data.template_file.map_roles: value of 'count' cannot be computed

[opsline-radek]

I have issues

I created an IAM role and want to pass it to map_roles as a list of maps. This causes an error

* module.eks.data.template_file.map_roles: data.template_file.map_roles: value of 'count' cannot be computed

I'm submitting a...

• bug report
• feature request
• support request
• kudos, thank you, warm fuzzy

What is the current behavior?

I can only pass the list of maps to map_roles as documented in an example. Passing a list created in code does not work and causes an error.

If this is a bug, how to reproduce? Please include a code sample if relevant.

locals {
  cluster_name = "cluster1"

  worker_groups = [
    {
      asg_desired_capacity          = 4
      asg_max_size                  = 10 
      asg_min_size                  = 3
      instance_type                 = "m5.2xlarge"
      spot_price                    = "0.38"
      name                          = "cluster1_main"
      subnets                       = "${join(",", module.infra.private_subnets)}"
      root_volume_size              = 50
      root_volume_type              = "gp2"
    }
  ]
  worker_group_count = "${length(local.worker_groups)}"

  tags = {
    Environment = "test"
  }

  map_roles = [
    {
      role_arn = "${aws_iam_role.admins.arn}"
      username = "AdminsRole"
      group    = "system:masters"
    },
  ]
}

resource "aws_iam_role" "admins" {
  name_prefix = "eks-${local.cluster_name}-admins-"
  description = "eks-${local.cluster_name}-admins"
  path = "/"
  assume_role_policy = <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::...:root"},"Action":"sts:AssumeRole"}]}
EOF
}

module "eks" {
  source             = "../aws-eks"
  cluster_name       = "${local.cluster_name}"
  subnets            = "${module.infra.public_subnets}"
  tags               = "${local.tags}"
  vpc_id             = "${module.infra.vpc_id}"
  worker_groups      = "${local.worker_groups}"
  worker_group_count = "${local.worker_group_count}"
  map_roles          = "${local.map_roles}"

  kubeconfig_aws_authenticator_additional_args = ["-r", "${aws_iam_role.admins.arn}"]
}

What's the expected behavior?

I should be able to pass a list of map, not only using variables like in an example. Maybe count variables should be added like worker_group_count.

Are you able to fix this problem and submit a PR? Link here if you have already.

Environment details

• Affected module version: 1.6.0
• OS: MacOS
• Terraform version: v0.11.8

Any other relevant info

[max-rocket-internet]

Hey @opsline-radek
Yeah I'm aware of this issue. It's a really annoying Terraform quirk. I would call it a bug but it was intentional. I think they are going to fix it soon: hashicorp/terraform#12570

Adding count arguments is possible but such a crappy solution. Personally I just created the role first like terraform apply -target=aws_iam_role.admins and then then applied to the eks cluster. I know this is also a crappy workaround.

If you want to make a PR to add map_roles_count then go for it.

[max-rocket-internet]

I'm gonna close this now. Feel free to reopen if it's still an issue.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.