search

cloudposse / terraform-aws-lambda-function

A module for launching Lambda Fuctions
https://cloudposse.com/accelerate
Apache License 2.0
30 stars 40 forks source link

fix: Allow for custom_iam_policy_arns that are unknown at apply #46

Closed natemccurdy closed 11 months ago

natemccurdy commented 11 months ago

what

Replace the toset() in the aws_iam_role_policy_attachment resource's for_each attribute with a map of name:ARN pairs.

why

Prior to this patch, specifying custom_iam_policy_arns for IAM Policies that do not exist yet and would be created in the same Terraform run that creates the Lambda Execution Role would cause the following error:

│ Error: Invalid for_each argument
│
│   on .terraform/modules/foo.test_lambda/iam-role.tf line 81, in resource "aws_iam_role_policy_attachment" "custom":
│   81:   for_each = local.enabled && length(var.custom_iam_policy_arns) > 0 ? var.custom_iam_policy_arns : toset([])
│     ├────────────────
│     │ local.enabled is true
│     │ var.custom_iam_policy_arns is set of string with 3 elements
│
│ The "for_each" set includes values derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to use a map value where the keys are defined statically in your configuration and where only the values contain apply-time results.
│
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.

This is due to the ARN's of those policies not being known at apply time and the usage of toset() in the aws_iam_role_policy_attachment resource's for_each parameter. As the set's values are unknown at apply time, Terraform can't create a dependency graph.

references

Similar issues with similar fixes in other CloudPosse modules:

Gowiem commented 11 months ago

@natemccurdy this looks great. Suggested a simple whitespace change. I just pinged at Cloud Posse again on getting an approval on the README issues you're running into in your other PRs, so we'll get those merged first, you can rebase this PR, and then we'll get it merged. Thanks for the patience!

aknysh commented 11 months ago

@natemccurdy thank you

can you please run the following commands and commit the changes

make init
make github/init
make readme
natemccurdy commented 11 months ago

@natemccurdy thank you

can you please run the following commands and commit the changes

Hi @aknysh, thanks for looking. I've got 3 other PR's with the exact same issue of the boilerplate and readmes being out of sync. I fixed that in one of those PR's, https://github.com/cloudposse/terraform-aws-lambda-function/pull/45 , so I was hoping that rather than do the same thing 3 times (one for each PR), I can just rebase after merging https://github.com/cloudposse/terraform-aws-lambda-function/pull/45 and only have to do it once.

aknysh commented 11 months ago

@natemccurdy thank you can you please run the following commands and commit the changes

Hi @aknysh, thanks for looking. I've got 3 other PR's with the exact same issue of the boilerplate and readmes being out of sync. I fixed that in one of those PR's, #45 , so I was hoping that rather than do the same thing 3 times (one for each PR), I can just rebase after merging #45 and only have to do it once.

https://github.com/cloudposse/terraform-aws-lambda-function/pull/45 is approved and merged, thank you. Please rebase the other PRs

natemccurdy commented 11 months ago

Done. Thanks for your help @aknysh !

milldr commented 11 months ago

/terratest

natemccurdy commented 11 months ago

Thanks @milldr 🍻