Empty destroy fails on conditional modules

[jta]

Terraform Version

Terraform v1.3.0
on darwin_amd64
+ provider registry.terraform.io/hashicorp/null v3.1.1

Terraform Configuration Files

main.tf:

locals {
  enable = true
  value  = local.enable ? module.example[0].thing : null
}

module "example" {
  count  = local.enable ? 1 : 0
  source = "./example"
}

The contents of .example/main.tf:

resource "null_resource" "thing" {
}

output "thing" {
  value = null_resource.thing
}

Debug Output

https://gist.github.com/jta/4b9bd020354d470c6d1f006b7baf7341

Expected Behavior

Destroying where there is no state should be a no-op.

Actual Behavior

Terraform can apply and destroy the provided config correctly. However, issuing a destroy when the state is empty triggers an error:

Error: Invalid index

  on main.tf line 3, in locals:
   3:   value  = local.enable ? module.example[0].thing : null
    ├────────────────
    │ module.example is empty tuple

The given key does not identify an element in this collection value: the collection has no elements.

Steps to Reproduce

1. terraform init
2. terraform destroy

Additional Context

This is a regression introduced by v1.3.0.

References

No response

[supershal]

I am still facing this issue when tested with real resource other than null_resource. I am trying to create a vsphere VM using terraform.
in my main.tf

resource "vsphere_virtual_machine" "node" {
  count                            = var.node_count
...
...
}
output "default_ip_address" {
  description = "The IP address selected by Terraform vsphere module."
  value       = vsphere_virtual_machine.node[0].default_ip_address
}

• Output of terraform version:

❯ terraform version
Terraform v1.3.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/vsphere v2.2.0

• Output for terraform destroy:

❯ terraform destroy
data.template_cloudinit_config.vsphere: Reading...
data.template_cloudinit_config.vsphere: Read complete after 0s [id=3367078445]
data.vsphere_custom_attribute.owner: Reading...
data.vsphere_custom_attribute.expiration: Reading...
data.vsphere_datacenter.dc: Reading...
data.vsphere_custom_attribute.owner: Read complete after 0s [id=101]
data.vsphere_custom_attribute.expiration: Read complete after 0s [id=102]
data.vsphere_datacenter.dc: Read complete after 1s [id=datacenter-foobar-3]
data.vsphere_resource_pool.resource_pool[0]: Reading...
data.vsphere_compute_cluster.cluster: Reading...
data.vsphere_network.network: Reading...
data.vsphere_datastore.ds[0]: Reading...
data.vsphere_virtual_machine.node: Reading...
data.vsphere_network.network: Read complete after 0s [id=network-foobar-1015]
data.vsphere_datastore.ds[0]: Read complete after 0s [id=datastore-foobar-37]
data.vsphere_compute_cluster.cluster: Read complete after 1s [id=domain-foo-barc1005]
data.vsphere_resource_pool.resource_pool[0]: Read complete after 1s [id=resgroup-foobar-1010]
data.vsphere_virtual_machine.node: Read complete after 2s [id=4216bdb0-98ab-e4a7-5121-228c7731097b]

No changes. No objects need to be destroyed.

Either you have not created any objects yet or the existing objects were already deleted outside of Terraform.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

╷
│ Error: Invalid index
│
│   on output.tf line 4, in output "default_ip_address":
│    4:   value       = vsphere_virtual_machine.node[0].default_ip_address
│     ├────────────────
│     │ vsphere_virtual_machine.node is empty tuple
│
│ The given key does not identify an element in this collection value: the collection has no elements.

contents of terraform.tfstate

❯ cat terraform.tfstate
{
  "version": 4,
  "terraform_version": "1.3.1",
  "serial": 10,
  "lineage": "f37325ff-f2fe-0bac-6c74-84d7d80edd34",
  "outputs":{},
  "resources": [
    {
      "mode": "managed",
      "type": "vsphere_virtual_machine",
      "name": "node",
      "provider": "provider[\"registry.terraform.io/hashicorp/vsphere\"]",
      "instances": []
    }
  ],
  "check_results": []
}

Before reopening this issue I like to make sure if this needs to be fixed in the terraform vsphere provider or in my script.
cc: @jbardin

[jkritzen]

I am also facing this issue, but with AWS and Azure provider.

