Accessing resources through terraform_remote_state data source doesn't work as documented

[shorn....@gmail.com]

The TF doco seems to imply that I can refer directly to resources through terraform_remote_state data source, but I can't make it work.

I'm following the example from the terraform_remote_state command (but using state stored on local file system):

data "terraform_remote_state" "vpc" {
    backend = "atlas"
    config {
        name = "hashicorp/vpc-prod"
    }
}

resource "aws_instance" "foo" {
    # ...
    subnet_id = "${data.terraform_remote_state.vpc.subnet_id}"
}

When I try to follow that example, it doesn't work:

data "terraform_remote_state" "dev2" {

  backend = "local"

  config {

    path = "${path.module}/../../../../terraform.tfstate"

  }

}

resource "aws_lambda_function" "sto-test-lambda" {

...

  role = "${data.terraform_remote_state.dev2.aws_iam_role.dev-cloudwatch-lambda-role.arn}"

...
}

I get the error:

* Resource 'data.terraform_remote_state.dev2' does not have attribute 'aws_iam_role.dev-cloudwatch-lambda-role.arn' for variable 'data.terraform_remote_state.dev2.aws_iam_role.dev-cloudwatch-lambda-role.arn'

If however, I define the data I want as an output (and apply), then it works.

So in the "dev2" state I define the output as:

output "dev-cloudwatch-lambda-role-arn" {

  value = "${aws_iam_role.dev-cloudwatch-lambda-role.arn}"

}

And refer to it as:

data "terraform_remote_state" "dev2" {

  backend = "local"

  config {

    path = "${path.module}/../../../../terraform.tfstate"

  }

}

resource "aws_lambda_function" "sto-test-lambda" {

...

  role = "${data.terraform_remote_state.dev2.dev-cloudwatch-lambda-role-arn}"

...
}

Then it appears to work (I haven't started applying this stuff yet, just starting to try to figure out how it's supposed to work).

I actually think defining these outputs is better (makes the interface between parent project and sub-project better defined, so I won't accidentally delete a resource being used by a sub-project).

I'm just wondering why it doesn't work the way the doco shows - am I doing something wrong?

[David Maze]

On Thursday, January 12, 2017 at 11:39:46 PM UTC-5, shorn....@gmail.com wrote:

The TF doco seems to imply that I can refer directly to resources through terraform_remote_state data source, but I can't make it work.

No, only things you explicitly output.  (This is spelled out midway through https://www.terraform.io/docs/providers/terraform/d/remote_state.html, but remote state is referenced in several places in the documentation.)

 

I actually think defining these outputs is better (makes the interface between parent project and sub-project better defined, so I won't accidentally delete a resource being used by a sub-project).

That's one part of the motivation for the module setup I use: VPCs and databases are defined separately from application servers, so that if we refresh an application server, there's no risk of accidentally destroying the underlying data.