for_each fails when the number of resources should be known #37

Closed
jsimoni opened this issue Apr 8, 2022 · 1 comment
jsimoni commented Apr 8, 2022

Description

I am getting the following error message when the number of resources to create is known at plan:

│ The "for_each" value depends on resource attributes that cannot be
│ determined until apply, so Terraform cannot predict how many instances will
│ be created. To work around this, use the -target argument to first apply
│ only the resources that the for_each depends on.
  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]:

  • Terraform version:
    Terraform v1.1.7

  • Provider version(s):
    registry.terraform.io/hashicorp/aws v4.4.0

Reproduction Code [Required]

data "aws_organizations_organization" "this" {}

locals {
  account_id_list = data.aws_organizations_organization.this.accounts
}

module "permissionset" {
  source = "../../..//modules/permissionset"

  permission_set_name        = "name"
  permission_set_description = "description"
  awssso_instance_arn        = var.awsinstance_arn
  managed_policies_to_attach = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}

locals {
  account_permissionset_product = setproduct(var.account_id_list[*].id, var.permission_set_arn_list)
}

# associate the group to the permission set(s) & account(s)
resource "aws_ssoadmin_account_assignment" "group_permissionset_account_assignments" {
  for_each = {
    for association in local.account_permissionset_product : "${association[0]}-${association[1]}" => {
      account_id         = association[0]
      permission_set_arn = association[1]
    }
  }
  instance_arn       = var.awssso_instance_arn
  permission_set_arn = each.value.permission_set_arn

  principal_id   = data.aws_identitystore_group.awssso_group.group_id
  principal_type = "GROUP"

  target_id   = sensitive(each.value.account_id)
  target_type = "AWS_ACCOUNT"
}

Steps to reproduce the behavior:

terraform apply

Expected behavior

AWS SSO Group would be successfully assigned with the specified Accounts and Permission Sets

Actual behavior

│ The "for_each" value depends on resource attributes that cannot be
│ determined until apply, so Terraform cannot predict how many instances will
│ be created. To work around this, use the -target argument to first apply
│ only the resources that the for_each depends on.

Terminal Output Screenshot(s)

Additional context

If I use -target as suggested elsewhere (4149) to provision the permission set first, then the assignments work. However, the explanations I've seen for this error are that Terraform is unable to determine the number of resources to provision at plan, so it fails. But in this case, while the ARN of the permission set would be unknown, Terraform can determine the number of assignments to create.

jsimoni closed this as completed Apr 12, 2022
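
Added example, not part of the original issue or the module's code: `for_each` needs every map key known at plan time, while map values may stay unknown until apply. The sketch below keys each assignment on the account ID and a static permission set name instead of the ARN, assuming the ARNs come from a permission set created in the same apply as the issue describes; the variable names, resource labels and the `view-only` name are assumptions for illustration.

```hcl
# Hypothetical inputs (not from the issue): all known at plan time.
variable "instance_arn" { type = string }
variable "principal_id" { type = string }      # identity store group ID
variable "account_ids"  { type = set(string) } # target AWS account IDs

resource "aws_ssoadmin_permission_set" "view_only" {
  name         = "view-only"
  instance_arn = var.instance_arn
}

locals {
  # Keys are static names; values are ARNs that are unknown until apply.
  permission_sets = {
    "view-only" = aws_ssoadmin_permission_set.view_only.arn
  }

  # Build the account x permission-set product from the KNOWN names only,
  # then look the (possibly unknown) ARN up as a value.
  assignments = {
    for pair in setproduct(var.account_ids, keys(local.permission_sets)) :
    "${pair[0]}-${pair[1]}" => {
      account_id         = pair[0]
      permission_set_arn = local.permission_sets[pair[1]]
    }
  }
}

resource "aws_ssoadmin_account_assignment" "group" {
  # Every key is known at plan, so Terraform can count the instances.
  for_each = local.assignments

  instance_arn       = var.instance_arn
  permission_set_arn = each.value.permission_set_arn
  principal_id       = var.principal_id
  principal_type     = "GROUP"
  target_id          = each.value.account_id
  target_type        = "AWS_ACCOUNT"
}
```

With this shape, `terraform plan` can enumerate the assignment instances even while the permission set ARN is still shown as known after apply.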
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2022