Terraform 1.3.7 fails to destroy due dynamic variables output #32576

Closed
murakest opened this issue Jan 25, 2023 · 8 comments

murakest commented Jan 25, 2023

Terraform Version

Terraform v1.3.7
on linux_amd64

Terraform Configuration Files

Keyvault module output

locals {
  secret_map = {
    for item in keys(var.secrets[0]) :
    item => var.secrets[0][item].result
  }
}

data "azurerm_key_vault" "keyvault" {
  name                = var.keyvault_name
  resource_group_name = var.resource_group_name
}

resource "azurerm_key_vault_secret" "secret" {
  for_each     = local.secret_map
  name         = each.key
  value        = each.value
  key_vault_id = data.azurerm_key_vault.keyvault.id
  tags         = var.key_tags
}

output "keyvault_secrets" {
  value       = azurerm_key_vault_secret.secret[*]
  description = "Outputs all objects for further processing"
}

Main terraform file part code

terraform {
  backend "azurerm" {}

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.40.0"
    }

    vcd = {
      source  = "vmware/vcd"
      version = "3.6.0"
    }

    fortios = {
      source  = "fortinetdev/fortios"
      version = "~> 1.14.1"
    }

    random = {
      source = "hashicorp/random"
    }

    local = {
      source = "hashicorp/local"
    }
  }
}

provider "azurerm" {
  alias                      = "keyvault"
  subscription_id            = var.keyvault_subscription_id
  client_id                  = var.keyvault_client_id
  client_secret              = var.keyvault_client_secret
  tenant_id                  = var.keyvault_tenant_id
  skip_provider_registration = true
  features {
    key_vault {
      purge_soft_deleted_secrets_on_destroy = true
      recover_soft_deleted_secrets          = true
    }
  }
}

# omitted code

module "vapp-tier1-vm-win" {
  source                       = "path to vm module"
  count                        = length(var.tier1_vm_win_count) > 0 ? 1 : 0
  org_name                     = var.org_name
  vdc_name                     = var.vdc_name
  vapp_name                    = module.vapp.vapp_name
  vm_network_name              = module.vapp-tier1-network[0].network_name
  client_name                  = var.client_name
  application                  = var.application
  tags                         = var.metadata
  enviroment                   = var.env_short
  os_type                      = "win"
  location                     = var.location
  vm_count                     = var.tier1_vm_win_count
  catalog_name                 = var.catalog_name
  template_name                = var.template_win_name
  customization_enabled        = true
  allow_local_admin_password   = false
  customization_admin_password = "" # ""
  change_sid                   = true
  join_domain                  = var.join_domain
  override_template_disk       = var.tier1_override_win_template_disk
  boot_disk_size_in_mb         = var.tier1_vm_win_boot_disk_size
  boot_disk_bus_type           = "sas"
  data_disk_sizes_in_mb        = var.tier1_vm_win_data_disk_sizes
  storage_profile              = var.tier1_vm_storage_profile
  depends_on = [
    module.vapp-tier1-network, module.vapp-tier2-network, module.vapp-tier3-network,
    module.vapp,
    module.vapp_fo_org_network, module.vapp_mo_org_network, module.vapp_bo_org_network,
    module.vapp-tier1-vm-linux
  ]
}

resource "random_password" "tier1_win_password" {
  for_each         = toset(keys(local.vapp-tier1-vm-win))
  length           = 16
  special          = true
  override_special = "~!@#$%^&*_-+=.?"
  min_special      = 1
  lower            = true
  min_lower        = 1
  numeric          = true
  min_numeric      = 1
  upper            = true
  min_upper        = 1
}

# omitted code

module "tier1_win_keyvault_secrets" {
  source = "path to keyvault module"
  providers = {
    azurerm = azurerm.keyvault
  }
  count               = length(var.tier1_vm_win_count) > 0 ? 1 : 0
  secrets             = random_password.tier1_win_password[*]
  keyvault_name       = var.keyvault_name
  resource_group_name = var.keyvault_resource_group_name
  depends_on          = [random_password.tier1_win_password]
}

# omitted code

locals {
  # omitted code
  vapp-tier1-vm-win = length(var.tier1_vm_win_count) > 0 ? module.vapp-tier1-vm-win[0].vm[0] : {}

  tier1_win_secrets = length(var.tier1_vm_win_count) > 0 ? {
    for item in keys(module.tier1_win_keyvault_secrets[0].keyvault_secrets[0]) :
    item => module.tier1_win_keyvault_secrets[0].keyvault_secrets[0][item].value
  } : {}
}

Debug Output

destroy_debug_trace.zip

Expected Behavior

Terraform successfully destroys the existing infrastructure.

Actual Behavior

Terraform complains about a missing index.
The output object exists in the Terraform state file and the module returns an index, not an empty one.
Terraform successfully destroys infrastructure after apply, but on destroy I get an error.

2023-01-25T09:44:01.0060900Z Error: Invalid index
2023-01-25T09:44:01.0061348Z 
2023-01-25T09:44:01.0062206Z   on main.tf line 565, in locals:
2023-01-25T09:44:01.0063291Z  565:     for item in keys(module.tier1_win_keyvault_secrets[0].keyvault_secrets[0]) :
2023-01-25T09:44:01.0064849Z     ├────────────────
2023-01-25T09:44:01.0066406Z     │ module.tier1_win_keyvault_secrets is empty tuple
2023-01-25T09:44:01.0066961Z 
2023-01-25T09:44:01.0067928Z The given key does not identify an element in this collection value: the
2023-01-25T09:44:01.0068933Z collection has no elements.

Version 1.2.9 works fine.

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. terraform destroy

Additional Context

No response

References

No response


jbardin commented Jan 25, 2023

Hi @murakest,

Thanks for filing the issue. In order to proceed here we're going to need more information about the configuration and how it failed. If a minimal reproduction case is not possible, can you start with the TF_LOG_CORE=trace output in a gist showing the failure, and a more complete example of the root module?

Thanks!

murakest commented

Hi @jbardin, I have attached the trace log with sensitive information removed and updated the main code part. I hope this will help to identify the issue we are facing with the newest Terraform version.


jbardin commented Jan 26, 2023

Thanks @murakest,

The configuration still isn't complete enough to determine exactly what is going on, but coincidentally I had another reproducible issue in the same area! I think #32583 is going to take care of your problem as well, since I can replicate the same error condition which will be resolved.

murakest commented

Should version 1.3.8 have this fixed? Or do we need to wait longer before testing?


jbardin commented Jan 27, 2023

I think the linked PR is very likely going to resolve this issue (if you want to build from the v1.3 branch you can verify for yourself). Without a complete reproduction however I'm not certain, so I was waiting for confirmation after release.


murakest commented Feb 1, 2023

I have built from the v1.3 branch and the destroy still failed.

Terraform v1.3.8-dev
on linux_amd64

commit 21024a4aca5f9d294fea857c1db7ce16543d544c (HEAD -> v1.3, origin/v1.3)

 Error: Invalid index
 
   on main.tf line 565, in locals:
  565:     for item in keys(module.tier1_win_keyvault_secrets[0].keyvault_secrets[0]) :
     ├────────────────
     │ module.tier1_win_keyvault_secrets is empty tuple
 
 The given key does not identify an element in this collection value: the
 collection has no elements.


murakest commented Feb 1, 2023

I have solved the issue. It seems it was a manual dependency from a resource that affected the destroy part. Now everything is working fine with version 1.3.7.

murakest closed this as completed Feb 1, 2023