Same Code works with terraform 1.2.9 but not from 1.3.0 till 1.3.2.

Seems that happens only when the state is empty ( Remote state or local state).

with terraform 1.2.9:

Apply / Destroy / Destroy works as expected:

❯ cat terraform.tfstate
{
  "version": 4,
  "terraform_version": "1.2.9",
  "serial": 59,
  "lineage": "1fdb1e16-6375-92f3-8cb5-cf11a3c56bcc",
  "outputs": {},
  "resources": []
}
❯ terraform-1.2.9 --version
Terraform v1.2.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.34.0
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/time v0.8.0
+ provider registry.terraform.io/hashicorp/tls v4.0.3
❯ terraform-1.2.9 destroy --auto-approve
module.myvm.module.ssm[0].data.aws_iam_policy.default: Reading...
module.myvm.data.aws_subnet.selected["linux"]: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Reading...
module.myvm.module.vm["linux"].data.aws_ami.default: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Read complete after 0s [id=1903849331]
module.myvm.data.aws_subnet.selected["linux"]: Read complete after 0s [id=subnet-0688e708c48a0f799]
module.myvm.module.vm["linux"].data.aws_ami.default: Read complete after 0s [id=ami-08658d5197becde34]
module.myvm.module.ssm[0].data.aws_iam_policy.default: Read complete after 0s [id=arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore]

Changes to Outputs:

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Destroy complete! Resources: 0 destroyed.

with terraform 1.3.0:

❯ cat terraform.tfstate
{
  "version": 4,
  "terraform_version": "1.2.9",
  "serial": 60,
  "lineage": "1fdb1e16-6375-92f3-8cb5-cf11a3c56bcc",
  "outputs": {},
  "resources": []
}
❯ terraform-1.3.0 destroy --auto-approve
module.myvm.module.ssm[0].data.aws_iam_policy.default: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Reading...
module.myvm.data.aws_subnet.selected["linux"]: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Read complete after 0s [id=1903849331]
module.myvm.module.vm["linux"].data.aws_ami.default: Reading...
module.myvm.data.aws_subnet.selected["linux"]: Read complete after 0s [id=subnet-0688e708c48a0f799]
module.myvm.module.vm["linux"].data.aws_ami.default: Read complete after 0s [id=ami-08658d5197becde34]
module.myvm.module.ssm[0].data.aws_iam_policy.default: Read complete after 0s [id=arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore]
╷
│ Error: Invalid index
│ 
│   on ../../main.tf line 84, in module "vm":
│   84:   vpc_security_group_ids                  = lookup(each.value, "vpc_security_group_ids", [module.sg_vm[each.key].sg_id])
│     ├────────────────
│     │ each.key is "linux"
│     │ module.sg_vm is object with no attributes
│ 
│ The given key does not identify an element in this collection value.
╵
╷
│ Error: Unsupported attribute
│ 
│   on ../../main.tf line 85, in module "vm":
│   85:   iam_instance_profile                    = var.session_manager_enable == true ? module.ssm[0].iam_instance_profile_id : lookup(each.value, "iam_instance_profile", null) # Default when not profile is set
│     ├────────────────
│     │ module.ssm[0] is object with 2 attributes
│ 
│ This object does not have an attribute named "iam_instance_profile_id".
╵

with terraform 1.3.1

Terraform v1.3.1
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.34.0
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/time v0.8.0
+ provider registry.terraform.io/hashicorp/tls v4.0.3
❯ terraform destroy --auto-approve
module.myvm.module.ssm[0].data.aws_iam_policy.default: Reading...
module.myvm.data.aws_subnet.selected["linux"]: Reading...
module.myvm.module.vm["linux"].data.aws_ami.default: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Read complete after 0s [id=1903849331]
module.myvm.data.aws_subnet.selected["linux"]: Read complete after 0s [id=subnet-0688e708c48a0f799]
module.myvm.module.vm["linux"].data.aws_ami.default: Read complete after 0s [id=ami-08658d5197becde34]
module.myvm.module.ssm[0].data.aws_iam_policy.default: Read complete after 0s [id=arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore]

