Creating a new EKS cluster plan fails with error - cluster.tf line 94, in resource "aws_security_group_rule" "cluster_private_access_cidrs_source" #1573

Closed
nielsvz opened this issue Sep 6, 2021 · 4 comments

nielsvz commented Sep 6, 2021

Description

When creating a new EKS cluster, Terraform plan fails with the following error:

Error: Invalid for_each argument

  on .terraform/modules/mdt-eks.eks/cluster.tf line 94, in resource "aws_security_group_rule" "cluster_private_access_cidrs_source":
  94:   for_each    = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && var.cluster_endpoint_private_access_cidrs != null ? toset(var.cluster_endpoint_private_access_cidrs) : []
    │────────────────
    │ var.cluster_create_endpoint_private_access_sg_rule is true
    │ var.cluster_endpoint_private_access is true
    │ var.cluster_endpoint_private_access_cidrs is list of string with 1 element
    │ var.create_eks is true

Sensitive values, or values derived from sensitive values, cannot be used
as for_each arguments. If used, the sensitive value could be exposed as a
resource instance key.

Versions

  • Terraform: 1.0.3
  • Provider(s):
+ provider registry.terraform.io/gavinbunney/kubectl v1.11.3
+ provider registry.terraform.io/gitlabhq/gitlab v3.7.0
+ provider registry.terraform.io/hashicorp/aws v3.57.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.4.1
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/tls v3.1.0
+ provider registry.terraform.io/terraform-aws-modules/http v2.4.1
  • Module:
    eks v17.14.0

Reproduction

Steps to reproduce the behaviour:
Not using workspaces, tried creating a new EKS cluster without any existing state/cache

Expected behavior

terraform plan succeeds without errors as with the previous module version we were using (eks v17.8.0)

Actual behavior

terraform plan fails with the error indicated in the description

Additional context

Possibly related to #1549 and release v17.14.0

@daroga0002
Contributor

Could you paste the Terraform module config, especially how you are setting cluster_endpoint_private_access_cidrs?

@daroga0002
Contributor

I suspect the values are coming from another module that contains a sensitive output, which is causing this error.

@nielsvz, can you try marking the input value as nonsensitive(var.value) in the code and check whether this helps?

Here are also the Terraform docs showing how to do it:
https://www.terraform.io/docs/language/functions/nonsensitive.html

@nielsvz
Author

nielsvz commented Sep 6, 2021

The CIDRs are being pulled from SSM:

data "aws_ssm_parameter" "vpc_cidr" {
  name = "/redacted/vpc/cidr"
}

Marking the variable as nonsensitive works, terraform plan is now successful.
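
The fix discussed in this thread, written out as an added example (not code posted by either participant or taken from the module): the `value` attribute of the `aws_ssm_parameter` data source is marked sensitive, that marking follows the CIDR list into the module's `for_each` on cluster.tf line 94, and `nonsensitive()` removes it at the call site. The cluster name, Kubernetes version and the two input variables are assumptions, as is the exact way the SSM value was wired into the module.

```hcl
# Added example. Names not quoted in the issue are hypothetical.

variable "vpc_id" {
  type = string # hypothetical input
}

variable "private_subnet_ids" {
  type = list(string) # hypothetical input
}

# As posted in the issue. The provider marks `value` as sensitive,
# regardless of what the parameter actually holds.
data "aws_ssm_parameter" "vpc_cidr" {
  name = "/redacted/vpc/cidr"
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "17.14.0"

  cluster_name    = "example" # hypothetical
  cluster_version = "1.21"    # hypothetical
  vpc_id          = var.vpc_id
  subnets         = var.private_subnet_ids

  cluster_endpoint_private_access                = true
  cluster_create_endpoint_private_access_sg_rule = true

  # Fails at plan with "Invalid for_each argument": the sensitive marking
  # reaches toset(var.cluster_endpoint_private_access_cidrs) in the module.
  # cluster_endpoint_private_access_cidrs = [data.aws_ssm_parameter.vpc_cidr.value]

  # Plans successfully: nonsensitive() strips the marking before the value
  # becomes a for_each key. The CIDR is then shown in plan output and in
  # resource addresses, so use this only for values that are not secret.
  cluster_endpoint_private_access_cidrs = [
    nonsensitive(data.aws_ssm_parameter.vpc_cidr.value),
  ]
}
```

`nonsensitive()` only changes how Terraform treats the value in its output; keep real secrets out of `for_each` keys rather than unmarking them.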

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 18, 2022