Terraform build failed on gitlab agent only : Invalid for_each argument

Problem to solve

Terraform plan failed when I use the GitLab agent, but it works locally with the terraform command.
This happened after adding the quite famous module terraform-aws-eks.


Error: Invalid for_each argument

  on .terraform/modules/eks.eks/main.tf line 117, in resource "aws_ec2_tag" "cluster_primary_security_group":
 117:   for_each = { for k, v in merge(var.tags, var.cluster_tags) :
 118:     k => v if local.create && k != "Name" && var.create_cluster_primary_security_group_tags && v != null
 119:   }

local.create is true
var.cluster_tags is map of string with 1 element
var.create_cluster_primary_security_group_tags is true
var.tags is map of string with 6 elements

The "for_each" map includes keys derived from resource attributes that
cannot be determined until apply, and so Terraform cannot determine the
full set of keys that will identify the instances of this resource.
When working with unknown values in for_each, it's better to define the map
keys statically in your configuration and place apply-time results only in
the map values.

Alternatively, you could use the -target planning option to first apply
only the resources that the for_each value depends on, and then apply a
second time to fully converge.

Steps to reproduce

Which troubleshooting steps have you already taken? Can you link to any docs or other resources so we know where you have been?

To reproduce, I think you have to declare a module eks with tags and cluster_tags

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.11"
  # ...
  cluster_tags = {
    label = "cluster"
  }
  tags = merge(var.tags, {
    "karpenter.sh/discovery" = var.cluster_name
  })
}

The part of the module which seems to be the problem is
terraform-aws-eks/main.tf at master · terraform-aws-modules/terraform-aws-eks (github.com)

resource "aws_ec2_tag" "cluster_primary_security_group" {
  # This should not affect the name of the cluster primary security group
  # Ref: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2006
  # Ref: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2008
  for_each = { for k, v in merge(var.tags, var.cluster_tags) :
    k => v if local.create && k != "Name" && var.create_cluster_primary_security_group_tags && v != null
  }

  resource_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
  key         = each.key
  value       = each.value
}

Versions

Please select whether options apply, and add the version information.

  • Self-managed
  • GitLab.com SaaS
  • Self-hosted Runners

Versions
gitlab-runner 17.0.0~pre.88.g761ae5dd (761ae5dd)
green-5.saas-linux-small-amd64.runners-manager.gitlab.com/default xS6Vzpvo

AWS EKS module 20.11
GitLab Terraform image "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/terraform-images/stable:latest" (v1.8.0)
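
The following is an added example, not part of the original post and not code from the module: a simplified Python model of how the quoted for_each filter behaves at plan time when one tag value is only known after apply. It assumes, which the post does not state, that a value such as var.cluster_name is unknown during the failing plan; the function names and sample tags are constructed for illustration.

```python
# Added example: a simplified model of Terraform's plan-time evaluation,
# not Terraform itself and not code from the module.
UNKNOWN = object()  # stands for "(known after apply)", not refined as non-null


def is_not_null(v):
    """Model of `v != null`: undecidable while v is unknown."""
    return UNKNOWN if v is UNKNOWN else v is not None


def filtered_for_each(tags, cluster_tags):
    """Model of the module's for_each with local.create and
    var.create_cluster_primary_security_group_tags both true, as in the post.
    Returns the filtered map, or UNKNOWN when a filter result is undecidable,
    which is the case Terraform reports as "Invalid for_each argument".
    """
    merged = {**tags, **cluster_tags}  # merge(var.tags, var.cluster_tags)
    result = {}
    for k, v in merged.items():
        if k == "Name":  # simplification: decided from the key alone
            continue
        keep = is_not_null(v)
        if keep is UNKNOWN:
            return UNKNOWN  # one undecidable filter makes the whole key set unknown
        if keep:
            result[k] = v
    return result


def static_keys(tags, cluster_tags):
    """The error text's advice: take keys from the map itself and leave
    apply-time results in the values. Null values are no longer filtered."""
    merged = {**tags, **cluster_tags}
    return sorted(k for k in merged if k != "Name")


def demo(cluster_name):
    # Constructed inputs shaped like the post's module call.
    tags = {"env": "dev", "Name": "x", "karpenter.sh/discovery": cluster_name}
    cluster_tags = {"label": "cluster"}
    return filtered_for_each(tags, cluster_tags), static_keys(tags, cluster_tags)


if __name__ == "__main__":
    print(demo("my-cluster"))  # cluster name known at plan time
    print(demo(UNKNOWN))       # cluster name only known after apply
```

In the model, the `v != null` test is what ties the key set to the values: the keys themselves are all written in configuration, yet a single unknown value makes the filtered map unknown as a whole.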