Dynamic for_each dependency prevents plan/apply with existing network resources #1023
Description
Hi Oracle team,
When using the official module oracle-terraform-modules/terraform-oci-oke (tested on v5.3.0), we encountered a critical issue when provisioning an OKE cluster with pre-existing VCN and subnets.
During terraform plan and terraform apply, the following error occurs:
Error: Invalid for_each argument
│ on modules/workers/data-faultdomains.tf line 5, in data "oci_identity_fault_domains" "all":
│ 5: for_each = var.ad_numbers_to_names
│ ├────────────────
│ │ var.ad_numbers_to_names is a map of string, known only after apply
│
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
This happens because for_each depends on a map only known after other resources are created, blocking full convergence via plan or apply.
Current workaround:
The only way to proceed is to run apply in stages, forcing the cluster creation before the workers, for example:
terraform apply -target=module.oci_oke.module.cluster -auto-approve
terraform apply -auto-approve
But sometimes the error persists for other submodules.
Suggested fix:
Refactor the use of for_each so that map keys are always known at plan time, avoiding dynamic dependencies between resources.
Alternatively, document this limitation and the workaround clearly in the module README until the bug is fixed.
This adjustment is essential for declarative convergence, especially in corporate environments using pre-existing resources.
Thank you for your attention and for the great work!