Trouble with output from a module creating aws_iam_access_key

[kwach]

Hi there,

I have an issue with fixing a module that creates aws_iam_access_key and tries to output keys depending on whether gpg key was passed as an input or not.

Terraform Version

$ terraform version
Terraform v0.11.0
+ provider.aws v1.3.0

Terraform Configuration Files

variable "gpg_key" {
  default = "true"
} 

module "test" {
  source = "./modules/test_module"
  ami = "${data.aws_ami.ubuntu.id}"
  key = "${var.gpg_key ? file("./gpg.pub") : ""}"
} 
  
output "out" {
  value = "${module.test.out}"
} 

output "out_key" {
  value = "${module.test.key_id}"
}

output "out_key_finger" {
  value = "${module.test.key_finger}"
}

output "out_key_secret" {
  value = "${module.test.key_secret}"
}
  
output "out_key_encrypted_secret" {
  value = "${module.test.key_encrypted_secret}"
}

//

and a module:

resource "aws_iam_user" "u" {
  name = "delme"
  path = "/"

  count = 0
} 
  
resource "aws_iam_access_key" "k" {
  user = "${aws_iam_user.u.name}"
  pgp_key = "${var.key}"

  count = 0
} 

output "key_id" {
  value = "${element(concat( aws_iam_access_key.k.*.id, list("")), 0)}"
}

output "key_finger" {
  value = "${element(concat( aws_iam_access_key.k.*.key_fingerprint, list("")), 0)}"
}
output "key_secret" {
  value = "${element(concat( aws_iam_access_key.k.*.secret, list("")), 0)}"
} 
output "key_encrypted_secret" {
  value = "${element(concat( aws_iam_access_key.k.*.encrypted_secret, list("")), 0)}"
}

Expected Behavior

No error

Actual Behavior

Error: Error applying plan:

3 error(s) occurred:

* module.test.output.key_finger: Resource 'aws_iam_access_key.k' does not have attribute 'key_fingerprint' for variable 'aws_iam_access_key.k.*.key_fingerprint'
* module.test.output.key_id: Resource 'aws_iam_access_key.k' does not have attribute 'id' for variable 'aws_iam_access_key.k.*.id'
* module.test.output.key_secret: Resource 'aws_iam_access_key.k' does not have attribute 'secret' for variable 'aws_iam_access_key.k.*.secret'

Steps to Reproduce

Please list the full steps required to reproduce the issue, for example:

1. terraform init
2. terraform apply

Important Factoids

There is more to it.
When I change count=0 to count=1 the issue persists.
Error like this is displayed:

* module.test.output.key_secret: Resource 'aws_iam_access_key.k' does not have attribute 'secret' for variable 'aws_iam_access_key.k.*.secret'

It seems I can't find a way to make it working unless only one branch of if is evaluated.

Funnies thing is that with i.e. aws_instance I can make it work just OK. There are no properties I can't use the idiom on.

References

A bit related to:

• Output variable causes error about "Resource 'x' not found for variable 'y'" when resource ends up with count=0 #16681
• Interpolation should only evaluate one branch of a condition #15605

[apparentlymart]

Hi @kwach! Sorry for this weird behavior.

From reading the AWS provider code for the aws_iam_access_key resource, it seems like it selectively only populates the relevant attributes depending on the presence of pgp_key.

Terraform is, therefore, correctly reporting that there is no value assigned, but indeed that makes it impossible to write a conditional expression using these attributes. This will get resolved by #15605 once it's fixed, but perhaps in the mean time it could be mitigated by having that resource populate empty values for the unused attributes so that they can be resolved when not relevant. That would be a change to the AWS provider itself, which has its own repository, but a localized change there is probably easier to get done than the internal refactoring required for #15605.

[kwach]

Possibly related: hashicorp/terraform-provider-aws#2350

[apparentlymart]

Along with the change in #15605 that would cause the error to be hidden, handling of this should be smoother once we've finished integrating the new version of the configuration language since Terraform Core will have access to the resource schema so it will know that these attributes exist even if the provider doesn't actually set them, and so they will be treated as a null value instead of as the attribute missing altogether, and thus there will be no error at all.

The new configuration language integration is already in progress, but it'll take a few iterations before Terraform Core is totally aware of the new model and can make use of the schema in this particular location. The new language version will also be the fix for #15605, so this issue should be fixed (by allowing the use of the conditional operator to select the appropriate attribute) when either one of those changes is made.

[apparentlymart]

Hi @kwach!

I'm pleased to report that the various fixes I discussed here have now landed in master, ready for inclusion in the forthcoming v0.12.0 release. The conditional operator no longer reports errors in the unchosen result expression (#15605) and also any declared attribute that the provider doesn't populate with a value will now evaluate to null rather than producing an error. (It's still an error to access an attribute that isn't defined at all, though.)

Thanks for reporting this!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.