2 years ago

saidmasoud commented 2 years ago

Problem

The following HCL snippet:

module "sso" {
  source = "avlcloudtechnologies/sso/aws"

  permission_sets = {
    developers = {
      description      = "Developer permissions",
      session_duration = "PT12H",
      managed_policies = [
        "arn:aws:iam::aws:policy/1",
        "arn:aws:iam::aws:policy/2",
        "arn:aws:iam::aws:policy/3",
        # ... (further entries elided in the original post)
      ]
      inline_policy = data.aws_iam_policy_document.additional-dev-perms.json
    },
  }
  account_assignments = [
    {
      principal_name = "developers"
      principal_type = "GROUP"
      permission_set = "developers"
      account_ids    = ["1234567890", "2345678901"]
    },
  ]
}

Fails with the following reason specifically when running terraform import on an unrelated resource:

Error: Invalid for_each argument
│ 
│   on .terraform/modules/sso/main.tf line 96, in resource "aws_ssoadmin_account_assignment" "this":
│   96:   for_each = { for assignment in local.account_assignments : "${assignment.principal_name}.${assignment.permission_set.name}.${assignment.account_id}" => assignment }
│     ├────────────────
│     │ local.account_assignments is tuple with 2 elements
│ 
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot
│ determine the full set of keys that will identify the instances of this resource.
│ 
│ When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place
│ apply-time results only in the map values.
│ 
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and
│ then apply a second time to fully converge.

Workaround

Comment out the module, run terraform import, then uncomment the module.

purduemike commented 1 year ago

Could someone apply a fix here? This also happens when you're trying to create a new iam-policy and add it to a permission set in the same TF apply run.
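
An added example, not code from the terraform-aws-sso module or from either commenter: the key in the error above interpolates assignment.permission_set.name, and this sketch shows the pattern the error message recommends, building for_each keys only from the caller's input strings and keeping apply-time values (ARNs, group IDs) in the map values. The resource labels and local.assignments are hypothetical names, and only GROUP principals are handled.

```hcl
# Added sketch, not the module's code; labels are hypothetical, GROUP principals only.
variable "account_assignments" {
  type = list(object({
    principal_name = string
    principal_type = string
    permission_set = string
    account_ids    = list(string)
  }))
}
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  # Keys use only caller-supplied strings, so the full key set is known at plan time.
  assignments = merge([
    for a in var.account_assignments : {
      for id in a.account_ids :
      "${a.principal_name}.${a.permission_set}.${id}" => merge(a, { account_id = id })
    }
  ]...)
}

resource "aws_ssoadmin_permission_set" "this" {
  for_each     = toset([for a in var.account_assignments : a.permission_set])
  name         = each.key
  instance_arn = local.instance_arn
}

data "aws_identitystore_group" "this" {
  for_each          = toset([for a in var.account_assignments : a.principal_name])
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.key
    }
  }
}

resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = local.assignments
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.permission_set].arn # apply-time, value only
  principal_id       = data.aws_identitystore_group.this[each.value.principal_name].group_id
  principal_type     = each.value.principal_type
  target_id          = each.value.account_id
  target_type        = "AWS_ACCOUNT"
}
```

With keys of this shape, an IAM policy or permission set created in the same run contributes unknown values only to resource arguments, which Terraform can plan as "known after apply".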