Closed
Description
I want to provision a new ecs cluster with services and secrets, but it's impossible to do this in a single apply.
- ✋ I have searched the open/closed issues and my issue is not listed.
Versions
- Module version [Required]: 5.12.0
- Terraform version: "1.10.5"
- Provider version(s): "5.88.0"
Reproduction Code [Required]
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.88.0"
    }
  }
  required_version = "1.10.5"
}

provider "aws" {
  region = "us-east-2"
}

locals {
  container_name = "api"
  container_port = 8080
}

data "aws_availability_zones" "available" {}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.19.0"

  name            = "vpc"
  cidr            = "10.0.0.0/16"
  azs             = data.aws_availability_zones.available.names
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
}

resource "aws_secretsmanager_secret" "secret" {
  name = "secret"
}

module "ecs" {
  source  = "terraform-aws-modules/ecs/aws"
  version = "5.12.0"

  cluster_name = "ecs"

  services = {
    api = {
      cpu        = 1024
      memory     = 2048
      subnet_ids = module.vpc.private_subnets

      container_definitions = {
        (local.container_name) = {
          image = "9320392032.dkr.ecr.us-east-2.amazonaws.com/hello"
          port_mappings = [
            {
              name          = local.container_name
              containerPort = local.container_port
              hostPort      = local.container_port
              protocol      = "tcp"
            }
          ]
          secrets = [
            {
              name      = "SECRET"
              valueFrom = aws_secretsmanager_secret.secret.arn
            }
          ]
          task_exec_secret_arns = [
            aws_secretsmanager_secret.secret.arn
          ]
        }
      }
    }
  }
}
```
Steps to reproduce the behavior:

```shell
terraform init
terraform apply
```

Expected behavior

An ECS service is created with secrets.

Actual behavior
```
│ Error: Invalid for_each argument
│
│   on .terraform/modules/ecs/modules/service/main.tf line 531, in module "container_definition":
│  531:   for_each = { for k, v in var.container_definitions : k => v if local.create_task_definition && try(v.create, true) }
│     ├────────────────
│     │ local.create_task_definition is true
│     │ var.container_definitions will be known only after apply
│
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until
│ apply, and so Terraform cannot determine the full set of keys that will identify the instances of
│ this resource.
│
│ When working with unknown values in for_each, it's better to define the map keys statically in
│ your configuration and place apply-time results only in the map values.
│
│ Alternatively, you could use the -target planning option to first apply only the resources that
│ the for_each value depends on, and then apply a second time to fully converge.
```
Terminal Output Screenshot(s)
Additional context
By looking at main.tf I see that some variable definitions use lookup and some use try. E.g. load_balancer is also not known at plan time, but because it is defined as:

```hcl
load_balancer = lookup(each.value, "load_balancer", {})
```

the resource can be created. For other derived keys with try it is impossible. What's the recommended workaround in this case?
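To make the rule from the error message concrete (keys of a `for_each` map must be known at plan time, values may be apply-time results), here is a small added configuration that is not part of this issue or of the terraform-aws-modules project. It uses only the built-in `terraform_data` resource, so it plans offline with no provider or credentials; the secret ARN string and the `local.container_name` value are constructed placeholders, and `timestamp()` simply stands in for any attribute that is unknown until apply, the way `aws_secretsmanager_secret.secret.arn` is in the report above.

```hcl
# Added illustration of the for_each rule from the error message; not code
# from the issue or from the ecs module. Needs Terraform >= 1.4 (terraform_data).

terraform {
  required_version = ">= 1.4"
}

# Stand-in for a resource whose attribute is only known after apply, like
# aws_secretsmanager_secret.secret.arn in the issue. timestamp() is unknown
# during plan, so terraform_data.secret.output is unknown too.
# The ARN below is a constructed placeholder, not a real secret.
resource "terraform_data" "secret" {
  input = "arn:aws:secretsmanager:us-east-2:000000000000:secret:example-${timestamp()}"
}

locals {
  container_name = "api" # placeholder, mirrors the issue's local
}

# OK: the map key is a static string known at plan time; the apply-time ARN
# sits only in the map value, which for_each permits to be unknown.
resource "terraform_data" "container_static_keys" {
  for_each = {
    (local.container_name) = {
      secrets = [{ name = "SECRET", valueFrom = terraform_data.secret.output }]
    }
  }
  input = each.value
}

# NOT OK (kept commented so this file still plans): the key itself is derived
# from the unknown attribute, which reproduces "Invalid for_each argument".
# resource "terraform_data" "container_unknown_keys" {
#   for_each = { (terraform_data.secret.output) = "api" }
#   input    = each.value
# }

# Two-step sequencing the error message itself suggests, for the case where the
# keys cannot be made static in your configuration:
#   terraform apply -target=terraform_data.secret
#   terraform apply
# In the issue's configuration the first target would be
# aws_secretsmanager_secret.secret.
```

Running `terraform plan` on this file succeeds; un-commenting the second resource reproduces the error class shown in the issue. The `-target` sequence is only needed for the first bootstrap apply, since after that the secret's ARN is in state and known at plan time; note that in both variants only the ARN, never the secret value, flows into the task definition, so the plan output does not expose the secret.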
