From 0ef7d6dea7e1a6d09a1c75ee14acfb27c538671e Mon Sep 17 00:00:00 2001
From: Alisdair McDiarmid
Date: Fri, 14 Feb 2020 17:20:08 -0500
Subject: [PATCH] terraform: detect null values in for_each sets

Previously, passing `[null, null]` to `for_each` caused a panic. This commit detects this invalid usage and returns an error instead.

Fixes #24047
---
 terraform/eval_for_each.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/terraform/eval_for_each.go b/terraform/eval_for_each.go
index efe0dd9198..599995728c 100644
--- a/terraform/eval_for_each.go
+++ b/terraform/eval_for_each.go
@@ -89,6 +89,22 @@ func evaluateResourceForEachExpressionKnown(expr hcl.Expression, ctx EvalContext
 if !forEachVal.IsWhollyKnown() {
 return map[string]cty.Value{}, false, diags
 }
+
+ // A set of strings may contain null, which makes it impossible to
+ // convert to a map, so we must return an error
+ it := forEachVal.ElementIterator()
+ for it.Next() {
+ item, _ := it.Element()
+ if item.IsNull() {
+ diags = diags.Append(&hcl.Diagnostic{
+ Severity: hcl.DiagError,
+ Summary: "Invalid for_each set argument",
+ Detail: fmt.Sprintf(`The given "for_each" argument value is unsuitable: "for_each" sets must not contain null values.`),
+ Subject: expr.Range().Ptr(),
+ })
+ return nil, true, diags
+ }
+ }
 }
 
 return forEachVal.AsValueMap(), true, nil
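Review bot: No regression test accompanies this fix. The diffstat lists only terraform/eval_for_each.go, so nothing pins that a set such as `[null, null]` now produces the "Invalid for_each set argument" diagnostic instead of crashing on configuration input. A table case that feeds a set of nulls to evaluateResourceForEachExpressionKnown and asserts an error diagnostic would guard against the panic returning. In the added `Detail:` field, `fmt.Sprintf` is called with a constant string and no arguments; assigning the raw string literal directly is simpler and avoids a later `%` in the message being treated as a verb. The enclosing function starts and ends outside the hunk, so whether a null `forEachVal` itself is rejected before this loop cannot be confirmed from here.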