count logic does not work, bug or docs issue?
flypenguin opened this issue · comments
Terraform Version
Terraform v0.11.7
+ provider.aws v1.17.0
Terraform Configuration Files
Attached as ZIP file. The relevant files are:
team-groups-policies.tf
helpers/group-role-with-policies/main.tf
The most relevant parts are:
# "main" tf file
module "team_ci_group" {
  source = "helpers/group-role-with-policies"
  create_group = 1
  team = "team"
  name = "ci"
  policies = [
    "arn:aws:iam::aws:policy/AWSBatchFullAccess",
    "${aws_iam_policy.gen_get_ecr_token.arn}",
  ]
}
... and ...
# module
resource "aws_iam_group" "group" {
  count = "${var.create_group}"
  name = "${var.prefix}-${var.team}-${var.name}"
  path = "/groups/${var.team}/"
}

resource "aws_iam_group_policy_attachment" "group_policy" {
  count = "${length(var.policies) * var.create_group }"
  group = "${aws_iam_group.group.name}"
  policy_arn = "${element(var.policies, count.index)}"
}
Debug Output
In ZIP archive, a file called "TRACE"
Crash Output
No crash.
Expected Behavior
It should have created a group with two policy attachments.
Actual Behavior
Error message: * [...]: value of 'count' cannot be computed
Steps to Reproduce
- Unzip
- terraform init
- terraform plan
Additional Context
N/A
References
N/A
By the way, I am using the exact same code in an existing larger TF folder, and it works.
Well, sometimes.
That works
module "language_batch" {
  source = "helpers/group-role-with-policies"
  create_role = 1
  team = "language"
  name = "batch"
  policies = [
    #"${aws_iam_policy.language_batch_evaluation.arn}",
    "1234",
  ]
  assume_role_policy = "${data.aws_iam_policy_document.gen_assume_role_default.json}"
}
That does not
module "language_batch" {
  source = "helpers/group-role-with-policies"
  create_role = 1
  team = "language"
  name = "batch"
  # THIS CHANGED ....
  policies = [
    "${aws_iam_policy.language_batch_evaluation.arn}",
    #"1234",
  ]
  assume_role_policy = "${data.aws_iam_policy_document.gen_assume_role_default.json}"
}
final remark
It is not the policy definition. Cause if I remove the "language_batch" definition from the file, the TF would create the policy just fine.
I am seriously confused and pretty annoyed, cause this super-weird and completely intransparent behavior cost me at least 2 hours, in which I could have reorganized our IAM permissions, etc.
Hi @flypenguin,
Sorry this is causing you trouble. The count issue here can be somewhat hard to decipher if you don't know what's going on.
The value for count needs to be known at apply time in order to determine the full list of dependencies. While in this case the value is actually statically known (the list has a known number of elements), because the value at index 0 is not known, the value of the list is also considered unknown (or to be "computed" later). If this is the case when count needs to be resolved, you get the resulting "value of 'count' cannot be computed" error.
This is a known shortcoming of the current HCL libraries, which we intend to handle in the next major release. We're tracking this in a number of open issues already, with #16712 being the most similar.
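A common Terraform 0.11 workaround for the behaviour described in the comment above, shown as an added example that is not code from the issue or from the Terraform project: pass the number of policies as a separate literal so that count never depends on the contents of the list. The variable name policy_count is hypothetical; everything else is taken from the reporter's module.

```hcl
# --- helpers/group-role-with-policies/main.tf (module side) ---

variable "policies" {
  type = "list"
}

# Hypothetical extra input: how many entries var.policies holds.
# The caller supplies it as a literal, so it is known at plan time
# even when the ARNs inside the list are still "computed".
variable "policy_count" {}

resource "aws_iam_group_policy_attachment" "group_policy" {
  # Before: count = "${length(var.policies) * var.create_group }"
  # length() of a list with a computed element is itself computed.
  # After: only literals feed into count.
  count      = "${var.policy_count * var.create_group}"
  group      = "${aws_iam_group.group.name}"
  policy_arn = "${element(var.policies, count.index)}"
}

# --- team-groups-policies.tf (caller side) ---

module "team_ci_group" {
  source       = "helpers/group-role-with-policies"
  create_group = 1
  team         = "team"
  name         = "ci"

  policies = [
    "arn:aws:iam::aws:policy/AWSBatchFullAccess",
    "${aws_iam_policy.gen_get_ecr_token.arn}",
  ]

  # Must be kept in sync with the list above by hand.
  policy_count = 2
}
```

Because element() wraps around the end of the list, a policy_count larger than the list repeats attachments, and a smaller one silently leaves the trailing policies unattached, so review both values together whenever IAM permissions change.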
Edit: I guess I understand now if I read #16712 ... that is so weird.
I hope this is being fixed soon. It makes Terraform so unpredictable.