Hi @caldwell2000,
It seems like your goal is to have one `data.azurerm_policy_definition.security_policyset_definitions` instance per element of `local.security_flat`. When you use `for_each`, Terraform needs to know which string to use to uniquely identify each of the instances it will produce, which it does by taking either the keys of the map you provide or the elements of the set of strings you provide.
The upshot of this is that you’ll need to define some sort of unique identifier for each element, which Terraform will then use as the identifier for the corresponding instance. Looking at your declaration of `variable "security_policyset_definitions"`, it seems like there is no suitable identifier there right now: you only have a human-friendly English description of the policy and a non-unique “effect”.
One way to proceed here would be to change the type constraint of `variable "security_policyset_definitions"` to be a map of objects instead, where the map keys will be the unique identifiers for your definitions. Interestingly, I see that you already have a suitable `type` argument commented out in what you shared:
```hcl
type = map(object({
  policy = string
  effect = string
}))
```
If you declare it in that way (and make sure the `default` complies with that new type) you can then use this variable directly as the `for_each`. (It doesn’t seem like you actually need `flatten` here, because the data structure is already a flat map of objects):
```hcl
data "azurerm_policy_definition" "security_policyset_definitions" {
  for_each     = var.security_policyset_definitions
  display_name = each.value.policy
}
```
I’m not familiar with this `azurerm_policy_definition` data source, but it seems like it supports looking up policies both by display name (non-unique) and name (unique). With that said, one design decision you could potentially make here, if the unique names are predictable, is to make the map keys be the unique names in the remote system and use `name = each.key` instead of `display_name = each.value.policy`, though I don’t know if that actually makes sense for what you are trying to achieve here.
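
The map-keyed layout described in this reply, written out end to end as an added example that is not part of the original post. The map keys, display names, effect values and the output name are constructed placeholders, and a configured `azurerm` provider is assumed.

```hcl
variable "security_policyset_definitions" {
  description = "Policies to look up, keyed by a caller-chosen unique identifier."
  type = map(object({
    policy = string
    effect = string
  }))

  # Constructed sample values. The keys must be unique; the "effect" values
  # may repeat because they are no longer used to identify instances.
  default = {
    example_policy_a = {
      policy = "Example policy display name A"
      effect = "Audit"
    }
    example_policy_b = {
      policy = "Example policy display name B"
      effect = "Audit"
    }
  }
}

# One data source instance per map key, for example:
# data.azurerm_policy_definition.security_policyset_definitions["example_policy_a"]
data "azurerm_policy_definition" "security_policyset_definitions" {
  for_each     = var.security_policyset_definitions
  display_name = each.value.policy
}

# Hypothetical output: join each looked-up definition ID back to its
# configured effect through the shared map key.
output "security_policy_definition_ids" {
  value = {
    for key, def in data.azurerm_policy_definition.security_policyset_definitions :
    key => {
      id     = def.id
      effect = var.security_policyset_definitions[key].effect
    }
  }
}
```

Because instance addresses are derived from the map keys, renaming a key changes the address of that instance, while changing only `policy` or `effect` does not.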