Invalid error with module_variable_optional_attrs

[Derek-Ashmore]

I get invalid error reports when using the "optional" experimental feature with complex map inputs. The value supplied should be valid. I realize this feature is experimental, but thought you would like to know. A minimal repo that reproduces this error can be found here. The variable declaration with the "optional" feature usage that errs out whenever the ipsec_policy attribute is used is the following:

variable "vpn_site_list" {
    type = map(object({
        onprem_address_space    = string
        device_vendor           = string
        device_provider         = string
        links                   = map(object({
            preshared_key_secret    = string
            onprem_gateway_address  = string
            ipsec_policy            = optional(map(object({
                saLifeTimeSeconds   = number
                saDataSizeKilobytes = number
                ipsecEncryption         = string
                ipsecIntegrity          = string
                ikeEncryption           = string
                ikeIntegrity            = string
                dhGroup                 = string
                pfsGroup                = string
            })))
        }))
    }))
}

I've noticed the following:

• The error only appears when I supply a value for the optional ipsec_policy attribute.
• The error appears whether or not I supply variable validations
• the error messages indicate different fields on different runs with no changes in between (see description below)

Version and local run commands below. Please feel free to contact me if you have questions. Thanks for looking at this.

Error Description

This configuration doesn't have an input error, but one is reported anyway. Furthermore, the error is inconsistent.
Running the apply several times, I received the three different error messages below although the input should be viewed as valid.

The given value is not valid for variable "vpn_site_list": element
"vpn-test-site-ipsec": attribute "device_provider": string required.

The given value is not valid for variable "vpn_site_list": element
"vpn-test-site-ipsec": attribute "device_vendor": string required.

The given value is not valid for variable "vpn_site_list": element
"vpn-test-site-ipsec": attribute "onprem_address_space": string required.

Versions

Terriform version == 0.14.2
The experimental feature module_variable_optional_attrs is turned on.

Local run commands

terraform init
terraform apply -var-file=environments/valid-multiple-entries.tfvars -auto-approve

[mildwonkey]

Hi @Derek-Ashmore !
The problem is in your configuration: You've declared that the ipsec_policy is a map of objects, but only provided a single object:

                ipsec_policy            = {                         # This attribute is *optional*  
                    saLifeTimeSeconds       = 3600,
                    saDataSizeKilobytes     = 2048,
                    ipsecEncryption         = "GCMAES256",
                    ipsecIntegrity          = "GCMAES256",
                    ikeEncryption           = "GCMAES256",
                    ikeIntegrity            = "SHA256",
                    dhGroup                 = "DHGroup14",
                    pfsGroup                = "None"
                }

You need to either update the definition of ipsec_policy to be just an object, or include a map key:

                ipsec_policy            = {                         # This attribute is *optional*  
                   mypolicy = {                                       # now it's a map
                        saLifeTimeSeconds       = 3600,
                        saDataSizeKilobytes     = 2048,
                        ipsecEncryption         = "GCMAES256",
                        ipsecIntegrity          = "GCMAES256",
                        ikeEncryption           = "GCMAES256",
                        ikeIntegrity            = "SHA256",
                        dhGroup                 = "DHGroup14",
                        pfsGroup                = "None"
                    }
                }

I've confirmed both options apply successfully in your example repository - thank you so much for providing that! - so I am going to close this issue.

[Derek-Ashmore]

My bad -- thanks for finding the error in my ways. Sorry for the hassle.

[mildwonkey]

You're welcome, and no worries! It was very sneaky, not at all obvious, and we know those error messages are rarely clear enough

[apparentlymart]

For what it's worth, I believe the particularly-odd behavior of randomly complaining about different attributes will be fixed by the upstream change zclconf/go-cty#78, once it's included in an upstream release and then upgraded in Terraform. #27010 is the issue tracking the Terraform manifestation of it.

This situation would still be an error for the reason @mildwonkey noted, but it should soon be a correct error, rather than a misleading one!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.