Data shown in plan output

Hello! I’ve a set of modules that I wrote and I’m using those with two different workspaces (production, staging). Now, I’ve created a new IAM policy as a data source;

data "aws_iam_policy_document" "something" {

And in the plan output I can see this, but only in ONE of the envs’ (production) plan output. In the staging plan output, there wasn’t anything similar;

 <= data "aws_iam_policy_document" "something"  {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [

Any idea why? Thanks in advance

Hi @Amit,

Terraform’s behavior for data resources is to read them during the plan phase where possible, but to defer to the apply phase if the configuration for the data resource depends on values that won’t be known until after apply.

Since you’ve truncated the plan I can’t be sure about exactly what happened here, but my guess would be that there’s another action in the plan to create some other object, and that you’ve included the .arn attribute of that object as part of the policy here.

Most AWS provider resource types can return an ARN only after the object is created, because that’s also the point where the remote AWS API itself returns the ARN for the first time, and so you’ll typically see the following in the plan for a resource of one of those types:

      + arn = (known after apply)

If you’ve referred to that .arn attribute as part of one of your statement blocks inside the policy document, there won’t yet be enough information to populate aws_iam_policy_document.something.json, which we can see in the part of the plan output you shared as json = (known after apply).

Terraform is therefore including this in the plan in order to explain to you that the final value of aws_iam_policy_document.something.json won’t be known until the apply step.

If you’re using a reasonably modern version of Terraform then there should be an annotation just above the fragment you shared that is intended to summarize what I’ve said here:

  # data.aws_iam_policy_document.something will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "something"  {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [

If you are seeing this only in the production environment and not in the staging environment, I would expect that you’d also notice that the plan for the production environment also includes a plan to create an object that doesn’t need to be created in staging because it already exists.

I hope that helps! If what I described here doesn’t seem to apply to what you’re seeing then it’d help if you can share a little more of the plan output, so I can see better how the information is flowing between resources in this plan.


Thanks a lot @apparentlymart, that helps!
My TF version is 0.13.7 (en route to upgrade to 0.14 then 1.x).
You’re correct to say that this document json refers to another resource, not arn but an appconfig app id (aws_appconfig_application.this.id).

So that’s legit part of the plan, gotcha.
Thanks a lot for the quick response :slight_smile:
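
An added example, not code from anyone in this thread: a check over the JSON form of a plan (`terraform show -json <planfile>`) that lists data sources whose read is deferred to apply, which attributes are still unknown, and which resources the same plan creates. For an IAM policy document this shows that the final policy JSON cannot be reviewed from the plan alone. SAMPLE_PLAN is constructed for illustration and `aws_s3_bucket.logs` is a hypothetical resource.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the keys this check reads. Not taken from the thread.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_appconfig_application.this", "mode": "managed",
   "change": {"actions": ["create"],
              "after_unknown": {"id": true, "arn": true}}},
  {"address": "data.aws_iam_policy_document.something", "mode": "data",
   "change": {"actions": ["read"],
              "after_unknown": {"id": true, "json": true}}},
  {"address": "aws_s3_bucket.logs", "mode": "managed",
   "change": {"actions": ["no-op"], "after_unknown": {}}}
]}
""")


def deferred_data_reads(plan):
    """Map each data source read during apply to its wholly unknown top-level attributes."""
    deferred = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        # A data source that could be read during plan has no pending "read" action.
        if rc.get("mode") == "data" and change.get("actions") == ["read"]:
            unknown = change.get("after_unknown") or {}
            deferred[rc["address"]] = sorted(
                k for k, v in unknown.items() if v is True)
    return deferred


def pending_creates(plan):
    """Managed resources this plan creates or replaces: candidate sources of unknown values."""
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if rc.get("mode") == "managed"
            and "create" in rc.get("change", {}).get("actions", [])]


if __name__ == "__main__":
    for addr, attrs in deferred_data_reads(SAMPLE_PLAN).items():
        print(f"{addr}: read during apply; unknown now: {', '.join(attrs)}")
    for addr in pending_creates(SAMPLE_PLAN):
        print(f"{addr}: will be created in this plan")
```

Running it against the plan JSON of each workspace makes the difference between the two environments visible: the workspace where the referenced object already exists reports no deferred reads.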