count logic does not work, bug or docs issue?

[flypenguin]

Terraform Version

Terraform v0.11.7
+ provider.aws v1.17.0

Terraform Configuration Files

Attached as ZIP file. The relevant files are:

• team-groups-policies.tf
• helpers/group-role-with-policies/main.tf

The most relevant parts are:

# "main" tf file
module "team_ci_group" {
  source = "helpers/group-role-with-policies"

  create_group = 1
  team         = "team"
  name         = "ci"

  policies = [
    "arn:aws:iam::aws:policy/AWSBatchFullAccess",
    "${aws_iam_policy.gen_get_ecr_token.arn}",
  ]
}

... and ...

# module
resource "aws_iam_group" "group" {
  count = "${var.create_group}"
  name  = "${var.prefix}-${var.team}-${var.name}"
  path  = "/groups/${var.team}/"
}

resource "aws_iam_group_policy_attachment" "group_policy" {
  count = "${length(var.policies) * var.create_group }"

  group      = "${aws_iam_group.group.name}"
  policy_arn = "${element(var.policies, count.index)}"
}

Debug Output

In ZIP archive, a file called "TRACE"

Crash Output

No crash.

Expected Behavior

It should have created a group with two policy attachments.

Actual Behavior

Error message: * [...]: value of 'count' cannot be computed

Steps to Reproduce

• Unzip
• terraform init
• terraform plan

Additional Context

N/A

References

N/A

[flypenguin]

by the way, I am using the exact same code in an existing larger TF folder, and it works.

Well, sometimes.

That works

module "language_batch" {
  source = "helpers/group-role-with-policies"

  create_role = 1
  team        = "language"
  name        = "batch"

  policies = [
    #"${aws_iam_policy.language_batch_evaluation.arn}",
    "1234",
  ]

  assume_role_policy = "${data.aws_iam_policy_document.gen_assume_role_default.json}"
}

That does not

module "language_batch" {
  source = "helpers/group-role-with-policies"

  create_role = 1
  team        = "language"
  name        = "batch"

  # THIS CHANGED ....
  policies = [
    "${aws_iam_policy.language_batch_evaluation.arn}",
    #"1234",
  ]

  assume_role_policy = "${data.aws_iam_policy_document.gen_assume_role_default.json}"
}

final remark

It is not the policy definition. Cause if I remove the "language_batch" defintion from the file, the TF would create the policy just fine.

I am seriously confused and pretty annoyed, cause this super-weird and completely intransparent behavior cost me at least 2 hours, in which I could have reorganized our IAM permissions, etc.

[jbardin]

Hi @flypenguin,

Sorry this is causing you trouble. The count issue here can be somewhat hard to decipher if you don't know what's going on.

The value for count needs to be known at apply time in order to determine the full list of dependencies. While in this case the the value is actually statically known (the list has a known number of elements), because the value at index 0 is not known, the value of the list is also considered unknown (or to be "computed" later). If this is the case when count needs to be resolved, you get the resulting value of 'count' cannot be computed error.

This is a known shortcoming of the current HCL libraries, which we intend to handle in the next major release. We're tracking this in a number of open issues already, with #16712 being the most similar.

[flypenguin]

edit I guess I understand now if I read #16712 ... that is so weird.

I hope this is being fixed soon. it makes terraform so unpredictable.

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.