With 0.3.1, when tearing down the module, getting an error on terraform_iam_policy output

[apogrebnyak]

Version: 0.3.1

After this change 7290218#diff-c09d00f135e3672d079ff6e0556d957d deletion of the module fails with

Error: Invalid index

  on .terraform/modules/remote_state/terraform-aws-remote-state-s3-backend-0.3.1/outputs.tf line 23, in output "terraform_iam_policy":
  23:   value       = var.terraform_iam_policy_create ? aws_iam_policy.terraform[0] : null
    |----------------
    | aws_iam_policy.terraform is empty tuple

The given key does not identify an element in this collection value.

Before that change nothing was accessed by index.

Looks like changing output to this fixes the error

output "terraform_iam_policy" {
  description = "The IAM Policy to access remote state environment."
  value       = var.terraform_iam_policy_create ? (
        length(aws_iam_policy.terraform) == 0 ? null : aws_iam_policy.terraform[0]
      ) : null
}

[nozaq]

Thank you for the report.

Hmm, it couldn't be reproduced on my side.
I tried terraform apply then terraform destroy in my testing account, but that was successful without any errors.

[apogrebnyak]

The issue arises with using terraform_iam_policy in outputs of calling code.

Also, just verified that the problem still exists in 0.4.0 version

Here is the one-pager that demonstrates the problem

locals {
  common_prefix = "test-deploy"
}

terraform {
  required_version = ">= 0.12.24"
}

provider "aws" {
  version = ">= 2.65.0"
}

provider "aws" {
  version = ">= 2.65.0"

  alias = "replica"
}

module "remote_state" {
  source = "nozaq/remote-state-s3-backend/aws"
  version = "0.4.0"

  providers = {
    aws         = aws
    aws.replica = aws.replica
  }

  dynamodb_table_name = "${local.common_prefix}-lock"

  noncurrent_version_transitions = []
  noncurrent_version_expiration = {
    days = 90
  }

  state_bucket_prefix = "${local.common_prefix}-bucket-"
  replica_bucket_prefix = "${local.common_prefix}-replica-"

  terraform_iam_policy_name_prefix = "test--state-access-"
}

output "terraform_iam_policy" {
  value = module.remote_state.terraform_iam_policy
  description = "The IAM Policy to access remote state environment."
}

If you comment out the last output statement the error is not raised on destroy

[mattwillsher]

I'm using TF 0.13.4 and also can't reproduce, even when outputting module.remote_state.terraform_iam_policy.arn.
From your code, I wonder if your issue is that the replica is in the same region as the source bucket?

[apogrebnyak]

I'm using TF 0.13.4 and also can't reproduce, even when outputting module.remote_state.terraform_iam_policy.arn.
From your code, I wonder if your issue is that the replica is in the same region as the source bucket?

Is it not supported configuration?

[mattwillsher]

I've not double checked the actual code, but the README says:

Two providers must point to different AWS regions.

[apogrebnyak]

Two providers must point to different AWS regions.

What is the issue with pointing to the same region? I think requiring a replica in a different region is an overkill.

[mattwillsher]

Perhaps, and it may be unrelated to your issue. I quite like the level of overkill in this module, given it's storing the state. Losing state files keeps me awake at night :)

Could you test and see if it does solve your issue?