terraform-aws-modules / terraform-aws-batch

Terraform module to create AWS Batch resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/batch/aws
Apache License 2.0

Invalid for_each argument when passing a IAM policy resource #15

Closed thatarchguy closed 1 year ago

thatarchguy commented 1 year ago

Description

When making an IAM policy in the terraform to be included as an additional role policy, it fails with an error.

Steps to reproduce the behavior:


module "batch" {
  source = "terraform-aws-modules/batch/aws"
[...]
  instance_iam_role_additional_policies = [
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    # ARN of a policy managed in the same configuration; unknown until apply
    aws_iam_policy.bucket.arn
  ]
[...]
}

resource "aws_iam_policy" "bucket" {
  name   = "bucket"
  path   = "/"
  policy = data.aws_iam_policy_document.bucket.json
}

data "aws_iam_policy_document" "bucket" {
  statement {
    effect = "Allow"

    actions = [
      "s3:ListBucket",
    ]
    # resources must be a list of quoted ARN strings
    resources = ["arn:aws:s3:::mybucket"]
  }
}

Expected behavior

I expect it to not error.

Actual behavior

│ Error: Invalid for_each argument
│ 
│   on .terraform/modules/batch/main.tf line 101, in resource "aws_iam_role_policy_attachment" "instance":
│  101:   for_each = var.create && var.create_instance_iam_role ? toset(compact(distinct(concat([
│  102:     "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
│  103:   ], var.instance_iam_role_additional_policies)))) : toset([])
│     ├────────────────
│     │ data.aws_partition.current.partition is "aws"
│     │ var.create is true
│     │ var.create_instance_iam_role is true
│     │ var.instance_iam_role_additional_policies is list of string with 2 elements
│ 
│ The "for_each" set includes values derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set
│ of keys that will identify the instances of this resource.
│ 

I managed to get it to work by specifying the policy directly, but I shouldn't have to:

module "batch" {
  source = "terraform-aws-modules/batch/aws"
[...]
  instance_iam_role_additional_policies = [
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    # hard-coded literal ARN, known at plan time
    "arn:aws:iam::11111111111:policy/bucket"
  ]
[...]
}

Additional context

This problem was occurring in the EKS module and they solved it by making the additional policies a map: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/1766

iam_role_additional_policies = {
  ssm      = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
  registry = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
}

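The map-keyed approach from the EKS pull request, sketched against this module's variable name as an added example (hypothetical rewrite, not the module's own code; data.aws_partition.current, aws_iam_role.instance and the caller's aws_iam_policy.bucket are assumed names). The point is that for_each over a map only needs the keys at plan time, so an ARN that is unknown until apply no longer breaks the plan:

```hcl
# Module side (hypothetical): callers choose a stable key per policy.
variable "instance_iam_role_additional_policies" {
  description = "Map of stable key => IAM policy ARN to attach to the instance role"
  type        = map(string)
  default     = {}
}

locals {
  instance_policies = merge(
    {
      # Baseline policy the module always attaches (same ARN as in the error output)
      ecs_for_ec2 = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
    },
    var.instance_iam_role_additional_policies
  )
}

resource "aws_iam_role_policy_attachment" "instance" {
  # Keys ("ecs_for_ec2", "ssm", "bucket") are literals, so Terraform can plan
  # the attachment set even though some values resolve only at apply.
  for_each = var.create && var.create_instance_iam_role ? local.instance_policies : {}

  role       = aws_iam_role.instance[0].name # assumed instance-role resource
  policy_arn = each.value
}

# Caller side (root module): aws_iam_policy.bucket.arn is still unknown at
# plan time, but the key "bucket" is static, so the plan succeeds and each
# attachment keeps a readable, stable address in state.
module "batch" {
  source = "terraform-aws-modules/batch/aws"

  instance_iam_role_additional_policies = {
    ssm    = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
    bucket = aws_iam_policy.bucket.arn
  }
}
```
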
github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 1 year ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.