Score:0

Is there a way to render the output of a data resource before running terraform apply?


I would like to be able to see the JSON of a data resource (like a policy document) in the plan. Currently these types of resources only "render" during the apply.

I want to know if there is a way to see it before running terraform apply.

Here is my code:

```hcl
data "aws_iam_policy_document" "my_policy" {
  statement {
    sid = "S3"
    effect = "Allow"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.some-bucket.arn,
      "arn:aws:s3:::another-bucket/*",
      "arn:aws:s3:::another-bucket/"
    ]
  }
  statement {
    sid = "CloudWatch"
    effect = "Allow"
    actions = ["logs:*"]
    resources = [
      aws_cloudwatch_log_group.some_lambda.arn,
      "arn:aws:logs:us-east-1:123456789123:log-group:/some/log/group:*",
      "arn:aws:logs:us-east-1:123456789123:log-group:/some/log/group"
    ]
  }
}
```
palvarez
Could you provide the code? Did you use output?
Arrow Root
Sure, I just updated the description. And no, I never used the `terraform output`. In fact, it is the first time I have heard about it.
Score:1

Terraform will read from a data resource during the plan phase if and only if the entire configuration of the data resource is known during the planning phase.

In your case you have references to both aws_s3_bucket.some-bucket.arn and aws_cloudwatch_log_group.some_lambda.arn, and I suspect that neither of those values are known during planning because the remote API decides the ARN for an object as part of creating it.

Therefore the only way to see this policy during planning would be for those two objects to have already been created and so their ARNs already be known from a previous run.

One way to achieve that would be to initially apply only part of your configuration just to get those objects created:

```
terraform apply -target=aws_s3_bucket.some-bucket -target=aws_cloudwatch_log_group.some_lambda
```

Terraform should propose to create those two objects and anything else they depend on, but will not yet read the data resource or anything else that depends on it. If you accept that plan and allow Terraform to create those objects, then you can subsequently run terraform apply as normal and Terraform should then be able to read this data resource during the second planning step and so show you the final value of this policy with the two ARNs already inserted.
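To check which policy documents a saved plan already contains and which are postponed to apply, the following added example (not part of the answer above, and not Terraform's own code) inspects the JSON produced by `terraform plan -out=plan.out` followed by `terraform show -json plan.out`. It assumes that data resources read during planning appear under `prior_state` and that postponed ones appear in `resource_changes` with a `read` action; the sample plan and the `static` data resource are constructed for illustration.

```python
import json

POLICY_TYPE = "aws_iam_policy_document"

def has_unknown(value):
    """True if an after_unknown subtree marks any attribute as unknown."""
    if isinstance(value, dict):
        return any(has_unknown(v) for v in value.values())
    if isinstance(value, list):
        return any(has_unknown(v) for v in value)
    return value is True

def policy_documents(plan):
    """Return (rendered, deferred) for policy-document data resources in a plan."""
    rendered, deferred = {}, {}

    def walk(module):
        # Assumption: data resources read during planning are recorded in prior_state.
        for res in module.get("resources", []):
            if res.get("mode") == "data" and res.get("type") == POLICY_TYPE:
                rendered[res["address"]] = json.loads(res["values"]["json"])
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("prior_state", {}).get("values", {}).get("root_module", {}))
    # A data resource whose read is postponed to apply shows up as a "read" change.
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("mode") == "data" and rc.get("type") == POLICY_TYPE and "read" in change.get("actions", []):
            unknown = change.get("after_unknown", {})
            deferred[rc["address"]] = sorted(k for k, v in unknown.items() if has_unknown(v))
            rendered.pop(rc["address"], None)  # drop a stale copy from an earlier run
    return rendered, deferred

# Constructed, trimmed sample in the shape of `terraform show -json` plan output.
SAMPLE_PLAN = {
    "prior_state": {"values": {"root_module": {"resources": [{
        "address": "data.aws_iam_policy_document.static", "mode": "data", "type": POLICY_TYPE,
        "values": {"json": json.dumps({"Statement": [{"Sid": "S3", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "arn:aws:s3:::another-bucket/*"}]})}}]}}},
    "resource_changes": [{
        "address": "data.aws_iam_policy_document.my_policy", "mode": "data", "type": POLICY_TYPE,
        "change": {"actions": ["read"], "after_unknown": {
            "id": True, "json": True, "statement": [{"resources": True}, {"actions": [False]}]}}}],
}

if __name__ == "__main__":
    rendered, deferred = policy_documents(SAMPLE_PLAN)
    for addr, doc in rendered.items():
        print(f"{addr} (rendered at plan):\n{json.dumps(doc, indent=2)}")
    for addr, attrs in deferred.items():
        print(f"{addr}: deferred to apply, unknown attributes: {', '.join(attrs)}")
```

A non-empty `deferred` result means the final policy JSON cannot be reviewed from this plan and will only exist once the referenced objects have been created.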
