### Terraform Version ```shell Terraform v1.3.3 on linux_amd64 ``` ### Terraform Configuration Files main.tf ````terraform ... module "vpc" { source = "./vpc" ... } module "management_host" { source = "./managementhost" ... private_subnets = module.vpc.private_subnets } ... resource "aws_route53_zone" "platformdomain" { name = var.platform_dns_domain force_destroy = false lifecycle { prevent_destroy = true } } ... ```` managmenthost/main.tf ```terraform ... variable "private_subnets" { type = map(any) } data "aws_subnet" "private_subnets" { for_each = var.private_subnets id = var.private_subnets[each.key].id } ... ``` Test example: https://github.com/MartinEmrich/tf-import-test-example ### Debug Output https://gist.github.com/MartinEmrich/6ff2c5dc77ea1cbc6dd02fb0345c080e ### Expected Behavior I try to import a resource (`aws_route53_zone.platformdomain`) before issuing `terraform apply` etc.): ``` ./terraform import aws_route53_zone.platformdomain AHOSTEDZONEID ``` With terraform up to 1.2.9, this worked. Starting with terraform 1.3.0, it no longer works. ### Actual Behavior As of terraform 1.3.0, I receive this error message: ```` ╷ │ Error: Invalid for_each argument │ │ on managementhost/main.tf line 34, in data "aws_subnet" "private_subnets": │ 34: for_each = var.private_subnets │ ├──────────────── │ │ var.private_subnets is a map of dynamic, known only after apply │ │ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource. │ │ When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place apply-time results only in the map values. │ │ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge. ╵ ```` ### Steps to Reproduce 1. `./terraform init` 2. `./terraform import aws_route53_zone.platformdomain AHOSTEDZONEID` ### Additional Context With any of terraform 1.2.9, 1.3.0 or 1.3.3, I can issue `terraform plan` or `terraform apply` with no issues. Indeed, as that `managementhost` module/subdirectory depends on the `vpc` module anyways, applying this in one go is no problem, so I see no dependency issues. Apparently starting with 1.3.0, terraform tries to "calculate" more information during import, and without that `vpc` module already rolled out, that `data` element cannot be calculated. But as these resources are unrelated to the resource I try to import, I consider this a bug, I expect `terraform import` to just write the ID into the state store. I hope the debug log alone and the pseudocode is helpful. If absolutely necessary, I still can try to condense the project into a publishable git repository for reproduction. ### References - Might relate to #31283, which is mentioned in #30706 (which in turn feels similar to my issue) as a fix, but it is not explained why.