v0.11.0
Use `list(string)` for iam policy document @nitrocode (#23)
what
- Use `list(string)` for iam policy document
why
This module runs into the dreaded `for_each` error

```
│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform
│ cannot predict how many instances will be created. To work around this, use the -target argument to
│ first apply only the resources that the for_each depends on.
```

The way it is triggered is if the `var.aws_iam_policy_document` supplied contains a JSON document that requires another submodule to be applied.

This was seen in a teleport cluster component which provisioned

1. `teleport-backend` submodule which returns DynamoDB and S3 resource arns
2. Raw policy document json is constructed with the DynamoDB and S3 resource arns
3. `helm-release` module takes input of the policy document
4. `iam-policy` module takes statements from the policy document
5. `eks-iam-role` module takes input from iam-module and throws an error because (1) isn't applied

This fix was tested locally using a forked module of `terraform-aws-helm-release` which uses this feature branch
references
- https://github.com/cloudposse/terraform-aws-iam-policy
- https://github.com/cloudposse/terraform-aws-helm-release
- The list(string) method is used in the new version of the Security Group module to avoid this same situation
commands
```
# Use current tests where the iam policy doc is a string
terraform plan -var-file=fixtures.us-east-2.tfvars > stdout.string.plan 2>&1
# Modify test inputs where the iam policy doc is a list(string)
terraform plan -var-file=fixtures.us-east-2.tfvars > stdout.list.plan 2>&1
# no diff between
diff stdout.string.plan stdout.list.plan
```
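
The plan-time behaviour described under "why", reduced to a minimal configuration. This is an added example, not code from this module or from the PR. It assumes Terraform 1.4 or later for the built-in `terraform_data` resource, and every resource name, local name and the bucket ARN in it is hypothetical.

```hcl
# Stand-in for an upstream submodule (such as a backend that returns ARNs):
# its "id" attribute is not known until apply.
resource "terraform_data" "backend" {}

locals {
  # Raw policy JSON built from an apply-time value, so the whole string is
  # unknown during plan. The ARN is a constructed sample.
  policy_json = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::example-${terraform_data.backend.id}/*"
    }]
  })

  # string style: "is a policy supplied?" can only be answered by
  # inspecting the value itself, which is unknown at plan time.
  policy_as_string = local.policy_json

  # list(string) style: the element is unknown, but the list length (1)
  # is known at plan time because the brackets are literal.
  policy_as_list = [local.policy_json]
}

# Fails at plan with the "for_each value depends on resource attributes
# that cannot be determined until apply" error: the comparison against ""
# is unknown, so the set of instance keys is unknown.
resource "terraform_data" "from_string" {
  for_each = toset(local.policy_as_string == "" ? [] : ["policy"])
  input    = local.policy_as_string
}

# Plans cleanly: the keys come from list indexes, which are known even
# though each value is "known after apply".
resource "terraform_data" "from_list" {
  for_each = { for i, doc in local.policy_as_list : tostring(i) => doc }
  input    = each.value
}
```

Removing the `from_string` resource lets `terraform plan` succeed and shows one `from_list["0"]` instance whose input is reported as known after apply.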