cloudposse / terraform-aws-lambda-function

A module for launching Lambda Functions
https://cloudposse.com/accelerate
Apache License 2.0

Allow for custom_iam_policy_arns that are unknown during terraform apply #72

Open thakurchander opened 1 month ago

thakurchander commented 1 month ago

Describe the Bug

Getting the below-mentioned error:

╷
│ Error: Invalid for_each argument
│
│   on .terraform\modules\data_science_lambda.data_science_lambda\iam-role.tf line 89, in resource "aws_iam_role_policy_attachment" "custom":
│   89:   for_each = local.enabled ? local.custom_iam_policy_arns_map : {}
│     ├────────────────
│     │ local.custom_iam_policy_arns_map will be known only after apply
│     │ local.enabled is true
│
│ The "for_each" map includes keys derived from resource attributes that
│ cannot be determined until apply, and so Terraform cannot determine the
│ full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to define the map
│ keys statically in your configuration and place apply-time results only in
│ the map values.
│
│ Alternatively, you could use the -target planning option to first apply
│ only the resources that the for_each value depends on, and then apply a
│ second time to fully converge.
╵

=====================================================

Expected Behavior

Policy should be created and aligned with the Lambda role at runtime along with the AWS Lambda function.

Steps to Reproduce

Sample Code:

locals {
  enabled = module.this.enabled

  # The policy ARN is a resource attribute, so it is unknown until apply.
  custom_iam_policy_arns = [
    aws_iam_policy.custom_s3_policy.arn
  ]

  s3_lambda_environment = var.abc_lambda_env == null ? null : { variables = var.abc_lambda_env }
}

data "aws_iam_policy_document" "custom_s3_policy" {
  version = "2012-10-17"

  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${data.terraform_remote_state.abc_bucket_id.outputs.bucket_id}"]
  }

  statement {
    actions = [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:ListSecrets",
      "secretsmanager:ListSecretVersionIds"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "custom_s3_policy" {
  name        = "${module.this.id}-access-policy"
  description = "Custom policy to allow access to one S3 bucket only."
  policy      = data.aws_iam_policy_document.custom_s3_policy.json
  tags        = module.this.tags
}

data "terraform_remote_state" "abc_bucket_id" {
  backend = "s3"

  config = {
    bucket = var.abc_tfstate_bucket_name
    key    = var.abc_s3_bucket_key
    region = "XXX"
  }
}

module "abc_lambda" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.5"

  enabled                = true
  function_name          = module.this.id
  description            = "Lambda test."
  s3_bucket              = var.s3_lambda_s3_bucket
  s3_key                 = var.s3_lambda_s3_key
  runtime                = var.s3_lambda_runtime
  handler                = var.s3_lambda_handler
  lambda_environment     = local.s3_lambda_environment
  architectures          = ["x86_64"]
  memory_size            = var.s3_lambda_memory_size
  ephemeral_storage_size = var.s3_lambda_storage_size
  timeout                = var.s3_lambda_timeout
  custom_iam_policy_arns = local.custom_iam_policy_arns
  context                = module.this.context
  vpc_config             = var.abc_lambda_vpc_config
}

resource "aws_lambda_permission" "allow_s3" {
  statement_id  = "AllowExecutionFromS3"
  action        = "lambda:InvokeFunction"
  function_name = module.abc_lambda.function_name
  principal     = "s3.amazonaws.com"
  source_arn    = data.terraform_remote_state.abc_bucket_id.outputs.bucket_arn
}

Screenshots

No response

Environment

No response

Additional Context

No response
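A caller-side workaround for the error reported above, added here as an example; it is not from the issue author or from the module. It follows the advice in the error message: keep every for_each key a literal and put the apply-time ARN only in the map value, then declare the attachment outside the module. It assumes the module exposes the created role's name as the output `role_name` and accepts an empty `custom_iam_policy_arns` list; neither is confirmed on this page.

```hcl
# Hypothetical workaround, not module code. Assumption: the module exports the
# created IAM role's name as `role_name`.

# Before: a for_each keyed by the ARN itself, the shape the error message
# describes. The key is unknown until aws_iam_policy.custom_s3_policy exists,
# so `terraform plan` fails with "Invalid for_each argument".
#
#   for_each = { for arn in local.custom_iam_policy_arns : arn => arn }

# After: keys are literals chosen by the author; only the values are unknown.
locals {
  # static key => apply-time ARN; add further entries with their own literal keys
  custom_policy_attachments = {
    custom_s3 = aws_iam_policy.custom_s3_policy.arn
  }
}

module "abc_lambda" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.5"

  function_name = module.this.id
  # Leave the module's own list empty so the policy is attached exactly once,
  # by the resource below (a second attachment of the same ARN would be
  # detached whenever either copy is destroyed).
  custom_iam_policy_arns = []
  context                = module.this.context
  # remaining arguments as in the issue
}

# Declared outside the module: the map keys are known at plan time, so Terraform
# can enumerate the instances before the policy ARN is known.
resource "aws_iam_role_policy_attachment" "custom" {
  for_each = module.this.enabled ? local.custom_policy_attachments : {}

  role       = module.abc_lambda.role_name # assumed output name
  policy_arn = each.value
}
```

Separately from the for_each error, the second statement of the issue's policy grants four secretsmanager actions on resources = ["*"]; scoping it to the ARNs of the secrets the function actually reads is the least-privilege form.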