No changes. No objects need to be destroyed.

Either you have not created any objects yet or the existing objects were already deleted outside of Terraform.
╷
│ Error: Invalid index
│ 
│   on .terraform/modules/myvm.sg_vm/locals.tf line 5, in locals:
│    5:   this_sg_id = var.create_sg ? resource.aws_security_group.this[0].id : var.security_group_id
│     ├────────────────
│     │ resource.aws_security_group.this is empty tuple
│ 
│ The given key does not identify an element in this collection value: the collection has no elements.
╵

with terrform 1.3.2

❯ terraform-1.3.2 --version
Terraform v1.3.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.34.0
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/time v0.8.0
+ provider registry.terraform.io/hashicorp/tls v4.0.3
❯ terraform-1.3.2 destroy --auto-approve
module.myvm.module.ssm[0].data.aws_iam_policy.default: Reading...
module.myvm.data.aws_subnet.selected["linux"]: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Reading...
module.myvm.module.vm["linux"].data.aws_ami.default: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Read complete after 0s [id=1903849331]
module.myvm.data.aws_subnet.selected["linux"]: Read complete after 0s [id=subnet-0688e708c48a0f799]
module.myvm.module.vm["linux"].data.aws_ami.default: Read complete after 1s [id=ami-08658d5197becde34]
module.myvm.module.ssm[0].data.aws_iam_policy.default: Read complete after 1s [id=arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore]

Changes to Outputs:
  - instance_ids = [
      - [],
    ] -> null

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.
╷
│ Error: Invalid index
│ 
│   on .terraform/modules/myvm.sg_vm/locals.tf line 5, in locals:
│    5:   this_sg_id = var.create_sg ? resource.aws_security_group.this[0].id : var.security_group_id
│     ├────────────────
│     │ resource.aws_security_group.this is empty tuple
│ 
│ The given key does not identify an element in this collection value: the collection has no elements.

Please reopen the Issue or should we create a new one.

[jkritzen]

It seems, that the state will be handled different since 1.3.0.

Without terraform deploy, the state after the commands above looks like:

{
  "version": 4,
  "terraform_version": "1.3.2",
  "serial": 69,
  "lineage": "1fdb1e16-6375-92f3-8cb5-cf11a3c56bcc",
  "outputs": {},
  "resources": [
    {
      "module": "module.myvm.module.sg_vm[\"linux\"]",
      "mode": "managed",
      "type": "aws_security_group",
      "name": "this",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": []
    }
  ],
  "check_results": [
    {
      "object_kind": "resource",
      "config_addr": "module.myvm.module.ssm.module.aws_s3_bucket_ssm.aws_s3_bucket_server_side_encryption_configuration.this",
      "status": "unknown",
      "objects": null
    },
    {
      "object_kind": "resource",
      "config_addr": "module.myvm.module.ssm.module.aws_s3_bucket_ssm.data.aws_iam_policy_document.elb_log_delivery",
      "status": "unknown",
      "objects": null
    },
    {
      "object_kind": "resource",
      "config_addr": "module.myvm.module.ssm.module.aws_s3_bucket_ssm.data.aws_iam_policy_document.lb_log_delivery",
      "status": "unknown",
      "objects": null
    }
  ]
}

[jkritzen]

