Can't iterate over certificate_validation_records attributes of aws_apprunner_custom_domain_association resource

[vmignot]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.3.0

Affected Resource(s)

• aws_apprunner_custom_domain_association

Terraform Configuration Files

resource "aws_apprunner_custom_domain_association" "main" {
  domain_name          = "${local.domain_name}.${data.aws_route53_zone.main.name}"
  service_arn          = aws_apprunner_service.main.arn
  enable_www_subdomain = true
}

resource "aws_route53_record" "main-www" {
  name           = local.domain_name
  set_identifier = local.domain_name

  type    = "CNAME"
  zone_id = data.aws_route53_zone.main.zone_id
  ttl     = 300
  records = [aws_apprunner_service.main.service_url]

  weighted_routing_policy {
    weight = 90
  }
}

resource "aws_route53_record" "main-cert" {
  for_each = {
    for entry in aws_apprunner_custom_domain_association.main.certificate_validation_records : entry.name => {
      name   = entry.name
      record = entry.value
      type   = entry.type
    }
  }

  allow_overwrite = true
  zone_id         = data.aws_route53_zone.main.zone_id
  type            = each.value.type
  ttl             = 300
  name            = each.key
  records         = [each.value.record]
}

Expected Behavior

The resource aws_route53_record.main-cert should be created properly. We should be able to iterate through aws_apprunner_custom_domain_association.main.certificate_validation_records dynamically.

Actual Behavior

│ Error: Invalid for_each argument
│ 
│   on modules/app_runner/main.tf line 94, in resource "aws_route53_record" "main-cert":
│   94:   for_each = {
│   95:     for entry in aws_apprunner_custom_domain_association.main.certificate_validation_records : entry.name => {
│   96:       name   = entry.name
│   97:       record = entry.value
│   98:       type   = entry.type
│   99:     }
│  100:   }
│     ├────────────────
│     │ aws_apprunner_custom_domain_association.main.certificate_validation_records is a set of object, known only after apply
│ 
│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the
│ for_each depends on.

Steps to Reproduce

1. terraform apply

[justinretzolk]

Hey @vmignot 👋 Thank you for taking the time to raise this. Based on the error, a targeted apply may be needed in order to work around this due to the values not being known at plan time. This is mentioned as a limitation in the for_each documentation as well, with a note about the possible need for a targeted apply.

After a targeted apply, I suspect this would probably work (though I haven't set up a reproduction, and am not entirely familiar with the structure of this resource, so don't hold me to that). In case you need it, the documentation around targeting resources may be found here.

[vmignot]

Hi,
thanks for your reply.

To be maybe more precise, I can't figure why this resource can't work the way acm_certificate_validation works, as it is described here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation#dns-validation-with-route-53

Regards,

[justinretzolk]

Hey @vmignot 👋 Thank you for following up, and for pointing that out. Looking at the schema for these two resources, I'd think that a similar for_each approach could be used. Perhaps this is due to the aws_acm_certificate resource having Set: defined. I'm going to mark this as a bug so that we can look into it and determine whether this should be possible.

[jritsema]

I was able to reproduce this bug. In case it helps, I noticed that if you remove the aws_route53_record.main-cert resource then run apply, then re-add it, it works as expected.

[jritsema]

Perhaps this is due to the aws_acm_certificate resource having Set: defined.

I tried implementing Set locally and it still didn't work.

I also compared aws_acm_certificate.domain_validation_options with aws_apprunner_custom_domain_association.certificate_validation_records and the only other notable difference is that the one that works implements CustomizeDiffFunc, however, this implementation doesn't seem to do anything that would affect this behavior.

[jritsema]

We may have incorrectly assumed that the aws_acm_certificate.domain_validation_options works in a single apply. I believe I have gotten this to work in the past, however, it appears that it no longer works? see #14447

[anilmujagic]

Using the learnings from here I'm using this workaround:

resource "aws_route53_record" "api_certificate_validation" {
    count = length(aws_apprunner_custom_domain_association.api.certificate_validation_records)

    name = aws_apprunner_custom_domain_association.api.certificate_validation_records.*.name[count.index]
    type = aws_apprunner_custom_domain_association.api.certificate_validation_records.*.type[count.index]
    ttl = 300
    zone_id = data.aws_route53_zone.api.id

    records = [aws_apprunner_custom_domain_association.api.certificate_validation_records.*.value[count.index]]
}

[mwaaas]

@anilmujagic

That will still result on the same error

The "count" value depends on resource attributes that cannot be determined
│ until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only
│ the resources that the count depends on