Team,
I am using the modules to create a Lambda function, an IAM role and policies. It is working fine, but a few of the resources end with cycle errors. The Terraform version and the code are given below.
Version – Terraform v1.3.2
Code:
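module "certissue_lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "7.0.0"

  function_name = "acmpca-certIssue"
  description   = "Acmpca certIssue Transform"
  handler       = "certIssue.lambda_handler"
  runtime       = "python3.9"
  # Seconds. The module variable is a number, so pass it unquoted instead of "60".
  timeout = 60

  # The execution role is created by module "iam_assumable_roles" below, not by
  # this module. NOTE(review): with create_role = false the lambda module's
  # attach_* flags (including attach_cloudwatch_logs_policy) are, as far as I
  # recall, only applied to a role the module creates itself — confirm; if so,
  # CloudWatch Logs permission comes solely from AWSLambdaBasicExecutionRole on
  # the role defined in local.iam_roles.
  create_role = false
  #lambda_role = aws_iam_role.cert_issue_lambda_role.arn
  # The key must match the key declared in local.iam_roles
  # ("cert_issue_lambda_role_test"); the original referenced
  # "ert_issue_lambda_role_test", which does not exist in that map.
  lambda_role = module.iam_assumable_roles["cert_issue_lambda_role_test"].iam_role_arn

  source_path                   = "${path.module}/python/certIssue.py"
  attach_cloudwatch_logs_policy = true
  layers                        = []

  environment_variables = {
    SigningAlgorithm = local.signing_algorithm
    PCAarn           = aws_acmpca_certificate_authority.private_ca_authority.arn
    CSR_PATH         = local.csr_path
    # For aws_sns_topic the id attribute is the topic ARN.
    SNS_TOPIC_ARN = aws_sns_topic.failed_cert_rotation_sns_topic.id
  }

  # NOTE(review): the reported cycle runs through this module's
  # lambda_function_arn output -> module.certcheck_lambda (not in this snippet)
  # -> local.iam_policies -> module.iam_policies -> local.iam_roles ->
  # module.iam_assumable_roles -> lambda_role above. Adding
  # depends_on = [module.iam_policies, module.iam_assumable_roles] here only
  # adds edges to that loop; it has to be broken where a policy document
  # references a function ARN (see the note on local.iam_policies).
  tags = local.tags
}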
module "iam_assumable_roles" {
  # One role per entry of local.iam_roles, keyed by role name.
  for_each = local.iam_roles

  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "v5.41.0"

  create_role       = true
  role_name         = each.key
  role_requires_mfa = false

  # Trust relationship: when create_custom_trust_policy is set the supplied
  # document is used; otherwise the module builds one from the trusted
  # services / ARNs.
  create_custom_role_trust_policy = each.value.create_custom_trust_policy
  custom_role_trust_policy        = each.value.custom_role_trust_policy
  trusted_role_services           = each.value.trusted_role_services
  trusted_role_arns               = each.value.trusted_role_arns

  # Managed policy ARNs attached to the role.
  custom_role_policy_arns = each.value.custom_role_policy_arns

  tags = local.tags
}
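module "iam_policies" {
  # One customer-managed policy per entry of local.iam_policies, keyed by name.
  for_each = local.iam_policies

  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
  version = "v5.41.0"

  name = each.key
  path = "/"
  # local.iam_policies carries a description per policy but the original block
  # never forwarded it; pass it through so the policy is self-describing in IAM.
  description = each.value.description
  policy      = each.value.policy

  tags = local.tags
}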
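locals {
  # Roles consumed by module "iam_assumable_roles" (keyed by role name).
  iam_roles = {
    "cert_issue_lambda_role_test" = {
      # The module variable is a bool; pass a real boolean rather than the
      # string "false" so the intent does not rely on implicit conversion.
      create_custom_trust_policy = false
      custom_role_trust_policy   = ""
      # Only the AWS-managed basic execution policy (CloudWatch Logs) is attached
      # here. The customer policy declared in iam_policies below is not attached
      # to this role in this snippet; if the real configuration attaches it via
      # module.iam_policies[...].arn, that reference is the
      # local.iam_roles -> module.iam_policies edge listed in the cycle error.
      custom_role_policy_arns = [
        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
      ]
      # Trust policy: only the Lambda service may assume this role.
      trusted_role_services = [
        "lambda.amazonaws.com",
      ]
      trusted_role_arns = []
    }
  }

  # Policies consumed by module "iam_policies" (keyed by policy name).
  # NOTE(review): the reported cycle lists local.iam_policies depending on
  # module.certcheck_lambda.output.lambda_function_arn, which is not part of
  # this snippet. A policy whose Resource reads a function ARN from a module
  # that, through its role, depends on these policies closes the loop. Break it
  # by composing that ARN from the known function name
  # ("arn:<PARTITION>:lambda:<REGION>:<ACCOUNT_ID>:function:<FUNCTION_NAME>")
  # instead of reading the module output, or by attaching that statement as a
  # separate policy created after the function.
  iam_policies = {
    "cert_issue_lambda_policy_test" = {
      description = "Cert Issue lambda policy"
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Effect = "Allow"
            Action = [
              "ssm:SendCommand",
              "ssm:GetCommandInvocation",
              "dynamodb:PutItem",
              "acm-pca:IssueCertificate",
              "sns:Publish",
            ]
            # TODO(review): "*" lets this function run SSM commands against any
            # instance/document, write to any DynamoDB table, issue from any CA
            # and publish to any SNS topic. Scope each action to the specific
            # resources the function uses (the private CA, the table, the
            # failed-rotation topic, the target instances) once the cycle is
            # resolved; the ACM PCA and SNS ARNs are already available in this
            # configuration.
            Resource = ["*"]
          }
        ]
      })
    }
  }
}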
Steps to reproduce – `terraform init` and `terraform apply`
Error:
terraform validate
╷
│ Error: Cycle: module.iam_policies.output.path (expand), module.iam_policies.output.arn (expand), module.iam_policies (close), module.iam_policies.output.policy (expand), module.iam_policies.output.name (expand), module.iam_policies.output.description (expand), module.iam_policies.var.path (expand), module.iam_policies.var.name_prefix (expand), module.iam_policies.var.name (expand), module.iam_policies.var.description (expand), module.iam_policies.var.tags (expand), module.iam_policies.var.policy (expand), module.iam_policies.var.create_policy (expand), module.iam_policies.aws_iam_policy.policy, module.iam_assumable_roles.var.custom_role_trust_policy (expand), module.iam_assumable_roles.local.custom_role_trust_policy_condition (expand), module.iam_assumable_roles.var.tags (expand), module.iam_assumable_roles.var.max_session_duration (expand), module.iam_assumable_roles.var.role_permissions_boundary_arn (expand), module.iam_assumable_roles.data.aws_iam_policy_document.assume_role, module.iam_assumable_roles.var.force_detach_policies (expand), module.iam_assumable_roles.var.create_role (expand), module.iam_assumable_roles.var.role_description (expand), module.iam_assumable_roles.var.mfa_age (expand), module.iam_assumable_roles.data.aws_partition.current, module.iam_assumable_roles.local.partition (expand), module.iam_assumable_roles.var.allow_self_assume_role (expand), module.iam_assumable_roles.var.create_custom_role_trust_policy (expand), module.iam_assumable_roles.var.trusted_role_actions (expand), module.iam_assumable_roles.var.role_name_prefix (expand), module.iam_assumable_roles.var.role_name (expand), module.iam_assumable_roles.local.role_name_condition (expand), module.iam_assumable_roles.var.trusted_role_services (expand), module.iam_assumable_roles.var.role_sts_externalid (expand), module.iam_assumable_roles.local.role_sts_externalid (expand), module.iam_assumable_roles.var.role_path (expand), module.iam_assumable_roles.var.trusted_role_arns (expand), 
module.iam_assumable_roles.data.aws_caller_identity.current, module.iam_assumable_roles.local.account_id (expand), module.iam_assumable_roles.var.role_session_name (expand), module.iam_assumable_roles.var.role_requires_session_name (expand), module.iam_assumable_roles.data.aws_iam_policy_document.assume_role_with_mfa, module.iam_assumable_roles.aws_iam_role.this, module.iam_assumable_roles.output.iam_role_arn (expand), module.certissue_lambda.var.lambda_role (expand), module.certissue_lambda.aws_lambda_function.this, module.certissue_lambda.output.lambda_function_arn (expand), module.certcheck_lambda.var.environment_variables (expand), module.certcheck_lambda.aws_lambda_function.this, module.certcheck_lambda.output.lambda_function_arn (expand), local.iam_policies (expand), module.iam_policies (expand), module.iam_policies.output.id (expand), local.iam_roles (expand), module.iam_assumable_roles (expand), module.iam_assumable_roles.var.role_requires_mfa (expand)
│
I’ve tried adding `depends_on`, but no luck. Any suggestions?
On the lambda module: `depends_on = [module.iam_policies, module.iam_assumable_roles]`