Develop Reference

Terraform key does not identify an element in this collection

I'm following a terraform tutorial on using variables in AWS.
It defines AMI variables like:
variable "amis" {
type = "map"
default = {
"us-east-1" = "ami-b374d5a5"
"us-west-2" = "ami-fc0b939c"
}
}
And then assigns the AMI variable like this:
resource "aws_instance" "example" {
ami = var.amis[var.region]
instance_type = "t2.micro"
}
If I try the example that way I get an error:
Error: Invalid index
on main.tf line 17, in resource "aws_instance" "example":
17: ami = var.amis[var.region]
The given key does not identify an element in this collection value: string
required.
However I can set the variable by hard coding it:
var.amis["us-west-2"] # <-- this works
What can I do to set the variable correctly with ami = var.amis[var.region] ?

you need to define variable var.region or you can pass the value to variable during plan / apply as terraform plan -var 'region=us-west-2' and terraform apply -var 'region=us-west-2'

Unable to create azurerm_cosmosdb_sql_container with indexing_policy block

According to the documentation on Terraform.io for azurerm_cosmosdb_sql_container, it says I can include an indexing_policy block. However, when I run terraform plan I get errors:
Error: Unsupported block type
on main.tf line 912, in resource "azurerm_cosmosdb_sql_container"
"AccountActivity": 912: indexing_policy {
Blocks of type "indexing_policy" are not expected here.
main.tf
resource "azurerm_cosmosdb_sql_container" "AccountActivity" {
name = "AccountActivity"
resource_group_name = azurerm_resource_group.backendResourceGroup.name
account_name = azurerm_cosmosdb_account.AzureCosmosAccount.name
database_name = azurerm_cosmosdb_sql_database.AzureCosmosDbCache.name
default_ttl = 2592000
throughput = 2500
indexing_policy {
indexing_mode = "Consistent"
included_path {
path = "/*"
}
excluded_path {
path = "/\"_etag\"/?"
}
}
}
Here is my terraform version output:
terraform version
Terraform v0.13.4
+ provider registry.terraform.io/-/azurerm v2.30.0
+ provider registry.terraform.io/hashicorp/azurerm v2.20.0
+ provider registry.terraform.io/hashicorp/random v2.3.0

After searching GitHub, I finally found that support for the indexing_policy block was added in this commit 26 days ago. The documentation doesn't mention this, nor does the release notes for azurerm v2.31.1. After updating my main.tf file with the latest version for azurerm and running terraform init the terraform plan command worked without issue.
provider "azurerm" {
version = "~>2.31.1"
features {}
}

Terraform 0.13 - Modules, for_each and providers

UPDATED
I am trying to provision multiple SQL databases in Azure using Terraform.
My child module has the following code that provisions a SQL database:
providers.tf
// default provider
provider "azurerm" {
alias = "main"
features {}
}
// The provider that can access the storage account to store diagnostics
provider "azurerm" {
alias = "storage_account"
features {}
}
sql_db.tf
resource "azurerm_mssql_database" "default" {
name = var.name
base_name = var.base_name
...
tags = var.tags
provider = azurerm.main
}
data.tf
data "azurerm_storage_account" "storage" {
name = var.storage_account_name
resource_group_name = var.storage_account_rg
provider = azurerm.storage_account
}
I am calling this module in my main.tf file as follows where I want to provision multiple SQL databases using a for_each:
module "sql_db" {
for_each = var.sql_db
source = "...../sql_db.git"
base_name = each.value.base_name
name = each.value.name
providers = {
azurerm.main = azurerm.main
azurerm.storage_account = azurerm.storage_account
}
}
provider "azurerm" {
features {}
version = "=2.20.0"
}
// default provider
provider "azurerm" {
alias = "main"
features {}
}
provider "azurerm" {
alias = "storage_account"
features {}
}
When I run plan, I get the following error:
Error: Module does not support for_each
on main.tf line 35, in module "sql_db":
35: for_each = var.sql_db
Module "sql_db" cannot be used with for_each because it contains a nested
provider configuration for "azurerm.main", at
.terraform\modules\sql_db\providers.tf:2,10-19.
This module can be made compatible with for_each by changing it to receive all
of its provider configurations from the calling module, by using the
"providers" argument in the calling module block.
Error: Module does not support for_each
on main.tf line 35, in module "sql_db":
35: for_each = var.sql_db
Module "sql_db" cannot be used with for_each because it contains a nested
provider configuration for "azurerm.storage_account", at
.terraform\modules\sql_db\providers.tf:8,10-19.
This module can be made compatible with for_each by changing it to receive all
of its provider configurations from the calling module, by using the
"providers" argument in the calling module block.

The simple answer is, it's not supported. From the Terraform documentation:
A module containing its own provider configurations is not compatible with the for_each, count, and depends_on arguments that were introduced in Terraform v0.13.
HashiCorp has been absolutely adamant that providers can never be declared dynamically, which is why they allow neither a for_each/count within a provider block, nor a for_each/count on a module that contains a provider block.