❯ terraform-1.2.9 destroy --auto-approve
module.myvm.data.aws_subnet.selected["linux"]: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy.default: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Reading...
module.myvm.module.vm["linux"].data.aws_ami.default: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Read complete after 0s [id=1903849331]
module.myvm.data.aws_subnet.selected["linux"]: Read complete after 0s [id=subnet-0688e708c48a0f799]
module.myvm.module.vm["linux"].data.aws_ami.default: Read complete after 0s [id=ami-08658d5197becde34]
module.myvm.module.ssm[0].data.aws_iam_policy.default: Read complete after 0s [id=arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore]

Changes to Outputs:

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Destroy complete! Resources: 0 destroyed.
❯ cat terraform.tfstate
{
  "version": 4,
  "terraform_version": "1.2.9",
  "serial": 5,
  "lineage": "a3291582-d498-75c8-8b4a-3b3b36f7df9d",
  "outputs": {},
  "resources": []
}

Thanks @jkritzen, let's compile this info in a new issue for investigation, since the original example was fixed by the related patch.

Should i open a new issue?

Done: #32006

[jkritzen]

❯ terraform-1.3.2 destroy --auto-approve
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy.default: Reading...
module.myvm.data.aws_subnet.selected["linux"]: Reading...
module.myvm.module.vm["linux"].data.aws_ami.default: Reading...
module.myvm.module.ssm[0].data.aws_iam_policy_document.assume_role_policy: Read complete after 0s [id=1903849331]
module.myvm.data.aws_subnet.selected["linux"]: Read complete after 0s [id=subnet-0688e708c48a0f799]
module.myvm.module.vm["linux"].data.aws_ami.default: Read complete after 1s [id=ami-08658d5197becde34]
module.myvm.module.ssm[0].data.aws_iam_policy.default: Read complete after 1s [id=arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore]

No changes. No objects need to be destroyed.

Either you have not created any objects yet or the existing objects were already deleted outside of Terraform.
╷
│ Error: Invalid index
│ 
│   on .terraform/modules/myvm.sg_vm/locals.tf line 5, in locals:
│    5:   this_sg_id = var.create_sg ? resource.aws_security_group.this[0].id : var.security_group_id
│     ├────────────────
│     │ resource.aws_security_group.this is empty tuple
│ 
│ The given key does not identify an element in this collection value: the collection has no elements.
╵
❯ cat terraform.tfstate
{
  "version": 4,
  "terraform_version": "1.3.2",
  "serial": 5,
  "lineage": "c682cdc0-1aa6-dc96-a186-6e1148c3c753",
  "outputs": {
    "instance_ids": {
      "value": [
        []
      ],
      "type": [
        "tuple",
        [
          [
            "tuple",
            []
          ]
        ]
      ]
    }
  },
  "resources": [
    {
      "module": "module.myvm.module.sg_vm[\"linux\"]",
      "mode": "managed",
      "type": "aws_security_group",
      "name": "this",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": []
    }
  ],
  "check_results": [
    {
      "object_kind": "resource",
      "config_addr": "module.myvm.module.ssm.module.aws_s3_bucket_ssm.data.aws_iam_policy_document.elb_log_delivery",
      "status": "unknown",
      "objects": null
    },
    {
      "object_kind": "resource",
      "config_addr": "module.myvm.module.ssm.module.aws_s3_bucket_ssm.data.aws_iam_policy_document.lb_log_delivery",
      "status": "unknown",
      "objects": null
    },
    {
      "object_kind": "resource",
      "config_addr": "module.myvm.module.ssm.module.aws_s3_bucket_ssm.aws_s3_bucket_server_side_encryption_configuration.this",
      "status": "unknown",
      "objects": null
    }
  ]
}

[jbardin]

Thanks @jkritzen, let's compile this info in a new issue for investigation, since the original example was fixed by the related patch.

[jkritzen]

Thanks @jkritzen, let's compile this info in a new issue for investigation, since the original example was fixed by the related patch.

Should i open a new issue?

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.