terraform-google-iam
Error upgrading the module version.
terraform --version
Terraform v0.12.19
+ provider.external v1.2.0
+ provider.google v3.5.0
+ provider.google-beta v3.5.0
+ provider.null v2.1.2
+ provider.random v2.2.1
The mentioned bucket does exist.
module "storage_buckets_iam_bindings" {
  source          = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
  version         = "5.1" # used to be ~ 4.0
  storage_buckets = [google_storage_bucket.staging_bucket_tools.id]
  mode            = "additive"
  bindings = {
    "roles/storage.legacyBucketReader" = [
      module.external_service_accounts.janus_deploy_service_account,
    ]
    "roles/storage.objectAdmin" = [
      module.external_service_accounts.janus_deploy_service_account,
    ]
    "roles/storage.objectViewer" = [
      module.external_service_accounts.janus_deploy_service_account,
      module.data_pipeline_project.cloud_functions_service_account,
      "serviceAccount:${module.data_pipeline_project.project_number}@cloudservices.gserviceaccount.com",
    ]
  }
} # closing brace of the module block, missing from the pasted snippet
terraform apply
causes
Error: Invalid for_each argument
on .terraform/modules/hsq-dev.storage_buckets_iam_bindings/terraform-google-modules-terraform-google-iam-01965a1/modules/storage_buckets_iam/main.tf line 41, in resource "google_storage_bucket_iam_member" "storage_bucket_iam_additive":
41: for_each = module.helper.set_additive
The "for_each" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the for_each depends on.
Fixing this issue is very important to us and if it's not addressed soon, we will have to switch to using the primitive equivalent resources such as google_storage_bucket_iam_member in order to achieve the same thing as the module.
Is there an update for this? Or even a workaround? I just ran into it too.
This should be working in 6.0.
@robbieheywood Do you mind sharing a configuration where this is breaking?
I'm also encountering this issue, and what I found is that, in this instance, calling for_each does not seem to be recursing down the resource dependency chain.
For example, if I am wanting to apply IAM bindings to a folder in the same sweep (in the same call) where the folder is being created, and I reference the list of folders by their resource name, the resources are not being computed and I am getting that same error.
For example:
resource "google_folder" "csi" {
  display_name = "Core Services Infra"
  parent       = data.terraform_remote_state.gcp_org_core.outputs.organization.name
}
module "folder-iam-bindings" {
  source  = "terraform-google-modules/iam/google//modules/folders_iam"
  mode    = "additive"
  version = "~> 6.0.0"
  folders = [ "${google_folder.csi.id}"]
  bindings = {
    "roles/owner" = [
      "user:${var.user_email}",
    ]
  }
}
^^ This doesn't work because the resource recursive computation is not happening.
However, this works:
module "folder-iam-bindings" {
  source  = "terraform-google-modules/iam/google//modules/folders_iam"
  mode    = "additive"
  version = "~> 6.0.0"
  folders = ["284803016041"]
  bindings = {
    "roles/owner" = [
      "user:${var.user_email}",
    ]
  }
}
And also this works,
module "folder-iam-bindings" {
  source  = "terraform-google-modules/iam/google//modules/folders_iam"
  mode    = "additive"
  version = "~> 6.0.0"
  folders = [ data.terraform_remote_state.gcp_folders_core.outputs.dev_folder.id ]
  bindings = {
    "roles/owner" = [
      "user:${var.user_email}",
    ]
  }
}
I didn't have time to dive deeper for now, but I HTH!
@morgante This for_each error currently happens on all modules in this repo, when passing a list of ${module.XXX} or ${resource_name.XXX} as projects/folders/etc.
Something we are doing in the set_additive and set_authoritative is causing terraform to not know how many elements are being passed.
It's probably the toset( and distinct( which would clearly make Terraform unable to determine how many elements are in the list until after it knows the values of the strings. Is there any way we can remove the need for those calls?
This issue makes these modules effectively useless in their current state.
@morgante To be precise, the issue tends to occur when you have ${module.XXX} or ${resource_name.XXX} in bindings.
I get this error with mode = "additive", but not with mode = "authoritative".
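The fallback mentioned at the top of the thread (plain google_storage_bucket_iam_member resources), written out as an added example; it is not code from the issue or from the module. Terraform needs the for_each keys at plan time, so the map below uses literal keys and leaves only the values computed. The resource names, bucket name, account ID and map keys are assumptions made up for illustration.

```hcl
# Added example, not the module's code. All names below are constructed.

resource "google_storage_bucket" "staging" {
  name     = "example-staging-bucket" # placeholder bucket name
  location = "US"
}

resource "google_service_account" "deploy" {
  account_id = "example-deploy" # placeholder account ID
}

locals {
  # The keys are literal strings, so the number of instances is known at plan
  # time. Only the member values depend on a resource created in the same apply.
  bucket_bindings = {
    "legacy-bucket-reader/deploy" = {
      role   = "roles/storage.legacyBucketReader"
      member = "serviceAccount:${google_service_account.deploy.email}"
    }
    "object-admin/deploy" = {
      role   = "roles/storage.objectAdmin"
      member = "serviceAccount:${google_service_account.deploy.email}"
    }
    "object-viewer/deploy" = {
      role   = "roles/storage.objectViewer"
      member = "serviceAccount:${google_service_account.deploy.email}"
    }
  }
}

# Additive (non-authoritative) grants: one IAM member per map entry.
# Each instance is addressed by its static key, for example
# google_storage_bucket_iam_member.staging["object-admin/deploy"].
resource "google_storage_bucket_iam_member" "staging" {
  for_each = local.bucket_bindings

  bucket = google_storage_bucket.staging.name
  role   = each.value.role
  member = each.value.member
}
```

Wrapping the computed member strings in toset() instead would make the for_each keys themselves unknown until apply, which is the condition the error message in this thread describes.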