Switch terraform 0.12.6 to 0.13.0 gives me provider["registry.terraform.io/-/null"] is required, but it has been removed

I manage state in remote terraform-cloud
I have downloaded and installed the latest terraform 0.13 CLI
Then I removed the .terraform.
Then I ran terraform init and got no error
then I did
➜ terraform apply -var-file env.auto.tfvars
Error: Provider configuration not present
To work with
module.kubernetes.module.eks-cluster.data.null_data_source.node_groups[0] its
original provider configuration at provider["registry.terraform.io/-/null"] is
required, but it has been removed. This occurs when a provider configuration
is removed while objects created by that provider still exist in the state.
Re-add the provider configuration to destroy
module.kubernetes.module.eks-cluster.data.null_data_source.node_groups[0],
after which you can remove the provider configuration again.
Releasing state lock. This may take a few moments...
This is the content of the module/kubernetes/main.tf
###################################################################################
# EKS CLUSTER #
# #
# This module contains configuration for EKS cluster running various applications #
###################################################################################
module "eks_label" {
source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=master"
namespace = var.project
environment = var.environment
attributes = [var.component]
name = "eks"
}
#
# Local computed variables
#
locals {
names = {
secretmanage_policy = "secretmanager-${var.environment}-policy"
}
}
data "aws_eks_cluster" "cluster" {
name = module.eks-cluster.cluster_id
}
data "aws_eks_cluster_auth" "cluster" {
name = module.eks-cluster.cluster_id
}
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
token = data.aws_eks_cluster_auth.cluster.token
load_config_file = false
version = "~> 1.9"
}
module "eks-cluster" {
source = "terraform-aws-modules/eks/aws"
cluster_name = module.eks_label.id
cluster_version = var.cluster_version
subnets = var.subnets
vpc_id = var.vpc_id
worker_groups = [
{
instance_type = var.cluster_node_type
asg_max_size = var.cluster_node_count
}
]
tags = var.tags
}
# Grant secretmanager access to all pods inside kubernetes cluster
# TODO:
# Adjust implementation so that the policy is template based and we only allow
# kubernetes access to a single key based on the environment.
# we should export key from modules/secrets and then grant only specific ARN access
# so that only production cluster is able to read production secrets but not dev or staging
# https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html#permissions_grant-get-secret-value-to-one-secret
resource "aws_iam_policy" "secretmanager-policy" {
name = local.names.secretmanage_policy
description = "allow to read secretmanager secrets ${var.environment}"
policy = file("modules/kubernetes/policies/secretmanager.json")
}
#
# Attache the policy to k8s worker role
#
resource "aws_iam_role_policy_attachment" "attach" {
role = module.eks-cluster.worker_iam_role_name
policy_arn = aws_iam_policy.secretmanager-policy.arn
}
#
# Attache the S3 Policy to Workers
# So we can use aws commands inside pods easily if/when needed
#
resource "aws_iam_role_policy_attachment" "attach-s3" {
role = module.eks-cluster.worker_iam_role_name
policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

All credits for this fix go to the one mentioning this on the cloudposse slack channel:
terraform state replace-provider -auto-approve -- -/null registry.terraform.io/hashicorp/null
This fixed my issue with this error, on to the next error. All to upgrade a version on terraform.

For us we updated all the provider URLs which we were using in the code like below:
terraform state replace-provider 'registry.terraform.io/-/null' \
'registry.terraform.io/hashicorp/null'
terraform state replace-provider 'registry.terraform.io/-/archive' \
'registry.terraform.io/hashicorp/archive'
terraform state replace-provider 'registry.terraform.io/-/aws' \
'registry.terraform.io/hashicorp/aws'
I would like to be very specific with replacement so I used the broken URL while replacing the new one.
To be more specific this is only with terraform 13
https://www.terraform.io/docs/providers/index.html#providers-in-the-terraform-registry

This error arises when there’s an object in the latest Terraform state that is no longer in the configuration but Terraform can’t destroy it (as would normally be expected) because the provider configuration for doing so also isn’t present.
Solution:
This should arise only if you’ve recently removed object
"data.null_data_source" along with the provider "null" block. To
proceed with this you’ll need to temporarily restore that provider "null" block, run terraform apply to have Terraform destroy object data "null_data_source", and then you can remove the provider "null"
block because it’ll no longer be needed.

terraform.tfvars file: why variable block is required

I have created the following terraform.tfvars file:
ec2_image = "ami-00035f41c82244dab"
ec2_instance_type = "t2.micro"
And use it as follows in a main.tf file:
resource "aws_instance" "OneServer" {
ami = "${var.ec2_image}"
instance_type = "${var.ec2_instance_type}"
}
Then I execute the 'terraform plan' command and it complains with:
Error: resource 'aws_instance.OneServer' config: unknown variable
referenced: 'ec2_image'; define it with a 'variable' block
So I changed the main.tf file as follows:
variable "ec2_image" {}
variable "ec2_instance_type" {}
resource "aws_instance" "OneServer" {
ami = "${var.ec2_image}"
instance_type = "${var.ec2_instance_type}"
}
Then the command 'terraform plan' works OK.
I don't understand why these variable blocks are required. What's the point for it?

Are you actually using the -var-file command-line switch?
For example, I don't use that switch - I just define my overridable variables in a random tf file (named in my case variable.tf). If the -var-file switch is not used, that means the variable block is required to tell Terraform when a variable is being defined.