Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot create deployment principal and the CDN in the same terraform run #257

Open
abeluck opened this issue Feb 14, 2023 · 1 comment
Open

Cannot create deployment principal and the CDN in the same terraform run #257

abeluck opened this issue Feb 14, 2023 · 1 comment
Labels
bug 🐛 An issue with the system

Comments

@abeluck
Copy link

abeluck commented Feb 14, 2023
edited

Describe the Bug

I would like to create an IAM user and make it the deployment principal in the same terraform execution.

But this isn't possible due to the use of dynamic map keys.

This seems like a very simple and common use-case.

Expected Behavior

I expect to be able to create my deployment principal and the CDN in one go.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Run the tf module below
resource "aws_iam_user" "deploy_user" {
  name = module.this.id
  tags = module.this.tags
}

module "cdn" {
  source                              = "cloudposse/cloudfront-s3-cdn/aws"
  version                             = "0.86.0"
  context                             = module.this.context
  cloudfront_access_logging_enabled   = true
  cloudfront_access_log_create_bucket = true
  deployment_principal_arns = {
    (aws_iam_user.deploy_user.arn) = [""]
    # this also doesn't work
    # "${aws_iam_user.deploy_user.arn}" = [""]
  }
}

Result:

╷
│ Error: Invalid for_each argument
│ 
│   on .terraform/modules/cdn/main.tf line 191, in data "aws_iam_policy_document" "deployment":
│  191:   for_each = local.enabled ? var.deployment_principal_arns : {}
│     ├────────────────
│     │ local.enabled is true
│     │ var.deployment_principal_arns is a map of list of string, known only after apply
│ 
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
│ 
│ When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place apply-time results only in the map values.
│ 
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.

Environment (please complete the following information):

Anything that will help us triage the bug will help. Here are some ideas:

  • TF version 1.3.8

Additional Info

Hashicorp recommends storing only known values in map keys, and leaving all dynamic/unknown values in the map values (source0, source1).

Fixing it I think will require deprecating the existing deployment_principal_arns variable, and adding a new one that uses a map of objects:

...
  deployment_principal_arns = {
    "deploy_user1" : {
      "arn" : aws_iam_user.deploy_user.arn,
      "path_prefix" : ""
    }
  }
...
@abeluck abeluck added the bug 🐛 An issue with the system label Feb 14, 2023
abeluck added a commit to abeluck/terraform-aws-cloudfront-s3-cdn that referenced this issue Feb 14, 2023
@abeluck
bugfix deprecate deployment_principal_arns (cloudposse#257)
4b0620c 
This patch refactors the passing of deployment principals, such that it
uses static/known map keys. This allows this module to be applied at the
same time as the deployment principal (e.g., an iam user) is is
deployed.

Hashicorp recommends storing only known values in map keys, and leaving
all dynamic/unknown values in the map values
([source0](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#limitations-on-values-used-in-for_each),
[source1](hashicorp/terraform#30838 (comment))).
@abeluck abeluck mentioned this issue Feb 14, 2023
Closed
@abeluck
Copy link
Author

abeluck commented Feb 14, 2023

Created a PR for this.

abeluck added a commit to abeluck/terraform-aws-cloudfront-s3-cdn that referenced this issue Aug 11, 2023
@abeluck
bugfix deprecate deployment_principal_arns (cloudposse#257)
ba0f445 
This patch refactors the passing of deployment principals, such that it
uses static/known map keys. This allows this module to be applied at the
same time as the deployment principal (e.g., an iam user) is is
deployed.

Hashicorp recommends storing only known values in map keys, and leaving
all dynamic/unknown values in the map values
([source0](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#limitations-on-values-used-in-for_each),
[source1](hashicorp/terraform#30838 (comment))).
abeluck added a commit to abeluck/terraform-aws-cloudfront-s3-cdn that referenced this issue Aug 11, 2023
@abeluck
bugfix deprecate deployment_principal_arns (cloudposse#257)
ac8c6ee 
This patch refactors the passing of deployment principals, such that it
uses static/known map keys. This allows this module to be applied at the
same time as the deployment principal (e.g., an iam user) is is
deployed.

Hashicorp recommends storing only known values in map keys, and leaving
all dynamic/unknown values in the map values
([source0](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#limitations-on-values-used-in-for_each),
[source1](hashicorp/terraform#30838 (comment))).
abeluck added a commit to abeluck/terraform-aws-cloudfront-s3-cdn that referenced this issue Aug 11, 2023
@abeluck
fix: Deprecate deployment_principal_arns (cloudposse#257)
7189837 
This patch refactors the passing of deployment principals, such that it
uses static/known map keys. This allows this module to be applied in the
same terraform run that the deployment principal (e.g., an iam user) is
applied.

Hashicorp recommends storing only known values in map keys, and leaving
all dynamic/unknown values in the map values
([source0](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#limitations-on-values-used-in-for_each),
[source1](hashicorp/terraform#30838 (comment))).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug 🐛 An issue with the system
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

bugfix deprecate deployment_principal_arns (#257) abeluck/terraform-aws-cloudfront-s3-cdn
1 participant
@abeluck