terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

additive mode fails for sensitive values #174

Closed Shaked closed 1 year ago

Shaked commented 1 year ago

### TL;DR

Cannot use additive mode as it fails for sensitive values:

```
│ Error: Invalid for_each argument
│
│   on .terraform/modules/projects_iam_bindings/modules/projects_iam/main.tf line 52, in resource "google_project_iam_member" "project_iam_additive":
│   52:   for_each = module.helper.set_additive
│     ├────────────────
│     │ module.helper.set_additive has a sensitive value
│
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.
╵
```

### Expected behavior

Should plan and apply successfully

### Observed behavior

Plan failed due to sensitive values:

```
│ Error: Invalid for_each argument
│
│   on .terraform/modules/projects_iam_bindings/modules/projects_iam/main.tf line 52, in resource "google_project_iam_member" "project_iam_additive":
│   52:   for_each = module.helper.set_additive
│     ├────────────────
│     │ module.helper.set_additive has a sensitive value
│
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.
╵
```

### Terraform Configuration

```hcl
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.41.0"
    }
  }
}

provider "google" {
  credentials = data.azurerm_key_vault_secret.sa.value
  project     = var.project_id
}

locals {
  group_roles = {
    for role_name, groups in var.gcp_groups_roles : role_name => [
      for group in groups : "group:${group}@${var.google_domain}"
    ]
  }

  service_account_roles = {
    for role_name, service_accounts in var.gcp_service_accounts_roles : role_name => [
      for service_account in service_accounts : "serviceAccount:${service_account}@${local.project_id}.iam.gserviceaccount.com"
    ]
  }

  roles = distinct(concat(keys(local.group_roles), keys(local.service_account_roles)))
  gcp_roles = {
    for role in local.roles : role => distinct(flatten([
      try(local.group_roles[role], []),
      try(local.service_account_roles[role], [])
    ]))
  }
}

module "projects_iam_bindings" {
  source   = "terraform-google-modules/iam/google//modules/projects_iam"
  version  = "7.4.1"
  projects = ["${var.project_id}"]
  bindings = local.gcp_roles
  mode     = "additive"
}
```

### Terraform Version

```
╰─$ tf version
Terraform v1.3.4
on darwin_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.32.0
+ provider registry.terraform.io/hashicorp/google v4.41.0

Your version of Terraform is out of date! The latest version
is 1.3.6. You can update by downloading from https://www.terraform.io/downloads.html
```

### Additional information

I created a test to generate the role structure so some details might be useful for constructing the data structure:

```hcl
locals {
  g1 = {
    "roles/owner"  = ["test1", "test2"]
    "roles/viewer" = ["test3", "test2"]
    "roles/random" = ["test3", "test2"]
  }
  g2 = {
    "roles/owner"   = ["abc", "def"]
    "roles/viewer"  = ["gec", "ccc"]
    "roles/viewer1" = ["gecb", "caa"]
  }

  sa = {
    for role_name, sas in local.g2 : role_name => [
      for sa in sas : "serviceAccount:${sa}@project_id.iam.gserviceaccount.com"
    ]
  }
  groups = {
    for role_name, groups in local.g1 : role_name => [
      for group in groups : "group:${group}@test.com"
    ]
  }
  roles = distinct(concat(keys(local.g1), keys(local.g2)))

  all = {
    for role in local.roles : role => distinct(flatten([
      try(local.sa[role], []),
      try(local.groups[role], [])
    ]))
  }
}

output "sa" {
  value = local.sa
}

output "groups" {
  value = local.groups
}

output "all" {
  value = local.all
}
```
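A minimal reproducer of the `for_each` failure described in this issue, and the two ways out of it, written as an added example rather than code from the issue or from the module. It assumes the sensitive mark enters through a variable declared `sensitive = true` (the post does not show where its values become sensitive); the variable names and sample data are constructed.

```hcl
# Added reproducer, not from the issue. Assumes the sensitive taint enters
# through a variable marked sensitive (the issue does not show its origin).
variable "project_id" {
  type      = string
  sensitive = true # hypothetical; every string interpolating it becomes sensitive
}

variable "service_accounts_roles" {
  type    = map(list(string))
  default = { "roles/viewer" = ["ci-runner", "deployer"] } # constructed sample
}

locals {
  # Interpolation propagates the sensitive mark, and flatten()/distinct()
  # carry it through to the whole collection, which is what for_each rejects.
  members = distinct(flatten([
    for role, sas in var.service_accounts_roles : [
      for sa in sas :
      "${role}|serviceAccount:${sa}@${var.project_id}.iam.gserviceaccount.com"
    ]
  ]))
}

# Fails at plan time with "Invalid for_each argument": each key would be
# written in clear text into the plan output and the state file.
# resource "google_project_iam_member" "broken" {
#   for_each = toset(local.members)
#   ...
# }

# Fix A (preferred): build member identities only from non-sensitive inputs,
# e.g. a plain project id variable or a data source, so no taint reaches the keys.
# Fix B: declassify explicitly. nonsensitive() strips the mark, which is a
# deliberate decision that role/member pairs may appear as resource keys in
# plan output and state; check that the key carries no secret material first.
resource "google_project_iam_member" "additive" {
  for_each = toset(nonsensitive(local.members))

  project = var.project_id
  role    = split("|", each.key)[0]
  member  = split("|", each.key)[1]
}
```

Whichever fix is used, the identities end up as plain-text instance keys, so state-file access controls matter as much as the `sensitive` flag.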

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

eric-sailfish commented 7 months ago

Frustrating to see Google being bad at support here. But, alas...they're a cloud provider and they provided poor code.