I am trying to deploy a role using the module terraform-aws-modules/iam/aws//modules/iam-assumable-role.
Here I need to set it up so that every user’s ARN from a group is trusted, so I wrote this structure:
data "aws_iam_group" "developers" {
  count      = local.only_in_dev
  group_name = "Developers"
}
data "aws_iam_user" "developers_users" {
  for_each  = { for user in data.aws_iam_group.developers[0].users : user.user_name => user }
  user_name = each.key
}
module "iam_assumable_role_access_to_eks_dev" {
  count             = local.only_in_dev
  source            = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  trusted_role_arns = [for user in data.aws_iam_user.developers_users : user.arn]
  ...
}
And it worked!
But the group “developers” exists only in dev. So when I applied this code for prod, I got an error. After that I added count = local.only_in_dev to the developers_users and also got an error because it is not possible to use both for_each and count.
The only solution I see for this problem is to create a group “Developers” in prod that will contain no users, but it is bad practice I think.
So what could you recommend for me?
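
One way to make the user lookup collapse to nothing in prod without a placeholder group, as an added example that is not part of the original post. It assumes `local.only_in_dev` is 1 in dev and 0 elsewhere; `var.environment` is a hypothetical input used only to define it here.

```hcl
# Assumption: only_in_dev is 1 in dev and 0 everywhere else.
# var.environment is a hypothetical variable for this example.
variable "environment" { type = string }

locals {
  only_in_dev = var.environment == "dev" ? 1 : 0
}

data "aws_iam_group" "developers" {
  count      = local.only_in_dev
  group_name = "Developers"
}

data "aws_iam_user" "developers_users" {
  # The splat [*] yields an empty list when count is 0, so for_each becomes
  # an empty map in prod and nothing indexes [0] on a group that was never read.
  for_each = {
    for user in flatten(data.aws_iam_group.developers[*].users) :
    user.user_name => user
  }
  user_name = each.key
}

module "iam_assumable_role_access_to_eks_dev" {
  count  = local.only_in_dev
  source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"

  # Empty in prod, where the module is not instantiated anyway.
  trusted_role_arns = [for user in data.aws_iam_user.developers_users : user.arn]
  # remaining module arguments unchanged from the original post
}
```

The `users` objects returned by the `aws_iam_group` data source already carry an `arn` attribute, so the second data source can be replaced by `flatten(data.aws_iam_group.developers[*].users)[*].arn`. Because the trust policy follows group membership at apply time, a user added to the group gains the ability to assume the role on the next apply, so group membership changes deserve the same review as the role itself.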