I’m facing this issue.
Clearly I cannot accept the alternative solution. So how can I fix my issue?
Error: Invalid for_each argument
│
│ on groups.tf line 4, in module "keycloak_group":
│ 4: for_each = {
│ 5: for role in module.keycloak_saml_role : role.role_id => role }
│ ├────────────────
│ │ module.keycloak_saml_role is object with 6 attributes
│
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place apply-time results only in the map values.
│
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.
You haven’t shown enough of your code to enable much help to be given, so all I can say is that you need to use something other than role.role_id as the keys of your for_each.
It needs to be some string value that is known before Terraform starts to apply the changes.
Indeed… what @maxb is suggesting is the same thing Terraform is trying to suggest in the second paragraph of the error message:
When working with unknown values in for_each, it’s better to define the map keys statically in your configuration and place apply-time results only in the map values.
The role IDs seem to be “apply-time results” here in that the final values for those will be decided by the remote system during the apply step, rather than being chosen by logic within your Terraform configuration.
It is hard to offer a concrete suggestion that will definitely work without seeing more about how this is defined and how that other upstream module is defined. However, the hints in the error message make me suspect that your module "keycloak_saml_role" block also has for_each set on it (making the module.keycloak_saml_role result appear as an object with one attribute for each instance). If that is true then you could try chaining the instances directly, since that module’s result is already compatible with for_each:
for_each = module.keycloak_saml_role
This means that the instance keys for module "keycloak_group" will exactly match the instance keys for module "keycloak_saml_role", which are guaranteed to be known during planning or else you would have seen this same error upstream in the other module block.
There is more detail on this pattern in the Chaining for_each section of the docs.
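Added example, not part of the original posts: the failing and the chained `for_each` forms side by side. Since the poster's modules are not shown, the built-in `terraform_data` resource stands in for them; its `id` is decided during apply, as `role_id` is in the thread. The local `saml_roles` and all resource names are hypothetical.

```hcl
# Added example; stand-ins for the modules in the thread, which are not shown.
terraform {
  required_version = ">= 1.4.0" # terraform_data is built in from 1.4
}

locals {
  # Constructed sample data: keys are written in configuration, so they are
  # known at plan time.
  saml_roles = {
    admin  = { description = "Realm administrators" }
    viewer = { description = "Read-only users" }
  }
}

# Stand-in for module "keycloak_saml_role": one instance per static key.
# Its "id" attribute is only decided during apply.
resource "terraform_data" "saml_role" {
  for_each = local.saml_roles
  input    = each.value.description
}

# Fails at plan time with "Invalid for_each argument": the map keys are
# apply-time ids.
# resource "terraform_data" "group_broken" {
#   for_each = { for role in terraform_data.saml_role : role.id => role }
#   input    = each.value.input
# }

# Chained form: instance keys are "admin" and "viewer"; the apply-time id
# appears only inside a value.
resource "terraform_data" "group" {
  for_each = terraform_data.saml_role
  input = {
    name    = "${each.key}-group"
    role_id = each.value.id
  }
}

output "group_keys" {
  value = keys(terraform_data.group)
}
```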