terraform-aws-eks-ack-addons's Issues

ACK RDS IRSA role requires access to `alias/secretsmanager` KMS key or fails to create DB.


When using the ACK Controller for RDS, I encountered a problem using the Secrets Manager feature of RDS.

In my circumstance, I was using a custom KMS key and gave, to the IRSA role, permission to create the secret,
access the KMS key and allow the associated grants as documented in AWS documentation.

However the controller still failed citing insufficient permissions on the KMS key.

Upon using CloudTrail I discovered the controller was still performing kms:DescribeKey on the default KMS key (alias/secretsmanager), even though I had supplied a specific one for secret in the resource.

Once I permitted kms:DescribeKey on the default KMS key for secrets manager, everything started working properly.

I have three questions:

  1. Can we please update the documentation to ensure that this is reflected in the required IAM permissions for the controller, to avoid others having the same issues if using the Secrets Manager facility.
  2. Is this a bug of the controller? Should it only perform kms:DescribeKey on the key supplied in the CRD?
     If so, where should I report this?
  3. Should an additional policy be created as an example for one that can be attached to the IAM IRSA role to fix this?


  • Module version 2.0.1

Steps to reproduce the behavior:

Expected behavior

CRD for dummy single instance small RDS:

```yaml
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  name: testdb
spec:
  allocatedStorage: 10
  autoMinorVersionUpgrade: true
  backupRetentionPeriod: 1
  dbInstanceClass: db.t4g.micro
  dbInstanceIdentifier: testdb
  dbSubnetGroupName: <pre-existing-group>
  deletionProtection: false
  engine: postgres
  engineVersion: "14"
  kmsKeyID: <alias or ARN of pre-existing KMS key>
  manageMasterUserPassword: true
  masterUserSecretKMSKeyID: <alias or ARN of pre-existing KMS key>
  masterUsername: "postgres"
  multiAZ: false
  networkType: IPV4
  publiclyAccessible: false
  storageEncrypted: true
  storageType: gp2
  vpcSecurityGroupIDs:
    - <pre-existing security group ID>
```

Extra IAM policy added to IRSA role:

```hcl
data "aws_iam_policy_document" "this" {
  statement {
    sid = "AllowKMSUseByRDS"
    actions = [
      # (action list not preserved in the issue text)
    ]
    resources = local.kms_keys # array of both custom KMS keys for EBS and secrets manager

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = local.rds_services
    }
  }

  statement {
    sid = "AllowKMSUseForSMByIRSA"
    actions = [
      # (action list not preserved in the issue text)
    ]
    resources = var.secretsmanager_kms_keys
  }

  statement {
    sid = "AllowSMUseByIRSA"
    actions = [
      # (action list not preserved in the issue text)
    ]
    resources = [local.account_sm_arn]
  }
}
```

Expects to create DB and create a secret with the postgres randomly generated password.

Actual behavior

Fails with insufficient permissions for KMS key (KMS key ARN for custom secrets manager KMS key)

Additional context

Further examination in CloudTrail shows a failure on kms:DescribeKey, but for the default KMS key alias for Secrets Manager (alias/secretsmanager).

Modifying the policy to allow access (full or just kms:DescribeKey) to the default KMS key results in success; an example of such a statement is below:

```hcl
  # Must grant DescribeKey to all KMS keys or ACK controller fails, even if the default KMS key is not used
  statement {
    sid = "AllowKMSDescribeKeyForRDS"
    actions = [
      # (action list not preserved in the issue text; either full access or just kms:DescribeKey works, per the text above)
    ]
    resources = ["arn:${local.partition}:kms:*:${local.account_id}:key/*"]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = local.rds_services
    }
  }
```
Note 1: I tried using ResourceAliases condition to limit the kms:DescribeKey permission to just the default secretsmanager KMS key but that, surprisingly, didn't work.
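A complete, closed policy document in the shape this issue converges on, added here as an illustration rather than taken from the issue or the module: key use stays pinned to the customer-managed keys and to calls routed through RDS, while the extra account-wide statement grants only the read-only `kms:DescribeKey` call the controller issues against the default Secrets Manager key. The key ARNs, account id, region and the action list on the customer-managed keys are assumptions; check that action list against the AWS documentation the issue refers to.

```hcl
# Added example, not from the issue or the module. Placeholder values are
# labelled; the action list on the customer-managed keys is an assumption.

locals {
  region     = "eu-west-1"    # placeholder
  account_id = "111122223333" # placeholder account id
  partition  = "aws"

  # Customer-managed keys referenced by the DBInstance's kmsKeyID and
  # masterUserSecretKMSKeyID (placeholder key ids).
  rds_kms_keys = [
    "arn:aws:kms:eu-west-1:111122223333:key/11111111-1111-1111-1111-111111111111",
    "arn:aws:kms:eu-west-1:111122223333:key/22222222-2222-2222-2222-222222222222",
  ]

  # Only calls that RDS makes on the controller's behalf are allowed.
  rds_services = ["rds.${local.region}.amazonaws.com"]
}

data "aws_iam_policy_document" "ack_rds_kms" {
  # Key *use*: scoped to the specific keys and to requests routed via RDS.
  statement {
    sid    = "AllowKMSUseByRDS"
    effect = "Allow"
    actions = [ # assumed action list
      "kms:DescribeKey",
      "kms:Decrypt",
      "kms:GenerateDataKey",
      "kms:CreateGrant",
    ]
    resources = local.rds_kms_keys

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = local.rds_services
    }
  }

  # Metadata only: the controller still describes the default Secrets Manager
  # key even when a custom key is supplied. DescribeKey cannot encrypt, decrypt
  # or create grants, so this account-wide statement does not widen key use;
  # it is also pinned to the region and to calls made via RDS.
  statement {
    sid       = "AllowKMSDescribeKeyForRDS"
    effect    = "Allow"
    actions   = ["kms:DescribeKey"]
    resources = ["arn:${local.partition}:kms:${local.region}:${local.account_id}:key/*"]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = local.rds_services
    }
  }
}

# Attach to the controller's IRSA role (the role resource itself is not shown).
resource "aws_iam_policy" "ack_rds_kms" {
  name   = "ack-rds-kms-example" # placeholder name
  policy = data.aws_iam_policy_document.ack_rds_kms.json
}
```

`terraform init && terraform validate` checks the document without AWS credentials. If you want the second statement narrower still, replace `key/*` with the resolved ARN of the default Secrets Manager key in the account, which keeps the grant to a single key while avoiding the alias condition the issue reports as not working.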

Add support for GitOps-Bridge

What is the outcome that you are trying to reach?

Ability to include ACK Addons when using the EKS Blueprints GitOps-Bridge

Describe the solution you would like

Implement similar support as the EKS Blueprints GitOps-Bridge like aws-ia/terraform-aws-eks-blueprints-addons#209

Describe alternatives you have considered


Additional context

This has been implemented in the ArgoCD on Amazon EKS Workshop here.

The integration will look like this with the new variable create_kubernetes_resources = false:

```hcl
# EKS ACK Addons
module "eks_ack_addons" {
  source = ""

  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  oidc_provider_arn = module.eks.oidc_provider_arn

  # Using GitOps Bridge
  create_kubernetes_resources = false

  # ACK Controllers to enable
  enable_apigatewayv2      = try(local.aws_addons.enable_ack_apigatewayv2, false)
  enable_dynamodb          = try(local.aws_addons.enable_ack_dynamodb, false)
  enable_s3                = try(local.aws_addons.enable_ack_s3, false)
  enable_rds               = try(local.aws_addons.enable_ack_rds, false)
  enable_prometheusservice = try(local.aws_addons.enable_ack_prometheusservice, false)
  enable_emrcontainers     = try(local.aws_addons.enable_ack_emrcontainers, false)
  enable_sfn               = try(local.aws_addons.enable_ack_sfn, false)
  enable_eventbridge       = try(local.aws_addons.enable_ack_eventbridge, false)

  tags = local.tags
}
```

Add EKS controller support

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK Amazon Elastic Kubernetes Service controller.
This would allow users to create Amazon Elastic Kubernetes Service resources (Cluster, Addon, NodeGroup, FargateProfile) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

Additional context

I'm using my fork of terraform-aws-eks-ack-addons with the terraform-aws-eks-blueprints.
You can see its changes here, but I'll outline them in this issue too.

```hcl
module "eks_blueprints_ack_addons" {
  source = ""

  cluster_id = module.eks_blueprints.eks_cluster_id
  # Wait for data plane to be ready
  data_plane_wait_arn = module.eks_blueprints.managed_node_group_arn[0]

  enable_api_gatewayv2 = false
  enable_dynamodb      = false
  enable_s3            = false
  enable_rds           = false
  enable_amp           = false
  enable_eks           = true

  tags = local.tags
}
```

This controller requires paying more attention to the IRSA settings, as no single pre-existing IAM policy covers the permissions needed to create all its resources.

The recommended inline policy from ACK is not enough either ... If you want to create NodeGroups or FargateProfiles, you need more permissions.
Hence the addition of the inline policies.

Here is what I've come up with after testing every resource:

```hcl
# Elastic Kubernetes Service

locals {
  eks_name = "ack-eks"
}

module "eks" {
  source = ""

  count = var.enable_eks ? 1 : 0

  helm_config = merge(
    {
      name             = local.eks_name
      chart            = "eks-chart"
      repository       = "oci://"
      version          = "v0.1.7"
      namespace        = local.eks_name
      create_namespace = true
      description      = "ACK eks Controller v2 Helm chart deployment configuration"
      values = [
        # shortens pod name from `ack-eks-eks-chart-xxxxxxxxxxxxx` to `ack-eks-xxxxxxxxxxxxx`
        <<-EOT
          nameOverride: ack-eks
        EOT
      ]
    },
    var.eks_helm_config
  )

  set_values = [
    {
      name  = ""
      value = local.eks_name
    },
    {
      name  = "serviceAccount.create"
      value = false
    },
    {
      name  = "aws.region"
      value = local.region
    }
  ]

  irsa_config = {
    create_kubernetes_namespace = true
    kubernetes_namespace        = try(var.eks_helm_config.namespace, local.eks_name)

    create_kubernetes_service_account = true
    kubernetes_service_account        = local.eks_name

    irsa_iam_policies = [aws_iam_policy.ack_eks_policy[0].arn, data.aws_iam_policy.eks[0].arn]
  }

  addon_context = local.addon_context
}

resource "aws_iam_policy" "ack_eks_policy" {
  count = var.enable_eks ? 1 : 0

  name        = "${local.cluster_id}-ack-eks-sa-policy"
  description = "IAM policy for ${local.eks_name} Service Account"
  path        = "/"
  policy      = data.aws_iam_policy_document.ack_eks_policy_document[0].json

  tags = local.tags
}

data "aws_iam_policy_document" "ack_eks_policy_document" {
  count = var.enable_eks ? 1 : 0

  statement {
    sid       = "ACKEKSPolicy1" # Recommended ACK inline Policy, see
    effect    = "Allow"
    actions   = ["eks:*"]
    resources = ["*"]
  }

  statement {
    sid    = "ACKEKSPolicy2" # iam:GetRole is required to create NodeGroups and iam:CreateServiceLinkedRole is required to create FargateProfiles
    effect = "Allow"
    actions = [
      # (action list not preserved in the issue text)
    ]
    resources = ["*"]
  }

  statement {
    sid       = "ACKEKSPolicy3" # Required to create NodeGroups
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = [""]
    }
  }
}

data "aws_iam_policy" "eks" {
  count = var.enable_eks ? 1 : 0

  name = "AmazonEKSServicePolicy"
}
```

Here are my test results:

```yaml
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Cluster
metadata:
  name: my-ack-test-cluster
spec:
  name: my-ack-test-cluster
  roleARN: arn:aws:iam::<REDACTED>:role/crossplane-ack-meetup-cluster-role
  resourcesVPCConfig:
    endpointPrivateAccess: true
    endpointPublicAccess: true
    subnetIDs:
      - "subnet-02421b2bc404c9324"
      - "subnet-0604d52bdcb46e8b6"
```

```
2022-12-01T13:37:10.936Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Cluster", "namespace": "default", "name": "my-ack-test-cluster", "is_adopted": false, "generation": 1}
```

```yaml
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Addon
metadata:
  name: vpc-cni
spec:
  name: vpc-cni
  addonVersion: "v1.12.0-eksbuild.1"
  clusterName: my-ack-test-cluster
  resolveConflicts: "OVERWRITE"
---
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Addon
metadata:
  name: coredns
spec:
  name: coredns
  addonVersion: "v1.8.7-eksbuild.3"
  clusterName: my-ack-test-cluster
  resolveConflicts: "OVERWRITE"
---
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Addon
metadata:
  name: kube-proxy
spec:
  name: kube-proxy
  addonVersion: "v1.23.13-eksbuild.2"
  clusterName: my-ack-test-cluster
  resolveConflicts: "OVERWRITE"
```

```
2022-12-01T15:16:11.236Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Addon", "namespace": "default", "name": "vpc-cni", "is_adopted": false, "generation": 1}
2022-12-01T15:16:11.950Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Addon", "namespace": "default", "name": "coredns", "is_adopted": false, "generation": 1}
2022-12-01T15:16:12.802Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Addon", "namespace": "default", "name": "kube-proxy", "is_adopted": false, "generation": 1}
```

```yaml
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Nodegroup
metadata:
  name: my-ack-test-ng
spec:
  name: my-ack-test-ng
  clusterName: my-ack-test-cluster
  subnets:
    - "subnet-02421b2bc404c9324"
    - "subnet-0604d52bdcb46e8b6"
  nodeRole: arn:aws:iam::<REDACTED>:role/crossplane-ack-meetup-cluster-role
  scalingConfig:
    minSize: 1
    maxSize: 1
    desiredSize: 1
```

```
2022-12-01T15:23:06.006Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Nodegroup", "namespace": "default", "name": "my-ack-test-ng", "is_adopted": false, "generation": 1}
2022-12-01T15:51:13.894Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Nodegroup", "namespace": "default", "name": "my-ack-test-ng", "generation": 3}
```

```
❯ cat pod-execution-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:eks:eu-west-1:<REDACTED>:fargateprofile/my-ack-test-cluster/*"
        }
      },
      "Principal": {
        "Service": ""
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
❯ aws iam create-role \
  --role-name AmazonEKSFargatePodExecutionRole \
  --assume-role-policy-document file://"pod-execution-role-trust-policy.json"
❯ aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy \
  --role-name AmazonEKSFargatePodExecutionRole
```

```yaml
apiVersion: eks.services.k8s.aws/v1alpha1
kind: FargateProfile
metadata:
  name: my-ack-test-profile
spec:
  name: my-ack-test-profile
  clusterName: my-ack-test-cluster
  podExecutionRoleARN: arn:aws:iam::<REDACTED>:role/AmazonEKSFargatePodExecutionRole
  subnets:
    - "subnet-087c10af4f1bc624b"
    - "subnet-0f29941bb08e3c58a"
  selectors:
    - namespace: default
```

```
2022-12-01T21:07:24.631Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "FargateProfile", "namespace": "default", "name": "my-ack-test-profile", "is_adopted": false, "generation": 1}
2022-12-01T21:11:29.696Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "FargateProfile", "namespace": "default", "name": "my-ack-test-profile", "generation": 2}
```

In the end, the created NodeGroup can't join the created Cluster because of the lacking RBAC mapping from the missing aws-auth ConfigMap, and the missing security group rules.
But strictly on the controller side, the create & delete actions are allowed with this set of IAM permissions.

I'm proposing these changes in #34

I'm also going to propose the change in recommended iam policy upstream.

sample app doesn't have health endpoint


When inspecting the target group for the load balancer, I noticed that the pod is unhealthy


Add ACK ec2 controller

What is the outcome that you are trying to reach?

Ability to install the ACK ec2 controller

This will allow creating resources

Describe the solution you would like

Follow the same pattern as the other controllers

Add KMS controller support

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK AWS Key Management Service (KMS) controller.
This would allow users to create AWS Key Management Service (KMS) resources (Key, Alias, Grant) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

Additional context

I'm using my fork of terraform-aws-eks-ack-addons with the terraform-aws-eks-blueprints.
You can see its changes here, but I'll outline them in this issue too.

```hcl
module "eks_blueprints_ack_addons" {
  source = ""

  cluster_id = module.eks_blueprints.eks_cluster_id
  # Wait for data plane to be ready
  data_plane_wait_arn = module.eks_blueprints.managed_node_group_arn[0]

  enable_api_gatewayv2 = false
  enable_dynamodb      = false
  enable_s3            = false
  enable_rds           = false
  enable_amp           = false
  enable_kms           = true

  tags = local.tags
}
```

This controller requires paying more attention to the IRSA settings, as no single pre-existing IAM policy covers the permissions needed to create all its resources.

The recommended inline policy from ACK is not enough ... If you want to Delete or Rotate Keys, or Create and Revoke Grants, you need more permissions.
Hence the addition of the inline policies.

Here is what I've come up with after testing every resource:

```hcl
# Key Management Service

locals {
  kms_name = "ack-kms"
}

module "kms" {
  source = ""

  count = var.enable_kms ? 1 : 0

  helm_config = merge(
    {
      name             = local.kms_name
      chart            = "kms-chart"
      repository       = "oci://"
      version          = "v0.1.3"
      namespace        = local.kms_name
      create_namespace = true
      description      = "ACK kms Controller v2 Helm chart deployment configuration"
      values = [
        # shortens pod name from `ack-kms-kms-chart-xxxxxxxxxxxxx` to `ack-kms-xxxxxxxxxxxxx`
        <<-EOT
          nameOverride: ack-kms
        EOT
      ]
    },
    var.kms_helm_config
  )

  set_values = [
    {
      name  = ""
      value = local.kms_name
    },
    {
      name  = "serviceAccount.create"
      value = false
    },
    {
      name  = "aws.region"
      value = local.region
    }
  ]

  irsa_config = {
    create_kubernetes_namespace = true
    kubernetes_namespace        = try(var.kms_helm_config.namespace, local.kms_name)

    create_kubernetes_service_account = true
    kubernetes_service_account        = local.kms_name

    irsa_iam_policies = [aws_iam_policy.ack_kms_policy[0].arn, data.aws_iam_policy.kms[0].arn]
  }

  addon_context = local.addon_context
}

resource "aws_iam_policy" "ack_kms_policy" {
  count = var.enable_kms ? 1 : 0

  name        = "${local.cluster_id}-ack-kms-sa-policy"
  description = "IAM policy for ${local.kms_name} Service Account"
  path        = "/"
  policy      = data.aws_iam_policy_document.ack_kms_policy_document[0].json

  tags = local.tags
}

data "aws_iam_policy_document" "ack_kms_policy_document" {
  count = var.enable_kms ? 1 : 0

  statement {
    sid    = "ACKKMSPolicy"
    effect = "Allow"
    actions = [
      # (action list not preserved in the issue text)
    ]
    resources = ["*"]
  }
}

data "aws_iam_policy" "kms" {
  count = var.enable_kms ? 1 : 0

  name = "AWSKeyManagementServicePowerUser"
}
```

Here are my test results:

```yaml
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Key
metadata:
  name: my-ack-test-key
spec:
  description: a kms key
  enableKeyRotation: true
```

```
2022-12-09T13:40:03.389Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Key", "namespace": "default", "name": "my-ack-test-key", "is_adopted": false, "generation": 1}
2022-12-09T14:22:03.949Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Key", "namespace": "default", "name": "my-ack-test-key", "generation": 3}
```

```yaml
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Alias
metadata:
  name: my-ack-test-key-alias
spec:
  name: alias/my-ack-test-key-alias
  targetKeyRef:
    from:
      name: my-ack-test-key
```

```
2022-12-09T13:40:03.547Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Alias", "namespace": "default", "name": "my-ack-test-key-alias", "is_adopted": false, "generation": 1}
2022-12-09T14:22:03.936Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Alias", "namespace": "default", "name": "my-ack-test-key-alias", "generation": 2}
```

```yaml
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Grant
metadata:
  name: my-ack-test-grant
spec:
  granteePrincipal: arn:aws:iam::<REDACTED>:user/<REDACTED>
  # (key reference not preserved in the issue text)
  name: my-ack-test-grant
  operations:
    - Encrypt
  retiringPrincipal: arn:aws:iam::<REDACTED>:user/<REDACTED>
```

```
2022-12-09T14:05:21.758Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Grant", "namespace": "default", "name": "my-ack-test-grant", "is_adopted": false, "generation": 1}
2022-12-09T14:11:07.860Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Grant", "namespace": "default", "name": "my-ack-test-grant", "generation": 3}
```

I'm proposing this change in #35

I'm also going to propose the change in recommended iam policy upstream.

ack apigateway role_policies default


Trying to customize apigatewayv2 helm installation and irsa role creation with minimal configuration fails on the IRSA role_policies as the lookup default value does not match the key type.

```hcl
role_policies = lookup(var.apigatewayv2, "role_policies", {
    AmazonAPIGatewayInvokeFullAccess = "${local.iam_role_policy_prefix}/AmazonAPIGatewayInvokeFullAccess"
    AmazonAPIGatewayAdministrator    = "${local.iam_role_policy_prefix}/AmazonAPIGatewayAdministrator"
})
```

The default is an object {} while the map element role_policies is not defined afaik.



  • Module version: 2.2.0

  • Terraform version: 1.6.6

  • Provider version(s):

  • provider v1.14.0
  • provider v5.8.0
  • provider v2.13.1
  • provider v2.29.0
  • provider v3.4.3
  • provider v0.11.1
  • provider v0.1.2

Reproduction Code [Required]

```hcl
module "eks_ack_addons" {
  count   = var.enable_eks_ack_addons ? 1 : 0
  source  = "aws-ia/eks-ack-addons/aws"
  version = "2.2.0"

  # Cluster Info
  cluster_name      = var.eks_cluster_name
  cluster_endpoint  = data.aws_eks_cluster.cluster.endpoint
  oidc_provider_arn = var.eks_oidc_provider_arn

  # ECR Credentials
  ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
  ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password

  enable_apigatewayv2 = var.enable_ack_api_gatewayv2_controller

  apigatewayv2 = var.apigatewayv2

  tags = var.tags
}
```

apigatewayv2 variable:

```hcl
apigatewayv2 = {
  chart_version = "1.1.0"
  skip_crds     = false
}
```

Steps to reproduce the behavior:

terraform plan (with valid variables for eks cluster required vars)

Expected behavior

Helm chart is installed using chart_version, and IRSA role is created with default policies

Actual behavior

Terraform plan fails as the lookup for role policies for apigatewayv2 default return does not match the role_policies key type

Terminal Output Screenshot(s)

```
│ Error: Invalid function argument
│   on .terraform/modules/eks_ack_addons/ line 118, in module "apigatewayv2":
│  118:   role_policies = lookup(var.apigatewayv2, "role_policies", {
│  119:     AmazonAPIGatewayInvokeFullAccess = "${local.iam_role_policy_prefix}/AmazonAPIGatewayInvokeFullAccess"
│  120:     AmazonAPIGatewayAdministrator    = "${local.iam_role_policy_prefix}/AmazonAPIGatewayAdministrator"
│  121:   })
│     ├────────────────
│     │ while calling lookup(inputMap, key, default...)
│     │ local.iam_role_policy_prefix is "arn:aws:iam::aws:policy"
│ Invalid value for "default" parameter: the default value must have the same
│ type as the map elements.
```

Additional context

Dummy issue



Add ACK mq controller

What is the outcome that you are trying to reach?

Ability to install the ACK mq controller

This will allow creating Amazon MQ brokers (RabbitMQ or ActiveMQ)

Describe the solution you would like

Follow the same pattern as the other controllers

Add ACK Amazon Managed service for Prometheus controller

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK Amazon Managed service for Prometheus controller.
This would allow users to create Amazon Managed service for Prometheus resources (AlertManagerDefinition, RuleGroupsNamespace, Workspace) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

Add link to source code of sample application container


Document the location of the source code for the sample application
There is a container victorgucanada/new-dynamo-nodejs:latest being referenced, but no link to a GitHub repo that contains the code.
If the code is a couple of lines, I would just embed the code into the deployment YAML.

Support ElastiCache Controller

What is the outcome that you are trying to reach?

Add ElastiCache and an enablement variable similar to other controllers e.g.

```hcl
enable_rds = true
```

Describe the solution you would like

Same behavior as the other controllers.

Describe alternatives you have considered

I can probably do this on my own using aws-ia/eks-blueprints-addon/aws, but it'd be nice if it supported it already. 👯

Add ECR controller support

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK Amazon EC2 Container Registry controller.
This would allow users to create Amazon EC2 Container Registry resources (Repository, PullThroughCacheRule) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

`Invalid index` error when emrcontainers or step functions (sfn) are not enabled


If, using the existing example, you disable the emrcontainers and/or step functions as follows:

```hcl
# Controllers to enable
# ... other parts elided
enable_emrcontainers = false
enable_sfn           = false
```

Then terraform responds with the following output:

```
│ Error: Invalid index
│   on .terraform/modules/eks_ack_addons/ line 592, in module "emrcontainers":
│  592:     AmazonEmrContainers = aws_iam_policy.emrcontainers[0].arn
│     ├────────────────
│     │ aws_iam_policy.emrcontainers is empty tuple
│ The given key does not identify an element in this collection value: the collection has no elements.
│ Error: Invalid index
│   on .terraform/modules/eks_ack_addons/ line 773, in module "sfn":
│  773:     AWSStepFunctionsIamPassRole = aws_iam_policy.sfnpasspolicy[0].arn
│     ├────────────────
│     │ aws_iam_policy.sfnpasspolicy is empty tuple
│ The given key does not identify an element in this collection value: the collection has no elements.
```

This is always reproducible with v2.0.0 of the provider (latest at time of writing)

  • Module version: v2.0.0

  • Terraform version: 1.5.2

  • Provider version(s):

```
Terraform v1.5.2
on linux_amd64
+ provider v5.6.2
+ provider v2.10.1
+ provider v2.21.1
```

Reproduction Code

See example above in the description.
This is verifiable with the example code in this repository.

Expected behavior

Resources to be provisioned

Actual behavior

Error reported as above.

Terminal Output Screenshot(s)

Error reported as above.

Additional context

I believe this can easily be solved by either a conditional assignment:

```hcl
AmazonEmrContainers = var.enable_emrcontainers ? aws_iam_policy.emrcontainers[0].arn : null
```

or by the use of try:

```hcl
AmazonEmrContainers = try(aws_iam_policy.emrcontainers[0].arn, null)
```
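Both this failure and the `lookup()` type error from the apigatewayv2 issue above can be avoided at the variable and expression level. The following is an added example and not the module's code: a typed object with `optional()` attributes replaces the `lookup()` whose default had to match the element type of a mixed string/bool object, and `one()` over a splat replaces the `[0]` index into a count-gated resource that may be empty. The resource name and policy body are placeholders.

```hcl
# Added example, not the module's code. Placeholder values are labelled.

terraform {
  required_version = ">= 1.3" # optional() attribute defaults
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# 1. lookup(var.apigatewayv2, "role_policies", {...}) fails because the default
#    must have the same type as the object's elements, which mix strings and
#    bools. With a declared object type the attribute always exists, and the
#    default (the two policy ARNs quoted in that issue) lives in the type.
variable "apigatewayv2" {
  type = object({
    chart_version = optional(string)
    skip_crds     = optional(bool, false)
    role_policies = optional(map(string), {
      AmazonAPIGatewayInvokeFullAccess = "arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess"
      AmazonAPIGatewayAdministrator    = "arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator"
    })
  })
  default = {}
}

variable "enable_emrcontainers" {
  type    = bool
  default = false
}

# 2. A count-gated policy, as in the module's emrcontainers block.
resource "aws_iam_policy" "emrcontainers" {
  count = var.enable_emrcontainers ? 1 : 0

  name = "example-ack-emrcontainers" # placeholder
  policy = jsonencode({              # placeholder policy body
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["emr-containers:ListVirtualClusters"]
      Resource = "*"
    }]
  })
}

locals {
  # Caller-supplied role_policies win; otherwise the typed default applies.
  apigatewayv2_role_policies = var.apigatewayv2.role_policies

  # one() yields the single ARN, or null when count is 0, so the map is built
  # without indexing [0] into an empty tuple. Null entries are dropped so that
  # nothing is attached while the controller is disabled.
  emrcontainers_role_policies = {
    for name, arn in {
      AmazonEmrContainers = one(aws_iam_policy.emrcontainers[*].arn)
    } : name => arn if arn != null
  }
}

output "apigatewayv2_role_policies" {
  value = local.apigatewayv2_role_policies
}

output "emrcontainers_role_policies" {
  value = local.emrcontainers_role_policies
}
```

`terraform init && terraform validate` checks both constructs without AWS credentials; passing `apigatewayv2 = { chart_version = "1.1.0", skip_crds = false }`, as in the apigatewayv2 issue, is accepted because the missing `role_policies` attribute takes the typed default.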

