terraform modules value of count cannot be computed

[zerolaser]

I was using terraform modules for IAM user creation, add multiple inline policies and multiple policy_arn's to the user after creation. But now I got an issue where I create an IAM_POLICY and get the arn of this policy and i am trying to add it as policy_arn ="{module.policy.policy_arn}" but i was getting the error, value of 'count' cannot be computed.
My current version of terraform is 0.8.7

module/user/users.tf

variable user {}
variable policy_arn {
   type = "list"
   default = ["default"]
}

variable policy_file {
  type = "list"
  default = ["default"]
}

resource "aws_iam_user" "user" {
  name  = "${var.user}"
}

resource "aws_iam_access_key" "key" {
  user  = "${var.user}"
}

resource "aws_iam_user_policy" "user_policy" {
    count = "${element(var.policy_file, 0) =="default" ? 0: length(var.policy_file)}"
    name = "${element(var.policy_file,count.index)}"
    user = "${var.user}"
    policy = "${file("../policies/${element(var.policy_file,count.index)}.json")}"
    depends_on = ["aws_iam_user.user"]
}

resource "aws_iam_user_policy_attachment" "policy_attach" {
    count = "${element(var.policy_arn, 0) =="default" ? 0: length(var.policy_arn)}"
    user  = "${var.user}"
    policy_arn = "${element(var.policy_arn, count.index)}"
    depends_on = ["aws_iam_user.user"]
}

module/policy/policy.tf

variable policy_file {
  type = "string"
  default = "default"
}

variable description {
  type = "string"
  default = "policy description"
}

resource "aws_iam_policy" "policy" {
    path = "/"
    description = "$(var.description}"
    name = "${var.policy_file}"
    policy = "${file("../policies/${var.policy_file}.json")}"
}

main.tf

module "app_user" {
  source = "../module/user"  
  user = "app-user"     
 policy_file = ["ec2_access", "rds_access" ]
  policy_arn = [ "arn:aws:iam::aws:policy/ReadOnlyAccess","arn:aws:iam::aws:policy/AmazonSQSFullAccess", "${module.test_policy.policy_arn}" ]
}

module "test_policy" {
  source = "../module/policy/policy.tf"
  policy_file = "test_policy"
  description = "Read access to the autoscale event queue"
}

output "policy_arn" {
  value = "${module.test_policy.policy_arn}"
}

when i do terraform plan i was getting the error the aws_iam_user_policy.user_policy: value of 'count' cannot be computed.
now i am not sure. how would i get the arn of the policy created in other module to the current policy_arn to the user.

I tried with terraform 0.9.0 dev its showing the same issue. but if i first apply with target module on the policy then apply for user, Its not throwing any count error. Its working. I might need a way to tell terraform to apply policy module first then apply user module. It should be done with depends_on but i'm not able to call depends_on on other modules. Could we write a null_resource depending on policy and user module depending on null_resource ?

Any suggestions/workarounds or modifications to my modules will be appreciated. thanks.

[mfischer-zd]

I've seen a similar problem. There seems to be a general issue where the deferred evaluation of the count attribute of any resource declared in a module is performed. In my case, I'm getting a circular dependency error instead of a value of 'count' cannot be computed error.

Here's my case:

module "provisioner" {
  source = "path"
  hosts = "${zipmap("${google_compute_instance.consul_server.*.network_interface.0.access_config.0.assigned_nat_ip}", "${google_compute_instance.consul_server.*.network_interface.0.address}")}"

Module source:

variable "hosts" {
  type = "map"
}

resource "null_resource" "provision_consul" { 
   count = "${length(keys(var.hosts))}"   
   # etc
}

If I do this, I get:

Error configuring: 1 error(s) occurred:

* Cycle: module.provisioner.var.hosts, module.provisioner.null_resource.provision_consul (destroy), google_compute_instance.consul_server (destroy), google_compute_instance.consul_server

However, if I simply change the count in the module to a number, it works fine.

