
can't provide secrets to service #260

Closed
1 task done
krhubert opened this issue Feb 28, 2025 · 3 comments

Description

I want to provision a new ecs cluster with services and secrets, but it's impossible to do this in a single apply.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 5.12.0
  • Terraform version: "1.10.5"
  • Provider version(s): "5.88.0"

Reproduction Code [Required]

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.88.0"
    }
  }

  required_version = "1.10.5"
}

provider "aws" {
  region = "us-east-2"
}

locals {
  container_name = "api"
  container_port = 8080
}

data "aws_availability_zones" "available" {}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.19.0"

  name            = "vpc"
  cidr            = "10.0.0.0/16"
  azs             = data.aws_availability_zones.available.names
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
}

resource "aws_secretsmanager_secret" "secret" {
  name = "secret"
}

module "ecs" {
  source  = "terraform-aws-modules/ecs/aws"
  version = "5.12.0"

  cluster_name = "ecs"

  services = {
    api = {
      cpu        = 1024
      memory     = 2048
      subnet_ids = module.vpc.private_subnets

      container_definitions = {
        (local.container_name) = {
          image = "9320392032.dkr.ecr.us-east-2.amazonaws.com/hello"
          port_mappings = [
            {
              name          = local.container_name
              containerPort = local.container_port
              hostPort      = local.container_port
              protocol      = "tcp"
            }
          ]

          secrets = [
            {
              name      = "SECRET"
              valueFrom = aws_secretsmanager_secret.secret.arn
            }
          ]
        }
      }

      # task_exec_secret_arns is an argument of the service, not of a
      # container definition; it lets the task execution role read the secret
      task_exec_secret_arns = [
        aws_secretsmanager_secret.secret.arn
      ]
    }
  }
}
Steps to reproduce the behavior:

terraform init
terraform apply

Expected behavior

An ecs service is created with secrets.

Actual behavior

│ Error: Invalid for_each argument
│
│   on .terraform/modules/ecs/modules/service/main.tf line 531, in module "container_definition":
│  531:   for_each = { for k, v in var.container_definitions : k => v if local.create_task_definition && try(v.create, true) }
│     ├────────────────
│     │ local.create_task_definition is true
│     │ var.container_definitions will be known only after apply
│
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until
│ apply, and so Terraform cannot determine the full set of keys that will identify the instances of
│ this resource.
│
│ When working with unknown values in for_each, it's better to define the map keys statically in
│ your configuration and place apply-time results only in the map values.
│
│ Alternatively, you could use the -target planning option to first apply only the resources that
│ the for_each value depends on, and then apply a second time to fully converge.


Additional context

By looking at main.tf I see that some variable definitions use lookup and some use try. E.g. load_balancer is also not known at plan time, but because it is defined as:

  load_balancer                      = lookup(each.value, "load_balancer", {})

the resource can be created. For other keys derived with try it is impossible. What's the recommended workaround in this case?


This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

@github-actions github-actions bot added the stale label Mar 31, 2025

This issue was automatically closed because it remained stale for 10 days.

@github-actions github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) Apr 11, 2025
@warp10-michelzanini

I have this exact same problem, any solutions?
