Error: Invalid for_each argument when Terraform knows exactly how many items in the list

[Kikimora]

Terraform Version

Terraform v1.1.2
on darwin_amd64

Your version of Terraform is out of date! The latest version
is 1.1.3. You can update by downloading from https://www.terraform.io/downloads.html

Terraform Configuration Files

# Root module
locals {
#Bunch of stuff omitted for brevity
  exchanges         = ["AAA"]
  members           = [
    { sso_role = "Developer", policies = [local._admin_policy, local._view_only], ssm_run_as = "exchange_developer" },
    { sso_role = "Admin", policies = [local._developer_policy, local._view_only], ssm_run_as = "exchange_admin" }
  ]
}

module "team" {
  source   = "./modules/app_role"
  for_each = {for em in setproduct(local.exchanges, local.members) : "${em[0]}_${em[1].sso_role}" => em}
  path     = "XYZ"
  app      = each.value[0]
  sso_role = each.value[1].sso_role
  policies = each.value[1].policies          #<!--- here I pass object which has known number of items at plan time
  tags     = {
    "SSMSessionRunAs" = each.value[1].ssm_run_as
    "XYZ_App"       = each.value[0]
  }
}

#Module app_role

resource "aws_iam_role_policy_attachment" "policies" {
  for_each   = toset(var.policies[*].arn)    # This line triggers errors.
  policy_arn = each.value
  role       = aws_iam_role.role.arn
}

Expected Behavior

It works since terraform knows how many resources will be created.

Actual Behavior

│ Error: Invalid for_each argument
│ 
│   on modules/app_role/main.tf line 36, in resource "aws_iam_role_policy_attachment" "policies":
│   36:   for_each   = toset(var.policies[*].arn)
│     ├────────────────
│     │ var.policies is list of object with 2 elements
│ 
│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the
│ resources that the for_each depends on.
╵

Note how Terraform cannot predict how many instances will be created right after var.policies is list of object with 2 elements. So terrafrom knows exactly how many objects will be created yet it fails to plan.

Steps to Reproduce

terraform plan

Additional Context

This is large configuration and it is hard to extract minimal set of resources that trigger this.

[jbardin]

Hi @Kikimora,

Sorry about the confusing error message here. The wording was taken from the count error and wasn't entirely clear. While it's true that terraform knows the number of instances it needs to create, it does not know the actual values of the for_each keys, and would have no way to address the individual instances without those values.

We recently updated this error to be a bit more descriptive in #30327

Thanks!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.