Terraform: Dynamic blocks with unknown for_each can fail MinItems validation

Created on 24 May 2019  ยท  3Comments  ยท  Source: hashicorp/terraform

Terraform Version

Terraform v0.12.0

Terraform Configuration Files

variable "inbound_vpc_subnets" {
  type = list(string)
}

resource "aws_route53_resolver_endpoint" "inbound_onprem_endpoint" {
  name      = lower(join("-", list(local.common_name_prefix, "inbound_onprem_endpoint")))
  direction = "INBOUND"

  security_group_ids = [
    aws_security_group.inbound_onprem_endpoint.id
  ]

  dynamic "ip_address" {
    for_each = var.inbound_vpc_subnets
    iterator = subnet_id
    content {
      subnet_id = subnet_id.value
    }
  }

  tags = merge(
    map("Name", lower(join("-", list(local.common_name_prefix, "inbound_onprem_endpoint")))),
    local.tags
  )
}

Expected Behavior

Pass validation and then create two ip_address blocks during planning.

Actual Behavior

Error: Insufficient ip_address blocks

  on  line 0:
  (source code not available)

At least 2 "ip_address" blocks are required.

Aside from the source location information apparently being missing from this error message, the bigger problem here is that it's failing validation.

Steps to Reproduce

Run terraform validate with two or more elements in inbound_vpc_subnets.

Additional Context

I suspect that this is because inbound_vpc_subnets is unknown during validation (as with all root input variables) and so Terraform Core can't predict how many ip_address blocks there will be. It represents that by sending over to the provider just one block with all of its attributes set to unknown, but probably the SDK isn't prepared to recognize that special representation and is treating it as a single concrete block and thus failing validation.

bug provider-sdk
Source
picture apparentlymart

Most helpful comment

The issue persists even with version 0.12.3, regardless how many fixes for #21555 are listed in the changelog. Any news when dynamic ip_address blocks for aws_route53_resolver_endpoint will finally work?

picture christianmeyer on 9 Jul 2019
👍2

All 3 comments

Since this issues is specifically about validation failure, I'm going to close this as part of #21443, since validation is no longer failing. The new proposed values for a dynamic block uses an unknown value for any configured fields, even if they are statically assigned, so #21443 will filter these blocks out of the initial validation altogether.

Once we merge #21555, there will be extra validation during plan that will verify the correct final number of elements, as well as all configured attributes.

jbardin picture jbardin on 3 Jun 2019

The issue persists even with version 0.12.3, regardless how many fixes for #21555 are listed in the changelog. Any news when dynamic ip_address blocks for aws_route53_resolver_endpoint will finally work?

christianmeyer picture christianmeyer on 9 Jul 2019
👍2

I'm going to lock this issue because it has been closed for _30 days_ โณ. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

hashibot[bot] picture hashibot[bot] on 24 Jul 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

cpoole picture cpoole  ยท  3Comments
franklinwise picture franklinwise  ยท  3Comments
carl-youngblood picture carl-youngblood  ยท  3Comments
rnowosielski picture rnowosielski  ยท  3Comments
jrnt30 picture jrnt30  ยท  3Comments