Error: Cross-package move statement with v4.10.0 #182

Closed
AmitKumarDas opened this issue Jan 21, 2022 · 2 comments
@AmitKumarDas

Description

We believe this change breaks existing setups. The issue is reproducible consistently. Pinning the version to 4.9.0 avoids the issue.

Versions

  • Terraform: 1.1.3
  • Provider(s): ~> 4.7
  • Module: ~> 4.7

Reproduction

Steps to reproduce the behavior:

  • Are you using workspaces?
    • YES
  • Have you cleared the local cache (see Notice section above)?
    • No. The CI CD setups are recreated
  • List steps in order that led up to the issue you encountered
    • terraform init -reconfigure
    • terraform plan -lock=false

Code Snippet to Reproduce

The impacted module configuration (./iam_sa.tf) looks like the following:

module "iam_iam-assumable-role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "~> 4.7"

  trusted_role_arns = [
    "arn:aws:iam::xxxx:xxxx",
  ]

  role_requires_mfa       = false
  custom_role_policy_arns = [aws_iam_policy.backstage.arn]

  create_role = true

  role_name = local.backstage-role-name
}

Expected behavior

terraform plan -lock=false should work without issues

Actual behavior

While the above configuration was working fine for the last 20 days, it started to break on 20th Jan 2022 in our CI CD pipelines.
The pipelines reported a bunch of the errors below:

╷
│ Error: Cross-package move statement
│ 
│   on .terraform/modules/iam_iam-assumable-role/modules/iam-assumable-role/main.tf line 6, in data "aws_iam_policy_document" "assume_role":
│    6:   count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 0 : 1
│ 
│ This statement declares a move from an object declared in external module
│ package
│ "registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-assumable-role".
│ Move statements can be only within a single module package.
╵

Terminal Output Screenshot(s)

terraform init -reconfigure
/home/runner/work/_temp/e980b45d-6fb2-49c5-afd9-a12d2809c9d1/terraform-bin init -reconfigure
Initializing modules...
- bastion in modules/bastion
- cloudtrail in modules/cloudtrail
- eks in modules/eks
Downloading registry.terraform.io/terraform-aws-modules/iam/aws 4.9.0 for iam...
- iam in .terraform/modules/iam
Downloading registry.terraform.io/terraform-aws-modules/iam/aws 4.10.0 for iam_iam-assumable-role...
- iam_iam-assumable-role in .terraform/modules/iam_iam-assumable-role/modules/iam-assumable-role
- network in modules/network

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
╷
│ Error: Cross-package move statement
│ 
│   on .terraform/modules/iam_iam-assumable-role/modules/iam-assumable-role/main.tf line 6, in data "aws_iam_policy_document" "assume_role":
│    6:   count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 0 : 1
│ 
│ This statement declares a move from an object declared in external module
│ package
│ "registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-assumable-role".
│ Move statements can be only within a single module package.
╵
╷
│ Error: Cross-package move statement
│ 
│   on .terraform/modules/iam_iam-assumable-role/modules/iam-assumable-role/main.tf line 6, in data "aws_iam_policy_document" "assume_role":
│    6:   count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 0 : 1
│ 
│ This statement declares a move to an object declared in external module
│ package
│ "registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-assumable-role".
│ Move statements can be only within a single module package.
╵
╷
│ Error: Cross-package move statement
│ 
│   on .terraform/modules/iam_iam-assumable-role/modules/iam-assumable-role/main.tf line 35, in data "aws_iam_policy_document" "assume_role_with_mfa":
│   35:   count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 1 : 0
│ 
│ This statement declares a move from an object declared in external module
│ package
│ "registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-assumable-role".
│ Move statements can be only within a single module package.
╵
╷
│ Error: Cross-package move statement
│ 
│   on .terraform/modules/iam_iam-assumable-role/modules/iam-assumable-role/main.tf line 35, in data "aws_iam_policy_document" "assume_role_with_mfa":
│   35:   count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 1 : 0
│ 
│ This statement declares a move to an object declared in external module
│ package
│ "registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-assumable-role".
│ Move statements can be only within a single module package.
╵

Additional context

Our terraform folder structure looks something like below:

$ tree
.
├── Makefile
├── constants.tf
├── iam_policies
│   ├── alb-ingress-controller.json
│   ├── cluster-autoscaler.json
│   ├── ebs-csi-driver.json
│   ├── external-dns.json
│   └── prometheus-aws-limits-exporter.json
├── iam_sa.tf
├── main.tf
├── modules
│   ├── bastion
│   │   ├── bastion_templates.tf
│   │   ├── host.tf
│   │   ├── output.tf
│   │   ├── sync-users.sh
│   │   └── variables.tf
│   ├── cloudtrail
│   │   └── cloudtrail.tf
│   ├── eks
│   │   ├── eks.tf
│   │   ├── iam.tf
│   │   ├── iam_sa.tf
│   │   ├── output.tf
│   │   ├── templates
│   │   │   └── oidc_assume_role_policy.json
│   │   └── variables.tf
│   └── network
│       ├── constants.tf
│       ├── gateways.tf
│       ├── output.tf
│       ├── peerings.tf
│       ├── route_tables.tf
│       ├── subnets.tf
│       ├── variables.tf
│       ├── vpc.tf
│       └── vpn.tf
└── system-test.tf

@antonbabenko
Member

Please upgrade Terraform to 1.1.4 where this core issue was fixed. I am pretty sure it is not related to the module itself.

https://github.com/hashicorp/terraform/blob/v1.1/CHANGELOG.md#114-january-19-2022
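
The init log in the report shows the same registry source resolving to 4.9.0 for one module call and 4.10.0 for another under the floating `~> 4.7` constraint. As an added example (not part of the original thread or the module's code), a CI check that parses `terraform init` output and flags resolved module versions that differ from a reviewed set; the `EXPECTED` map and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: module lines taken from the init log quoted in this issue.
INIT_LOG = """\
Initializing modules...
- bastion in modules/bastion
Downloading registry.terraform.io/terraform-aws-modules/iam/aws 4.9.0 for iam...
- iam in .terraform/modules/iam
Downloading registry.terraform.io/terraform-aws-modules/iam/aws 4.10.0 for iam_iam-assumable-role...
- iam_iam-assumable-role in .terraform/modules/iam_iam-assumable-role/modules/iam-assumable-role
"""

# "Downloading <source> <version> for <module call name>..."
DOWNLOAD_RE = re.compile(r"^Downloading (\S+) (\d+\.\d+\.\d+\S*) for (\S+?)\.\.\.$")

def resolved_modules(log):
    """Return {module_call_name: (source, version)} from `terraform init` output."""
    found = {}
    for line in log.splitlines():
        m = DOWNLOAD_RE.match(line.strip())
        if m:
            source, version, name = m.groups()
            found[name] = (source, version)
    return found

def check(log, expected):
    """Compare resolved versions with the reviewed ones; return a list of findings."""
    findings = []
    by_source = defaultdict(set)
    for name, (source, version) in resolved_modules(log).items():
        by_source[source].add(version)
        want = expected.get(name)
        if want is None:
            findings.append(f"{name}: {source} {version} has no reviewed version")
        elif version != want:
            findings.append(f"{name}: resolved {version}, reviewed {want}")
    # One source resolving to several versions means a floating constraint moved.
    for source, versions in by_source.items():
        if len(versions) > 1:
            findings.append(f"{source}: mixed versions {sorted(versions)}")
    return findings

# Hypothetical allowlist: the versions this team last reviewed.
EXPECTED = {"iam": "4.9.0", "iam_iam-assumable-role": "4.9.0"}

if __name__ == "__main__":
    for finding in check(INIT_LOG, EXPECTED):
        print("DRIFT:", finding)
```
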
