Issue with Dynamic Blocks in Terraform Configuration

Terraform
1

Hello,

I am currently facing issues with the usage of dynamic blocks in my Terraform configuration. The dynamic blocks do not seem to be functioning as expected, and I’m encountering an error saying: Required attribute "policy_arn" not specified: An attribute named "policy_arn" is required here

Terraform Configuration:

## vars
variable "sa_namespace_policies_mapping" {
  description = "A mapping between service accounts and their associated namespace and IAM policy ARN."
  type        = map(map(string))
  default     = {}
}

variable "enable_pod_identity" {
  description = "Determines whether to create a Pod Identit for EKS"
  type        = bool
  default     = false
}

##
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["pods.eks.amazonaws.com"]
    }

    actions = [
      "sts:AssumeRole",
      "sts:TagSession"
    ]
  }
}
resource "aws_iam_role" "eks_pod_identity_roles" {
  for_each = toset(keys(var.sa_namespace_policies_mapping))
  name             = "eks-pod-identity_${each.key}"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_eks_pod_identity_association" "pod_identity_association" {
  for_each = var.enable_pod_identity ? var.sa_namespace_policies_mapping : {}

  cluster_name    = var.cluster_name
  service_account = each.key

  dynamic "namespace" {
    for_each = each.value
    content {
      namespace = namespace.key
    }
  }
}

resource "aws_iam_role_policy_attachment" "pod_identity_attachment" {
  for_each = var.enable_pod_identity ? var.sa_namespace_policies_mapping : {}

  role = aws_iam_role.eks_pod_identity_roles[each.key].name

  dynamic "policy" {
    for_each = each.value
    content {
      name        = policy.key
      policy_arn  = policy.value
    }
  }
}


## input:
 enable_pod_identity = true
 sa_namespace_policies_mapping = {
  "service-account" = {
    "default"            = "arn:aws:iam::219219219:policy/sss",
    "kube-system"        = "arn:aws:iam::219219219:policy/abc"
  }
  "another-service-account" = {
    "namespace-1"        = "arn:aws:iam::219219219:policy/def",
    "namespace-2"        = "arn:aws:iam::219219219:policy/ghi"
  }

Errors:

Error: Missing required argument

   on main.tf line 606, in resource "aws_eks_pod_identity_association" "pod_identity_association":
  606: resource "aws_eks_pod_identity_association" "pod_identity_association" {

The argument "role_arn" is required, but no definition was found.

Error: Missing required argument

   on main.tf line 606, in resource "aws_eks_pod_identity_association" "pod_identity_association":
  606: resource "aws_eks_pod_identity_association" "pod_identity_association" {

The argument "namespace" is required, but no definition was found.

Error: Unsupported block type

   on main.tf line 612, in resource "aws_eks_pod_identity_association" "pod_identity_association":
  612:   dynamic "namespace" {

Blocks of type "namespace" are not expected here.

Error: Missing required argument

   on main.tf line 620, in resource "aws_iam_role_policy_attachment" "pod_identity_attachment":
  620: resource "aws_iam_role_policy_attachment" "pod_identity_attachment" {

The argument "policy_arn" is required, but no definition was found.

Error: Unsupported block type

   on main.tf line 625, in resource "aws_iam_role_policy_attachment" "pod_identity_attachment":
  625:   dynamic "policy" {

Blocks of type "policy" are not expected here.

Thank you for your assistance in resolving this issue.

Best regards