"keys derived from resource attributes" error

I think my problem is similar to Suggestions to implement modules that avoid "keys derived from resource attributes" error

but I’m still struggling with it. The TF module I wrote accepts a var:

variable "sso_groups_supplemental" {
  default = {}
  ### Example:
  # {
  #   "sso-aws-mycorp-marketplace-pc-ace" : {  # AD group name
  #     role : "okta-aws-pc-ace",               # generally matches the first SAML role name
  #     saml_roles : ["okta-aws-pc-ace"]   # probably the IAM role you want to use
  #   }
  # }
  description = "{ <okta_group_name>: { role: <okta_role_name>, saml_roles:[] } "
  type = map(object({
    role       = string,
    saml_roles = list(string)
  }))
}

Because Okta only accepts a group_id in the resource okta_app_group_assignment I have to use a data call to get the group_ids from the group name passed in:

data "okta_group" "sso-groups" {
  for_each = var.sso_groups_supplemental
  name     = each.key
}

I’m trying to import an unrelated resource, but Terraform doesn’t like this data:

 Error: Invalid for_each argument

 on .terraform/modules/okta-aws-admin/okta.tf line 44, in resource "okta_app_group_assignment" "sso-other-groups":
│   44:   for_each = data.okta_group.sso-groups
│     ├────────────────
│     │ data.okta_group.sso-groups will be known only after apply
│
The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.

When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place apply-time results only in the map values.

As far as I can understand what’s going on, the group ids are not derived values except in the sense that I need to look up the group_id from the group name (which was passed in as a variable), which is the whole point of data?

(Here, no value is being passed into var.sso_groups_supplemental so it’s the default {})

I don’t know the keys (group_ids?) ahead of time to statically define them in the TF code. Any ideas what I’m missing here?

This is a weird case of the “unknown for_each” problem that seems to have some subtlety I don’t quite follow yet.

The error message you shared is talking about okta_app_group_assignment.sso-other-groups referring to data.okta_group.sso-groups, and if this is the only error message you’re seeing then two things jump out at me:

  • Terraform didn’t complain about data.okta_group.sso-groups’s for_each referring to var.sso_groups_supplemental, and so it seems like the map being passed into that input variable does have keys that are known during the planning phase.
  • Complaining about unknown keys in data.okta_group.sso-groups is strange then, because if the map keys for data.okta_group.sso-groups’s for_each are known then the map keys for data.okta_group.sso-groups should also be known.

So based only on the information you’ve shared, something isn’t quite adding up here and I’m not sure what to suggest.

Is there anything else in the output from terraform plan that’s relevant to one or both of these resources? For example, does Terraform report that reading data.okta_group.sso-groups must be delayed until the apply phase? If you’re able to share the entire plan output that’d be most helpful, but I understand there’s probably some details in there you’d rather not share in a public place.
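As an added illustration (not from either poster), here is the restructuring the error message itself recommends: keep for_each keyed on the input variable, whose keys are known at plan time, and confine the data-source lookups to the value side. The resource and data source names follow the original post; var.app_id and the profile attribute names are assumptions.

```hcl
# Added example, not from the original thread.
variable "sso_groups_supplemental" {
  default = {}
  type = map(object({
    role       = string,
    saml_roles = list(string)
  }))
}

# One lookup per Okta group name. The keys come from the variable, so the
# set of instances is known during planning even if the group ids are not.
data "okta_group" "sso-groups" {
  for_each = var.sso_groups_supplemental
  name     = each.key
}

# Iterate over the variable (static keys) instead of over the data source.
# If Terraform has to defer reading data.okta_group.sso-groups until apply,
# the whole result is unknown, including its keys; indexing it on the value
# side keeps the unknown part where for_each allows it.
resource "okta_app_group_assignment" "sso-other-groups" {
  for_each = var.sso_groups_supplemental

  app_id   = var.app_id                                 # assumed: the Okta app being assigned
  group_id = data.okta_group.sso-groups[each.key].id    # unknown-until-apply value is fine here

  # Assumed profile attribute names for the AWS SAML app; check your app's schema.
  profile = jsonencode({
    role      = each.value.role
    samlRoles = each.value.saml_roles
  })
}
```

Terraform then plans one assignment per group name in the variable and fills in group_id during apply, rather than refusing to plan because the instance set is unknown.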