Error: Invalid for_each argument

[mliner]

Description

Hey, I am using the step-functions module in my application and I am having this issue:

│ Error: Invalid for_each argument │ │ on .terraform/modules/state-machine/main.tf line 76, in data "aws_iam_policy_document" "service": │ 76: for_each = local.create_role && var.attach_policies_for_integrations ? try(tomap(var.service_integrations), var.service_integrations) : tomap({}) │ ├──────────────── │ │ local.create_role is true │ │ var.attach_policies_for_integrations is true │ │ var.service_integrations is object with 2 attributes │ │ The "for_each" value depends on resource attributes that cannot be │ determined until apply, so Terraform cannot predict how many instances will │ be created. To work around this, use the -target argument to first apply │ only the resources that the for_each depends on. ╵

I am not entirely sure why this happens because I am using only standard available service integrations.

⚠️ Note

Before you submit an issue, please perform the following first:

1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
2. Re-initialize the project root to pull down modules: terraform init
3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

• Terraform: ~>0.14
• Provider(s): aws - v3.44.0
• Module: 2.3.0

Code Snippet to Reproduce

` service_integrations = {
lambda = {
lambda = [
module.lambda1.lambda_arn,
module.lambda2.lambda_arn,
module.lambda3.lambda_arn
]
}
ecs_Sync = {
ecs = [module.fargate.task_definition_arn]
events = ["arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForECSTaskRule"]
}
}

attach_policy_json = true
policy_json = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "iam:PassRole",
"Resource": "*",
"Effect": "Allow",
"Sid": ""
}
]
}
POLICY`

Actual behavior

Failing on:
╷ │ Error: Invalid for_each argument │ │ on .terraform/modules/state-machine/main.tf line 76, in data "aws_iam_policy_document" "service": │ 76: for_each = local.create_role && var.attach_policies_for_integrations ? try(tomap(var.service_integrations), var.service_integrations) : tomap({}) │ ├──────────────── │ │ local.create_role is true │ │ var.attach_policies_for_integrations is true │ │ var.service_integrations is object with 2 attributes │ │ The "for_each" value depends on resource attributes that cannot be │ determined until apply, so Terraform cannot predict how many instances will │ be created. To work around this, use the -target argument to first apply │ only the resources that the for_each depends on.

[antonbabenko]

Unfortunately, you hit a limitation of Terraform which is described here - hashicorp/terraform#4149

The solution is:

To work around this, use the -target argument to first apply only the resources that the for_each depends on.

[mliner]

@antonbabenko thanks, but it is not entirely clear for me why it happens now, because this issue is happening only when I am applying it via pipeline (bitbucket in this case). when I do a plan and apply localy everything works correctly. So it might be an issue of some library version or so?

[antonbabenko]

This issue was there since the early days of Terraform. The difference you experience can be related to the fact that different environments (on CI and when running locally) starting from different bases. One environment has Lambda function already created and it succeeds.

[mliner]

@antonbabenko I've applied all lambdas (that are part of the service_intergrations) - also tried to add depends_on statement in the step-functions in order to wait for lambdas to create but still getting the error:
`Error: Invalid for_each argument

on .terraform/modules/state-machine/main.tf line 76, in data "aws_iam_policy_document" "service":
76: for_each = local.create_role && var.attach_policies_for_integrations ? try(tomap(var.service_integrations), var.service_integrations) : tomap({})

The "for_each" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the for_each depends on.`

[antonbabenko]

Make sure that you apply all resources/modules mentioned in service_integrations (not just Lambdas). You also have module.fargate.task_definition_arn mentioned there. depends_on won't help unfortunately.

[Luk3rson]

I had the same issue.
Since I am running tf in CI/CD pipeline via GitLab my process is the same.
I am removing the .terraform as you do.

The only workaround I can see here is to:

1. Split the role creation based on input variable e.g, create_sagemaker_role = true (Example here: terraform-aws-modules/eventbridge/aws)
2. Create your own role using other module (Example here: terraform-aws-modules/iam/aws//modules/iam-assumable-role)

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[davidski]

Please keep this issue open. This is a major problem using this module.

[antonbabenko]

This issue has been resolved in version 2.5.2 🎉

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.