terraform-aws-modules / terraform-aws-acm

Terraform module to create AWS ACM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/acm/aws
Apache License 2.0

Dependency Cycle error #131

Closed KalenWessel closed 1 year ago

KalenWessel commented 1 year ago

Description

I'm attempting to follow the example using multiple providers to create certificates in one account and DNS validation in another account.

Versions

Reproduction Code [Required]

locals {
  ingress_fqdn = ["example-domain1.com"]
}

module "additional_ingress_acm" {
  for_each = toset(local.ingress_fqdn)
  source   = "terraform-aws-modules/acm/aws"
  version  = "~> v4.3.2"

  domain_name = each.value

  subject_alternative_names = [
    "*.k8s.${each.value}",
    "*.${each.value}",
  ]

  create_route53_records  = false
  validation_record_fqdns = module.additional_ingress_acm_route53_records[each.value].validation_route53_record_fqdns
}

module "additional_ingress_acm_route53_records" {
  for_each = toset(local.ingress_fqdn)
  source   = "terraform-aws-modules/acm/aws"
  version  = "~> 4.3.2"

  providers = {
    aws = aws.parent_dns_account
  }

  create_certificate          = false
  create_route53_records_only = true

  distinct_domain_names = module.additional_ingress_acm[each.value].distinct_domain_names
  zone_id               = "Z266PL4W4W6MSG" # hardcoded for testing

  acm_certificate_domain_validation_options = module.additional_ingress_acm[each.value].acm_certificate_domain_validation_options
}

Steps to reproduce the behavior:

terraform init
terraform plan

Expected behavior

I would expect to see ACM certs in the default AWS provider account and Route53 txt records for validation in my AWS parent dns account.

Actual behavior

│ Error: Cycle: module.additional_ingress_acm_route53_records.output.acm_certificate_arn (expand), module.additional_ingress_acm_route53_records (close), module.additional_ingress_acm (close), module.additional_ingress_acm_route53_records.var.acm_certificate_domain_validation_options (expand), module.additional_ingress_acm_route53_records.local.validation_domains (expand), module.additional_ingress_acm_route53_records.output.validation_domains (expand), module.additional_ingress_acm_route53_records.output.distinct_domain_names (expand), module.additional_ingress_acm_route53_records.output.validation_route53_record_fqdns (expand), module.additional_ingress_acm.var.validation_record_fqdns (expand), module.additional_ingress_acm.aws_acm_certificate_validation.this, module.additional_ingress_acm.output.acm_certificate_arn (expand), module.additional_ingress_acm_route53_records.var.distinct_domain_names (expand), module.additional_ingress_acm_route53_records.local.distinct_domain_names (expand), module.additional_ingress_acm_route53_records.aws_route53_record.validation, module.additional_ingress_acm_route53_records.aws_acm_certificate_validation.this

antonbabenko commented 1 year ago

I don't see the issue immediately. Could you try simplifying it by removing for_each from both?

If it still doesn't work, try running example 2 as-is - https://github.com/terraform-aws-modules/terraform-aws-acm/blob/27e32f53cd6cbe84287185a37124b24bd7664e03/examples/complete-dns-validation/main.tf#L54-L101

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days.

github-actions[bot] commented 1 year ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.