### Terraform Version

```shell
Terraform v1.12.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v3.3.0
+ provider registry.terraform.io/hashicorp/azurerm v3.116.0
```

### Terraform Configuration Files

```terraform
locals {
  aks_functions = merge(
    { function1 = { aks_project = "proj", type = "instance" } },
    { function2 = { aks_project = "proj" } },
    { function3 = { aks_project = "proj", type = "regional" } },
    { function4 = { use_org_name = true, aks_project = "proj", type = "instance", enable_mi = true, mi_access_types = ["sql"] } },
    { function5 = { use_org_name = true, aks_project = "proj", type = "instance", enable_mi = true, mi_access_types = ["sql"] } }
  )

  aks_service = merge(
    { app1 = { aks_project = "proj", type = "instance" } },
  )

  mi_service_client_id = { for k, v in local.aks_service : "mi_client_id_${k}" => { value = azurerm_user_assigned_identity.api[k].client_id } if try(v.enable_mi, false) == true }
  mi_function_client_id = { for k, v in local.aks_functions : "mi_function_client_id_${k}" => { value = azurerm_user_assigned_identity.function[k].client_id } if try(v.enable_mi, false) == true }

  variable_group = merge(
    try(local.mi_service_client_id, {}),
    try(local.mi_function_client_id, {})
  )
  org_name = "org1"
  env = "dev"
}

resource "azurerm_resource_group" "platform" {
  name = "rgp-dl-test-01"
  location = "uksouth"
}

# Managed identity created for each function that has the option enabled
resource "azurerm_user_assigned_identity" "function" {
  for_each = { for k, v in local.aks_functions : k => v if try(v.enable_mi, false) }
  resource_group_name = azurerm_resource_group.platform.name
  location = azurerm_resource_group.platform.location
  name = "mi-func-${try(each.value.aks_project, local.org_name)}-${each.key}-${local.env}"
}

# Managed identity created for each app that has the option enabled
resource "azurerm_user_assigned_identity" "api" {
  for_each = { for k, v in local.aks_service : k => v if try(v.enable_mi, false) }
  resource_group_name = azurerm_resource_group.platform.name
  location = azurerm_resource_group.platform.location
  name = "mi-${each.value.aks_project}-${each.key}-${local.env}"
}

# Fake resource to show the issue
resource "terraform_data" "fake" {
  for_each = local.variable_group
}
```

### Debug Output

https://gist.github.com/danlumb01/6a742af954ff87fc3e2cb447c23662ef

### Expected Behavior

Initial plan/apply using the example code works without issue.

Amending the `local.aks_functions` object to create an additional `azurerm_user_assigned_identity.function` resource, for example adding `enable_mi = true` to `function3`:

```terraform
aks_functions = merge(
  { function1 = { aks_project = "proj", type = "instance" } },
  { function2 = { aks_project = "proj" } },
  { function3 = { aks_project = "proj", type = "regional", enable_mi = true } },
  { function4 = { use_org_name = true, aks_project = "proj", type = "instance", enable_mi = true, mi_access_types = ["sql"] } },
  { function5 = { use_org_name = true, aks_project = "proj", type = "instance", enable_mi = true, mi_access_types = ["sql"] } }
)
```

Results in the error below. Expected it to work, as the initial apply did. (Or at least, would expect to see the same issue on the first apply)

### Actual Behavior

`terraform plan` gives:

```
│ Error: Invalid for_each argument
│
│   on main.tf line 48, in resource "terraform_data" "fake":
│   48:   for_each = local.variable_group
│     ├────────────────
│     │ local.variable_group will be known only after apply
│
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this
│ resource.
│
│ When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place apply-time results only in the map values.
│
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.
```

`terraform console` gives:

```
╷
│ Error: Invalid index
│
│   on main.tf line 15, in locals:
│   15:   mi_function_client_id = { for k, v in local.aks_functions : "mi_function_client_id_${k}" => { value = azurerm_user_assigned_identity.function[k].client_id } if try(v.enable_mi, false) == true }
│     ├────────────────
│     │ azurerm_user_assigned_identity.function is object with 2 attributes
│
│ The given key does not identify an element in this collection value.
╵
╷
│ Warning: Due to the problems above, some expressions may produce unexpected results.
│
│
╵

>
```

