Data Block in Terraform Referencing the not created State File in the first run


I have a slightly unique situation while running Terraform. The code is creating resources in Azure, but we have to follow an order in which the resources are created, for example Keys, Identities, Storage, etc. All of these resources have a separate state file. Now, the keys code has a reference to the Identities state file via a data block. My problem is limited to the first ever Terraform plan, when the pipeline runs for the first time. While the plan is running, no resource has been created yet, and hence the data block throws an error. I tried a dummy block using the 'can' function, but that needs a state file to at least be present.

Code block -

data "terraform_remote_state" "identities" {
  count   = fileexists("${var.pattern_output_dir}/identities/identities.terraform.tfstate") ? 1 : 0
  backend = "local"
  config = {
    path = "${var.pattern_output_dir}/identities/identities.terraform.tfstate"
  }
}

This kind of succeeds with the 'fileexists' function. But the problem comes in the reference to the data block -

locals {
  blob_reader_mi_available = length(data.terraform_remote_state.identities) > 0 ? can(data.terraform_remote_state.identities[0].outputs.blob_reader_mi) : false

  dummy_object_id = "bd65600d-8669-4903-8a14-af88203add38"
}

resource "azurerm_key_vault_access_policy" "blob_key_access" {
  count     = local.blob_reader_mi_available ? 1 : 0
  object_id = data.terraform_remote_state.identities[0].outputs.blob_reader_mi
}

resource "azurerm_key_vault_access_policy" "planoutputblob_key_access" {
  count     = local.blob_reader_mi_available ? 0 : 1
  object_id = local.dummy_object_id
}

It's like the chicken-and-egg problem. The first check is for the state file and the second check is for the resource from the state file. This piece isn't working, as it still expects the state file to be populated.

Any suggestions on how to take this forward?

I just want the first Terraform Plan to be successful. Once terraform apply is done, everything falls into place.


There is 1 answer

lxop On

If your resources are all dependent, they should probably be in the same configuration/state file, rather than separate ones. And if you really want/need to have them in separate configurations/state files, then you should be completely deploying each one independently, in the order required by the dependency tree, rather than trying to plan one of the deployments before the resources it depends on are deployed.
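
The deployment order the answer describes, sketched as a pipeline step; this is an added example, not part of the question or the answer. The directory layout, the `TF_BIN` and `STACKS_ROOT` variables, the `--apply` argument and storage's place in the order are assumptions.

```shell
#!/bin/sh
# Apply each Terraform configuration on its own, in dependency order, so that
# no stack is planned before the state files it reads have been written.

TF_BIN="${TF_BIN:-terraform}"     # assumption: overridable for dry runs
STACKS_ROOT="${STACKS_ROOT:-.}"   # assumed layout: $STACKS_ROOT/<stack>/*.tf

# "prerequisite dependent" pairs; a repeated name declares a stack with no edges.
# Only identities -> keys comes from the question; storage's place is assumed.
STACK_EDGES='identities keys
storage storage'

# Print the stacks one per line, prerequisites first (tsort fails on a cycle).
deploy_order() {
  printf '%s\n' "$STACK_EDGES" | tsort
}

# Init, plan and apply a single stack against its own state file.
deploy_stack() {
  dir="$STACKS_ROOT/$1"
  "$TF_BIN" -chdir="$dir" init -input=false &&
  "$TF_BIN" -chdir="$dir" plan -input=false -out=tfplan &&
  "$TF_BIN" -chdir="$dir" apply -input=false tfplan
}

# Deploy every stack in order and stop at the first failure, so a dependent
# stack is never planned against a remote state that does not exist yet.
deploy_all() {
  order=$(deploy_order) || return 1
  for stack in $order; do
    echo "==> $stack"
    deploy_stack "$stack" || { echo "failed: $stack" >&2; return 1; }
  done
}

# Only deploy when asked to, e.g. `sh deploy.sh --apply` in the pipeline.
if [ "${1:-}" = "--apply" ]; then deploy_all; fi
```

With this ordering the `terraform_remote_state` data block in the keys stack needs no `count` guard or dummy object ID, because the identities state already exists by the time keys is planned.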