Converting set to list - Unpredictable number of elements

Terraform v0.13.7

Hi,

I’m trying to move from version 2.70.0 to version 3.X of the AWS provider plug-in. That entails dealing with a change in the domain_validation_options attribute of aws_acm_certificate, which becomes a set rather than a list.

I have code managing a certificate with 3 SANs in addition to the main certificate name. With version 2.70.0 of the AWS provider plug-in, as expected, this produces a four-element list, as can be seen in this output from a terraform show -json planfile:

                "domain_validation_options": [
                  {
                    "domain_name": "example.net",
                    "resource_record_name": "blah-1.example.net.",
                    "resource_record_type": "CNAME",
                    "resource_record_value": "blah-1.acm-validations.aws."
                  },
                  {
                    "domain_name": "*.a.example.net",
                    "resource_record_name": "blah-2.a.example.net.",
                    "resource_record_type": "CNAME",
                    "resource_record_value": "blah-2.acm-validations.aws."
                  },
                  {
                    "domain_name": "*.b.example.net",
                    "resource_record_name": "blah-3.b.example.net.",
                    "resource_record_type": "CNAME",
                    "resource_record_value": "blah-3.acm-validations.aws."
                  },
                  {
                    "domain_name": "*.c.example.net",
                    "resource_record_name": "blah-4.c.example.net.",
                    "resource_record_type": "CNAME",
                    "resource_record_value": "blah-4.acm-validations.aws."
                  }
                ],

Also as expected, I can address each one of these list elements by its index, e.g.:

aws_acm_certificate.sslcert.domain_validation_options[0]

When I install a 3.X version of the plug-in, however, a set is returned. I am trying to make things easy by converting it to a list with the tolist() function. That returns a lexicographically ordered list–which is expected.

                "domain_validation_options": [
                  {
                    "domain_name": "*.a.example.net",
                    "resource_record_name": "blah-2.a.example.net.",
                    "resource_record_type": "CNAME",
                    "resource_record_value": "blah-2.acm-validations.aws."
                  },
                  {
                    "domain_name": "*.b.example.net",
                    "resource_record_name": "blah-3.b.example.net.",
                    "resource_record_type": "CNAME",
                    "resource_record_value": "blah-3.acm-validations.aws."
                  },
                  {
                    "domain_name": "*.c.example.net",
                    "resource_record_name": "blah-4.c.example.net.",
                    "resource_record_type": "CNAME",
                    "resource_record_value": "blah-4.acm-validations.aws."
                  },
                 {
                    "domain_name": "example.net",
                    "resource_record_name": "blah-1.example.net.",
                    "resource_record_type": "CNAME",
                    "resource_record_value": "blah-1.acm-validations.aws."
                  },
                ],

What is unexpected is Terraform reports that it is a two-element rather than a four-element list. When I try to access what appears to be the last element in the second terraform show -json planfile output quoted above (“domain_name”: “example.net”), it gives me the following error:

  on common/certificate/certificate.tf line 14, in locals:
  14:   vopt = tolist(aws_acm_certificate.sslcert.domain_validation_options)[3]

aws_acm_certificate.sslcert.domain_validation_options is set of object with 2 elements

Can anyone help me understand why this is happening? And is there a more reliable way to inspect variables than browsing the output of terraform show -json planfile?

Thanks!