Execution fails when using `vpc_attachments[].vpc_route_table_ids`

[Jarodiv]

Description

ℹ️ This is a copy of #100 which was closed automatically while still valid.

Trying to add routes to Route Tables provided via vpc_attachments[].vpc_route_table_ids results in Terraform failing with an error message.

• ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]: 2.8.2
• Terraform version:

  Terraform v1.3.7
  on darwin_arm64
  

• Provider version(s):

  provider registry.terraform.io/hashicorp/aws v4.46.0
  

Reproduction Code [Required]

Everything it needs is to configure IPv6 and provide VPC Route Tables:

module "my_vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 3.0"

  name = "my-vpc"
  cidr = "10.1.0.0/16"

  azs             = ["${local.region}a", "${local.region}b"]
  private_subnets = ["10.1.1.0/24", "10.1.2.0/24"]
  public_subnets  = ["10.1.101.0/24", "10.1.102.0/24"]

  enable_nat_gateway = false
}

module "my_tgw" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  version = "~> 2.0"

  name = "my-tgw"

  vpc_attachments = {
    vpc = {
      vpc_id     = module.my_vpc.vpc_id
      subnet_ids = module.my_vpc.private_subnets

      tgw_destination_cidr = "0.0.0.0/0"
      vpc_route_table_ids  = module.my_vpc.private_route_table_ids
    },
  }
}

Expected behavior

The code runs and routes are being created.

Actual behavior

The code fails with

╷
│ Error: Invalid for_each argument
│ 
│   on .terraform/modules/my_tgw/main.tf line 112, in resource "aws_route" "this":
│  112:   for_each = { for x in local.vpc_route_table_destination_cidr : x.rtb_id => x.cidr }
│     ├────────────────
│     │ local.vpc_route_table_destination_cidr will be known only after apply
│ 
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
│ 
│ When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place apply-time results only in the map values.
│ 
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.
╵

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[Jarodiv]

"Keep alive" post

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[Jarodiv]

"Keep alive" post

[timroh]

Can confirm, we have the same issue.
A two-step apply seems to be the best workaround right now.

[LuckyDucky583]

Same here, it does work when replacing the for_each statement with a count, but the trade-off isn't worth it in our opinion.

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[Jarodiv]

"Keep alive" post

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days