
The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created

I want to exempt certain policies for an Azure VM. I have the following terraform code to exempt the policies.

It uses locals to identify the scope on which policies should be exempt.

locals {
  exemption_scope = try({
    mg       = length(regexall("(\\/managementGroups\\/)", var.scope)) > 0 ? 1 : 0,
    sub      = length(split("/", var.scope)) == 3 ? 1 : 0,
    rg       = length(regexall("(\\/managementGroups\\/)", var.scope)) < 1 ? length(split("/", var.scope)) == 5 ? 1 : 0 : 0,
    resource = length(split("/", var.scope)) >= 6 ? 1 : 0,
  })

  expires_on = var.expires_on != null ? "${var.expires_on}T23:00:00Z" : null

  metadata = var.metadata != null ? jsonencode(var.metadata) : null

  # generate reference Ids when unknown, assumes the set was created with the initiative module
  policy_definition_reference_ids = length(var.member_definition_names) > 0 ? [for name in var.member_definition_names :
    replace(substr(title(replace(name, "/-|_|\\s/", " ")), 0, 64), "/\\s/", "")
  ] : var.policy_definition_reference_ids

  exemption_id = try(
    azurerm_management_group_policy_exemption.management_group_exemption[0].id,
    azurerm_subscription_policy_exemption.subscription_exemption[0].id,
    azurerm_resource_group_policy_exemption.resource_group_exemption[0].id,
    azurerm_resource_policy_exemption.resource_exemption[0].id,
  "")
}

and the above local is used as shown below

resource "azurerm_management_group_policy_exemption" "management_group_exemption" {
  count                           = local.exemption_scope.mg
  name                            = var.name
  display_name                    = var.display_name
  description                     = var.description
  management_group_id             = var.scope
  policy_assignment_id            = var.policy_assignment_id
  exemption_category              = var.exemption_category
  expires_on                      = local.expires_on
  policy_definition_reference_ids = local.policy_definition_reference_ids
  metadata                        = local.metadata
}

Both the locals and azurerm_management_group_policy_exemption are part of the same module file. And the policy exemption is applied as shown below

module "exemption_jumpbox_sql_vulnerability_assessment" {
  count                           = var.enable_jumpbox == true ? 1 : 0
  source                          = "../policy_exemption"
  name                            = "Exemption - SQL servers on machines should have vulnerability"
  display_name                    = "Exemption - SQL servers on machines should have vulnerability"
  description                     = "Not required for Jumpbox"
  scope                           = module.create_jumbox_vm[0].virtual_machine_id
  policy_assignment_id            = module.security_center.azurerm_subscription_policy_assignment_id
  policy_definition_reference_ids = var.exemption_policy_definition_ids
  exemption_category              = "Waiver"
  depends_on                      = [module.create_jumbox_vm, module.security_center]
}

It works for an existing Azure VM. However, it throws the following error while trying to provision the Azure VM and apply the policy exemption to this Azure VM.

Ideally, module.exemption_jumpbox_sql_vulnerability_assessment should get executed only after module.create_jumbox_vm, as it is defined as a dependency. But I am not sure why it is throwing the error:

│ The "count" value depends on resource attributes that cannot be determined
│ until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only
│ the resources that the count depends on.

I tried to reproduce the scenario in my environment.

resource "azurerm_management_group_policy_exemption" "management_group_exemption" {
  count                           = local.exemption_scope.mg
  name                            = var.name
  display_name                    = var.display_name
  description                     = var.description
  management_group_id             = var.scope
  policy_assignment_id            = var.policy_assignment_id
  exemption_category              = var.exemption_category
  expires_on                      = local.expires_on
  policy_definition_reference_ids = local.policy_definition_reference_ids
  metadata                        = local.metadata
}

locals {
  exemption_scope = try({
        ...
  })
}

Received the same error:

The "count" value depends on resource attributes that cannot be determined
│ until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only
│ the resources that the count depends on.

Referring to local values, the values will be known at apply time only, and not during the apply time. So if it is not dependent on other sources, it will exempt policies, but it is dependent on the VM, which may still be in the process of creation.

So target only the resource that is depended on first, as only when the VM is created can the exemption policy be assigned to that VM. Check count: using-expressions-in-count | Terraform | HashiCorp Developer


Also note that while using the Terraform count argument with Azure Virtual Machines, a NIC resource also has to be created for each Virtual Machine resource.

resource "azurerm_network_interface" "nic" {
  count               = var.vm_count
  name                = "${var.vm_name_pfx}-${count.index}-nic"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  //tags = var.tags

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.internal.id
    private_ip_address_allocation = "Dynamic"
  }
}


Reference: terraform-azurerm-policy-exemptions/examples/count at main · AnsumanBal-MT/terraform-azurerm-policy-exemptions · GitHub
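A refactor that removes the plan-time dependency altogether, as an added example that is not part of the question, the answer or the linked repository: the error occurs because local.exemption_scope is derived (via regexall and split) from var.scope, which is the VM id and therefore unknown until apply. Passing the scope type as a separate literal variable (the name scope_type and the validation block are assumptions of this example) lets every count be computed during plan, while the unknown VM id still flows into resource_id, where unknown values are allowed.

```hcl
# policy_exemption module, variables.tf (assumed layout): the scope *type* is a
# literal passed by the caller, so it is known at plan time even when
# var.scope (the VM id) is only known after the VM has been created.
variable "scope" {
  description = "Resource ID the exemption applies to; may be unknown until apply."
  type        = string
}

variable "scope_type" {
  description = "One of mg, sub, rg, resource. Must be a literal, never derived from scope."
  type        = string

  validation {
    condition     = contains(["mg", "sub", "rg", "resource"], var.scope_type)
    error_message = "scope_type must be one of: mg, sub, rg, resource."
  }
}

locals {
  # Each flag depends only on var.scope_type, a known literal, so Terraform
  # can evaluate every count during plan instead of failing as in the question.
  exemption_scope = {
    mg       = var.scope_type == "mg" ? 1 : 0
    sub      = var.scope_type == "sub" ? 1 : 0
    rg       = var.scope_type == "rg" ? 1 : 0
    resource = var.scope_type == "resource" ? 1 : 0
  }
}

resource "azurerm_resource_policy_exemption" "resource_exemption" {
  count                = local.exemption_scope.resource
  name                 = var.name
  resource_id          = var.scope # an unknown value is fine here; only count must be known
  policy_assignment_id = var.policy_assignment_id
  exemption_category   = var.exemption_category
}

# Caller (root module): scope_type is a literal, so the module count and the
# inner counts are known at plan time; the VM id is resolved at apply.
module "exemption_jumpbox_sql_vulnerability_assessment" {
  count                = var.enable_jumpbox ? 1 : 0
  source               = "../policy_exemption"
  name                 = "Exemption - SQL servers on machines should have vulnerability"
  scope                = module.create_jumbox_vm[0].virtual_machine_id
  scope_type           = "resource"
  policy_assignment_id = module.security_center.azurerm_subscription_policy_assignment_id
  exemption_category   = "Waiver"
}
```

The -target workaround named in the error message (apply module.create_jumbox_vm first, then run a full apply) still works as a one-off, but it has to be repeated on every fresh environment, whereas the refactor keeps a single plan and apply sufficient.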