My current workaround is to declare a server_count variable in the calling template and pass it to the count attributes in both the calling template (literally) and the module (via a separate variable):

variable "server_count" {
  default = "3"
}

resource "google_compute_instance" "consul_server" {
  count = "${var.server_count}"
  ...
}

module "provisioner" {
  source = "../modules/provisioner"
  hosts = "${zipmap("${google_compute_instance.consul_server.*.network_interface.0.access_config.0.assigned_nat_ip}", "${google_compute_instance.consul_server.*.network_interface.0.address}")}"
  count = "${var.server_count}"
}

Provisioner:

resource "null_resource" "provision_consul" {
  count = "${var.count}"
  ...
}

[beanaroo]

I was just hit with a similar problem:

resource "aws_security_group_rule" "ec2_allow_ssh" {
    count             = "${var.vpc["ssh_enabled"] == "true" ? 1 : 0 }"
    type              = "ingress"

    from_port         = 22
    to_port           = 22
    protocol          = "tcp"
    cidr_blocks       = ["${split(",", var.vpc["ssh_allowed_cidrs"])}"]

    security_group_id = "${aws_security_group.nodejs_ec2.id}"
}

Throws a circular dependency error:

Errors:

  * 1 error(s) occurred:

* Cycle: module.preview_vpc.aws_subnet.public (destroy), module.preview_vpc.aws_subnet.public, module.preview_vpc.output.public_subnets, module.preview_ics-api-nodejs.var.vpc, module.preview_ics-api-nodejs.aws_security_group_rule.ec2_allow_ssh (destroy), module.preview_vpc.aws_subnet.private (destroy), module.preview_vpc.aws_subnet.private, module.preview_vpc.output.private_subnets

But if I hard code a 1 or 0, it works.

Thanks for the workaround @mfischer-zd. It's not pretty but seems we have no choice at the moment.

[myroslav]

It look like all of the calculated parameters that influence the count should land in the terraform.tfstate state first and this can be done with manual selective terraform apply -target=.... After all dependencies are created and cached in tfstate, subsequent terraform plan does not require any manual dependency management.

[LinusU]

I think I have a similar problem, it seems like my count worked when I had

resource "aws_route53_record" "dns" {
  count = "${length(var.domains)}"

  // ...
}

but when I added this (👇) ternary expression, it doesn't work when length(var.ips) evaluates to more than 0...

resource "aws_route53_record" "dns" {
  count = "${length(var.ips) > 0 ? length(var.domains) : 0}"

  // ...
}

[tomyan]

We're having this issue as well, similar to the initial report (trying to pass an iam policy document into a module that references resources outside the module). If the resources already exist then it seems to work (in our staging environment the resources were created in one update and the policy added in a subsequent one, which worked), but if the resources don't exist (as we found in our production environment where both updates were applied at once) then we get the value of 'count' cannot be computed error.

[hazim1093]

I'm facing a similar issue with terraform version 0.9.6 as well

The weird thing is that im using this

count = "${(signum(length(var.myVar)) + 1) % 2}"

in one module and it seems to be working fine there, the same expression in another module with another variable inside results in the value of 'count' cannot be computed error

Another thing that confuses me is that, I changed the line to

count = "${length(var.myVar) > 0 ? 0 : 1}"

And it worked for the first time after doing this, no errors everything created successfully, but after that time, doing this also results in the same error.

Is there a workaround to this?

[hazim1093]

apparently I changed

count = "${length(var.myVar) > 0 ? 0 : 1}"

to (another variable)

count = "${length(var.myVar2) > 0 ? 0 : 1}"

and it is not complaining (for now)

[ketzacoatl]

This is still a bug / problem with 0.9.8.

Here is my version the error from a VPC module's test env:

* module.vpc.module.public-gateway.aws_route_table_association.public: aws_route_table_association.public: value of 'count' cannot be computed
* aws_instance.web: aws_instance.web: value of 'count' cannot be computed

[goetas]

duplicate of #10857