Community Office Hours: Terraform

Join us weekly on Thursdays for Community Office Hours focused on Terraform and its providers. Please use this thread to ask technical questions to be answered during the 60-minute live office hours.

During Community Office Hours, we will have experts available to provide advice on technical architecture, give recommendations for operational best practices, review current Github issues, or dive into the open source-code itself.

The hosting teammates will reference this thread during each Community Office Hours focusing on Terraform and its providers.

Keep up with the schedule here and join us live soon!

Interested in catching up with previous Community Office Hours? Check out the recordings here.

My company created an internal set of modules that we’re required to use. Each of the modules has a provider block (for aws).
I want to call the corporate modules, but redefine the provider block in order to use localstack endpoints
When I run the modules, it seems like the provider block in the module is taking precedence. Is there a way for me to make terraform use my provider block?

Good morning,

My current organization is not using terraform and I am spear-heading the effort to make that statement no longer true.

I am currently writing a white paper on the security of Terraform in the Enterprise and I am struggling to find any source code security documentation. Is there anything public that I can link to in my paper?

Did you try passing-providers-explicitly

Not sure if this is the correct Office Hours as my questions are all specific to the AzureRM provider.

  1. Is there interest in resources that aren’t backed by ARM? If so is there any recomendation on how to go about implementing this?
    Context: I want to configure Stored Access Policy for a container and a queue in order to provide revokable SAS tokens.
  2. There are mulitiple resource types, that if they fail after creation, but before creation is complete do not add the resource to the state. This makes cleaning up the problem a very manual process. Is this pattern intentional or would you be open to PRs that ensured the resource was added to the state as long as the initial creation succeeded?
    Context: #9713 and #9717 for concrete resources I’ve stumbled across this problem due to missing permissions for the user running terraform on the initial run.
  3. How to resolve differences of opinion in PRs, and how to highlight PRs that are close for being ready for a proper review?
    Taking a concrete example, on #10030 I suggested splitting one of the input params in two then Neil came in and suggested the opposite and progress on the PR seems to have stopped in the confusion/uncertainty of the correct way forward.

Office hours question:

I am developing a Terraform provider that creates a resource ( A ) and as part of that process, the provider and the resource negotiate a key that should be considered secret. We want to then immediately use this key in another resource ( B ) that will use the key to access the resource A . Also, for B to use A it needs access to multiple additional pieces of information, like IP address and name

  1. Is it acceptable to store secrets in the Terraform state (in the resource output, and used in a resource input)?

  2. To keep the provider user from having to use reference multiple fields, would it be acceptable to pack multiple fields worth of information into a single field?

  3. What if the “key” in this case was a kilobyte or more of data, (for example: it was a PEM encoded public or private key). Would there be any concerns about the size of the state file if this field was referenced multiple places?

Thanks in advance for reviewing this question. I look forward to hearing your answers.

1-its not secure so you store it in backend like s3 ,dynamodb , artifact and other option store it in vault

2- as output would be good for example using * to declare all resource but as reference to resource , needing to be validate it and interaction and conflict it with count index .

3- yes , if is it possible to compress it state file to minimum would be good or better to use backend

Office Hours Question:

When trying to Publish a provider ( terraform-provider-zededa) to trraform Registry,

We have followed all the steps indicated in “Publishing Providers” section:

We are trying to publish the provider from the following GitHub repo:

The following link from indicates the provider as already published:

But when I click on the link, the page hangs ( keeps on loading - never completes ).
And “terraform init” command fails for the provider.

Can you please help with fixing this? What step is missing here?

I see that the webhook is missing from the repo. Since the provider page is not loading, we are not sure how to fix this? The document indicates that I need to do a “resync” once that page loads.

I emailed registry support multiple times, but did not get any response. Would appreciate if we can discuss how to fix this issue.

BTW… I have emailed - and here is the ticket request:
HashiCorp Help Center

When are the next office hours?

1 Like

I am receiving this error:
Error waiting for NAT Gateway (nat-xxxxx) to become available: unexpected state ‘failed’, wanted target ‘available’. last error: %!s()

It seems this error was encountered by several others under this issue, but I didn’t see a resolution:

is there a known solution to this? Or, a way to get more information about this error, such as what is causing this unexpected state of failed?

posting code below incase it is just some obvious error on my part:

###Create NAT Gateway
#If RdsCreate is set to true, the NAT EIP will be created. All of the network infrastructure related to the RDS depends_on NATEIP.

resource “aws_eip” “NATEIP” {
provider = aws.region-main
count = var.RdsCreate ? 1 : 0
vpc = true

resource “aws_nat_gateway” “NAT” {
provider = aws.region-main
allocation_id = aws_eip.NATEIP[0].id
#public_ip = aws_eip.NATEIP[0].id
count = length(aws_subnet.RdsSubnets)
subnet_id = aws_subnet.RdsSubnets[count.index].id
#connectivity_type = “private”
depends_on = [aws_eip.NATEIP, aws_internet_gateway.IGW]

output “nat_gateway_ip” {
value = aws_eip.NATEIP[0].public_ip

###Create Private RDS Subnets and Route Table

resource “aws_subnet” “RdsSubnets” {
provider = aws.region-main
count = length(var.RdsSubnets)
vpc_id =
cidr_block = var.RdsSubnets[count.index]
availability_zone = data.aws_availability_zones.AZs.names[count.index]
map_public_ip_on_launch = false
depends_on = [aws_eip.NATEIP]
tags = {
Name = “RdsPrivateSubnet${1+count.index}”

resource “aws_route_table” “Private” {
provider = aws.region-main
vpc_id =
route {
cidr_block = “”
nat_gateway_id = “aws_nat_gateway.NAT[0].id”
depends_on = [aws_eip.NATEIP]

resource “aws_route_table_association” “Private” {
provider = aws.region-main
count = length(aws_subnet.RdsSubnets)
subnet_id = aws_subnet.RdsSubnets[count.index].id
route_table_id =
depends_on = [aws_eip.NATEIP]

thank you in advance!!

Hi, where do I find the current schedule for the Community Office Hours. The link in the original post by katiereese317 doesn’t show a schedule. thank you so much,


Hi , i am getting [unknown block type dns_config error . Please find below link for details

can you please help?

@katiereese317 I create a Terraform module template that the community might be interested in?

Hi. I’m trying to run the terraform to update the already existing VM image definition properties in Azure to new properties but getting below error
Code=“PropertyChangeNotAllowed” Message=“Changing property ‘’ is not allowed.” Target=“”.
Could you please help on this issue.

Thanks in advance.

Where can i find a schedule for upcoming sessions?

I have a technical question and was wondering if the community could help. Essentially I am trying to execute a terraform file and would like it to proceed if a certain resource block fails to execute. I have tried using timeout but that just kills the entire process one the time out is reached.