
Can't add accounts not known at plan-time #8

Open
spar-eag opened this issue Apr 3, 2024 · 1 comment

Comments

@spar-eag (Contributor) commented Apr 3, 2024

I'm using Terraform and aws_organizations_account to create new AWS accounts in my organization, and then want to create groups and permissionsets using this module, associating them with the accounts to be created, in a single terraform apply run.

However, this does not currently work, because the IDs of the accounts are not known until the apply has been performed, so terraform can not create the aws_ssoadmin_account_assignment here as for_each does not work with sets that contain values that are unknown in the plan phase (Error: The "for_each" set includes values derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.)

A solution is to, instead of a list of accounts, have a map from e.g. account name (which is known at apply time) to account id (which is not known), and use the account name, rather than the id, as the resource key when creating the account associations.

A workaround is to not pass any accounts to the module, and create the aws_ssoadmin_account_assignments myself in this manner outside the module. However, it would be nice to have support for this in the module itself.

One solution might be to e.g. add an accounts_map input to the module, and use the keys and values from there if it is defined, instead of the accounts input. This would keep the module backwards compatible. We would then have something like

module "group" {
  ...
  accounts_map = { "dev": 1234567890, "prod": 2345678901, ...}
}

If this seems like an acceptable change, I could open a PR to implement it.
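The pattern proposed above, written out as an added example (this is not the module's own code, and the variable names `var.accounts`, `var.permission_set_arn`, `var.group_id` and `local.sso_instance_arn` are assumptions for illustration). It keeps the `for_each` key set decidable at plan time by keying on the account name, while the account ID, which only exists after apply, is used purely as an attribute value:

```hcl
# Added example, not the module's code. Account names and e-mails below are
# constructed sample values.
variable "accounts" {
  description = "Account name (known at plan time) => account e-mail"
  type        = map(string)
  default = {
    dev  = "aws-dev@example.com"
    prod = "aws-prod@example.com"
  }
}

# Keys are the literal names from var.accounts, so Terraform can enumerate the
# instances during plan; the resulting account IDs are unknown until apply.
resource "aws_organizations_account" "this" {
  for_each = var.accounts
  name     = each.key
  email    = each.value
}

# Map from known key (name) to unknown value (ID). The key set is fixed at
# plan time even though every value is still unknown.
locals {
  accounts_map = {
    for name, acct in aws_organizations_account.this : name => acct.id
  }
}

# This is the form the issue describes as failing: the set's elements are the
# unknown IDs themselves, so Terraform cannot determine the instance keys.
#
#   for_each = toset([for acct in aws_organizations_account.this : acct.id])
#
# Keying on the name instead lets accounts and assignments be created in a
# single apply.
resource "aws_ssoadmin_account_assignment" "group" {
  for_each = local.accounts_map

  instance_arn       = local.sso_instance_arn  # assumed: IAM Identity Center instance ARN
  permission_set_arn = var.permission_set_arn  # assumed input
  principal_id       = var.group_id            # assumed: Identity Store group ID
  principal_type     = "GROUP"
  target_id          = each.value              # account ID, resolved at apply time
  target_type        = "AWS_ACCOUNT"
}
```

The important property is that an unknown value may appear in a resource's attributes but never in the keys of its `for_each`; an `accounts_map` input of the shape `{ name = id }` gives the module exactly that separation.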

@chtakahashi (Contributor) commented:

Hi @spar-eag, I like the idea for this change. Your line of reasoning for this is similar to why I put the configuration for users the way that I did:

  users = {
    # A for expression producing key => value pairs must be wrapped in {} to
    # build a map; user_name is known at plan time, user_id only after apply.
    for user in aws_identitystore_user.user : user.user_name => user.user_id
  }

this let me avoid having two applies as well.

Please feel free to submit a PR!
