account_assignments variable fails to be parsed #10

Open
saidmasoud opened this issue Oct 10, 2022 · 1 comment

@saidmasoud

Problem

The following HCL snippet:

module "sso" {
  source = "avlcloudtechnologies/sso/aws"

  permission_sets = {
    developers = {
      description      = "Developer permissions",
      session_duration = "PT12H",
      managed_policies = [
        "arn:aws:iam::aws:policy/1",
        "arn:aws:iam::aws:policy/2",
        "arn:aws:iam::aws:policy/3",
        # ... (further entries elided in the original report)
      ],
      inline_policy = data.aws_iam_policy_document.additional-dev-perms.json
    },
  }
  account_assignments = [
    {
      principal_name = "developers"
      principal_type = "GROUP"
      permission_set = "developers"
      account_ids    = ["1234567890", "2345678901"]
    },
  ]
}

Fails with the following reason specifically when running terraform import on an unrelated resource:

Error: Invalid for_each argument
│ 
│   on .terraform/modules/sso/main.tf line 96, in resource "aws_ssoadmin_account_assignment" "this":
│   96:   for_each = { for assignment in local.account_assignments : "${assignment.principal_name}.${assignment.permission_set.name}.${assignment.account_id}" => assignment }
│     ├────────────────
│     │ local.account_assignments is tuple with 2 elements
│ 
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot
│ determine the full set of keys that will identify the instances of this resource.
│ 
│ When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place
│ apply-time results only in the map values.
│ 
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and
│ then apply a second time to fully converge.

Workaround

Comment out the module, run terraform import, then uncomment the module.

@aurimasmick self-assigned this Feb 26, 2023
@purduemike

Could someone apply a fix here? This also happens when you're trying to create a new iam-policy and add it to permissions set in the same TF apply run.
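
The advice in the error text above (static map keys, apply-time results only in the values), as an added example that is not the module's code and not part of either comment. `terraform_data` (Terraform 1.4 or later) stands in for the AWS SSO resources so the configuration plans without credentials; all resource and local names are hypothetical, and it assumes the unknown part of the key is an attribute read back from the permission set resource.

```hcl
# Added example, not the module's code. Needs Terraform >= 1.4 (terraform_data).
variable "account_assignments" {
  type = list(object({
    principal_name = string
    principal_type = string
    permission_set = string
    account_ids    = list(string)
  }))
  default = [{ # constructed sample input, same shape as in the issue
    principal_name = "developers"
    principal_type = "GROUP"
    permission_set = "developers"
    account_ids    = ["1234567890", "2345678901"]
  }]
}

# Stand-in for the permission set resource: "id" is unknown until apply,
# like any attribute read back from a resource that does not exist yet.
resource "terraform_data" "permission_set" {
  for_each = toset([for a in var.account_assignments : a.permission_set])
  input    = each.key
}

locals {
  # One object per (principal, permission set, account), built from inputs only.
  assignments = flatten([
    for a in var.account_assignments : [
      for account_id in a.account_ids : merge(a, { account_id = account_id })
    ]
  ])
}

# Unknown key: uncommenting this reproduces "Invalid for_each argument" on a fresh plan.
# resource "terraform_data" "assignment_bad" {
#   for_each = { for a in local.assignments :
#     "${a.principal_name}.${terraform_data.permission_set[a.permission_set].id}.${a.account_id}" => a }
# }

# Static key from input strings; the apply-time attribute appears only in the value.
resource "terraform_data" "assignment" {
  for_each = { for a in local.assignments :
    "${a.principal_name}.${a.permission_set}.${a.account_id}" => a }
  input = {
    permission_set_id = terraform_data.permission_set[each.value.permission_set].id
    account_id        = each.value.account_id
  }
}
```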