Printing contents of `local.variable_group` in the console crashes Terraform with this:

```
> local.variable_group

!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!

Terraform crashed! This is always indicative of a bug within Terraform.
Please report the crash with Terraform[1] so that we can fix this.

When reporting bugs, please include your terraform version, the stack trace
shown below, and any additional information which may help replicate the issue.

[1]: https://github.com/hashicorp/terraform/issues

!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!

panic: value for local.variable_group was requested before it was provided
goroutine 1 [running]:
runtime/debug.Stack()
	runtime/debug/stack.go:26 +0x5e
github.com/hashicorp/terraform/internal/logging.PanicHandler()
	github.com/hashicorp/terraform/internal/logging/panic.go:84 +0x16a
panic({0x31be1a0?, 0xc002489ce0?})
	runtime/panic.go:792 +0x132
github.com/hashicorp/terraform/internal/namedvals.(*values[...]).GetExactResult(0x408c640, {{0x0, 0x0, 0x0}, {{}, {0xc0023b1c10, 0xe}}})
	github.com/hashicorp/terraform/internal/namedvals/values.go:88 +0x1ed
github.com/hashicorp/terraform/internal/namedvals.(*State).GetLocalValue(0x4012fb8?, {{0x0, 0x0, 0x0}, {{}, {0xc0023b1c10, 0xe}}})
	github.com/hashicorp/terraform/internal/namedvals/state.go:77 +0xe5
github.com/hashicorp/terraform/internal/terraform.(*evaluationStateData).GetLocalValue(0xc001160ab0, {{}, {0xc0023b1c10?, 0xc00087cfc9?}}, {{0x394bcf4, 0xf}, {0x1, 0x1, 0x0}, {0x1, ...}})
	github.com/hashicorp/terraform/internal/terraform/evaluate.go:339 +0x1b2
github.com/hashicorp/terraform/internal/lang.(*Scope).evalContext(0xc001160b40, {0xc00049cc58, 0x1, 0x1}, {0x0, 0x0})
	github.com/hashicorp/terraform/internal/lang/eval.go:397 +0x1943
github.com/hashicorp/terraform/internal/lang.(*Scope).EvalContext(...)
	github.com/hashicorp/terraform/internal/lang/eval.go:248
github.com/hashicorp/terraform/internal/lang.(*Scope).EvalExpr(0xc001160b40, {0x40684a0, 0xc0009898c0}, {{0x4068958?, 0x5d7b7c0?}})
	github.com/hashicorp/terraform/internal/lang/eval.go:173 +0x8c
github.com/hashicorp/terraform/internal/repl.(*Session).handleEval(0xc000bbb950, {0xc000bbb720?, 0x1?})
	github.com/hashicorp/terraform/internal/repl/session.go:58 +0x14e
github.com/hashicorp/terraform/internal/repl.(*Session).Handle(0xc000bbb950, {0xc000bbb720, 0x15})
	github.com/hashicorp/terraform/internal/repl/session.go:43 +0xbc
github.com/hashicorp/terraform/internal/command.(*ConsoleCommand).modeInteractive(0xc000504c40, 0xc000bbb950, {0x4070c30, 0xc0007a17a0})
	github.com/hashicorp/terraform/internal/command/console_interactive.go:91 +0x4ab
github.com/hashicorp/terraform/internal/command.(*ConsoleCommand).Run(0xc000504c40, {0xc00011c090?, 0x0?, 0x0?})
	github.com/hashicorp/terraform/internal/command/console.go:184 +0x10bc
github.com/hashicorp/cli.(*CLI).Run(0xc00057e280)
	github.com/hashicorp/cli@v1.1.7/cli.go:265 +0x4de
main.realMain()
	github.com/hashicorp/terraform/main.go:339 +0x1deb
main.main()
	github.com/hashicorp/terraform/main.go:64 +0x13
```

### Steps to Reproduce

As above:

1. `terraform init`
2. `terraform apply`
3. `terraform console`

### Additional Context

It's more unusual that this doesn't present in the initial plan and apply, so we've had this in our code base quite a while before we came to enable another managed identity in our local object, and encountered this.

### References

_No response_

### Generative AI / LLM assisted development?

_No response_