How to Set dependency on Resource Block in Data Block

Hello All,
I am new to Terraform. I am currently buliding a IaaC on AWS using terrform, where I need to set an dependency on resource block in a data block.


  • Creating a MWAA Private Server, which creates vpc endpoint.
  • I need to pull all the IP’s once, the VPC Endpoint/MWAA Server is been created, so that I can use these IP’s on AWS target groups which connects to ALB using the Data blocks.
  • I have set a dependency on resource in the data block. Below is the code,
data "aws_network_interfaces" "mwaa" {
  depends_on = [ aws_mwaa_environment.this ]
  filter {
    name   = "group-id"
    values = []
   filter {
    name   = "interface-type"
    values = ["vpc_endpoint"]

data "aws_network_interface" "mwaa" {
  depends_on = [ aws_mwaa_environment.this, data.aws_network_interfaces.mwaa ]
  for_each = toset(data.aws_network_interfaces.mwaa.ids)
  id = each.key


  • When deploying the terraform code, I am facing a issue as below

Terrform: 1.4.6
AWS Provider: 5.0.1

I would like your inputs on how to fix it.

Thanking you in advance.


I’m not familiar with the particular AWS resources mentioned, and you have not included the relevant resource blocks in your post… but you’ll need to see if those resources can directly return the relevant information about what they created.

That is the normal way this kind of thing works in Terraform.

There is a hard requirement that the keys of a for_each be known at the end on the plan phase, so your current approach cannot work.

@maxb, This is the resource Block,

resource "aws_mwaa_environment" "this" {
  count                            = local.compare_min_max_nodes ? 0 : 1
  name                             = local.mwaa_name
  airflow_version                  = var.mwaa_version
  environment_class                = var.mwaa_env_class
  source_bucket_arn                = data.aws_s3_bucket.mwaa_bucket.arn
  dag_s3_path                      = var.mwaa_s3_dags_prefix
  plugins_s3_path                  = var.mwaa_s3_plugins
  plugins_s3_object_version        = local.mwaa_plugins_version
  requirements_s3_path             = var.mwaa_s3_requirements
  requirements_s3_object_version   = local.mwaa_requirments_version
  startup_script_s3_path           = var.mwaa_s3_startup_script
  startup_script_s3_object_version = local.mwaa_startup_script_version
  webserver_access_mode            = "PRIVATE_ONLY"
  execution_role_arn               = module.mwaa_role.iam_role_arn
  max_workers                      = var.mwaa_max_worker_nodes
  min_workers                      = var.mwaa_min_worker_nodes
  schedulers                       = var.mwaa_scheduler_nodes
  #   kms_key                          = aws_kms_key.mwaa_kms.arn
  network_configuration {
    subnet_ids         = local.mwaa_subnets
    security_group_ids = []
  logging_configuration {
    dag_processing_logs {
      enabled   = var.mwaa_dag_processing_logs_enabled
      log_level = var.mwaa_dag_processing_logs_level

    scheduler_logs {
      enabled   = var.mwaa_scheduler_logs_enabled
      log_level = var.mwaa_scheduler_logs_level

    task_logs {
      enabled   = var.mwaa_task_logs_enabled
      log_level = var.mwaa_task_logs_level

    webserver_logs {
      enabled   = var.mwaa_webserver_logs_enabled
      log_level = var.mwaa_webserver_logs_level

    worker_logs {
      enabled   = var.mwaa_worker_logs_enabled
      log_level = var.mwaa_worker_logs_level
  tags = {
    Environment = var.env

Link for the Documentation for aws_mwaa_environment

Unfortunately, this resource block will not give IPs of the server, it only gives the private endpoint.

It might be worth you raising your use case in the terraform-provider-aws issue tracker - I can’t think of a way to make this work nicely without additional support from the provider.

Although, looking at the documentation, I wonder if it is intended that you not care about the IPs, and exclusively interact with the webserver_url returned from the resource.

True, I can use the Webserver url returned from the resource. But in some of the corporate network, they use there own DNS servers instead of Amazon DNS servers, because of it Amazon based Domain names will not be resolved, thus the case I am retrieving IP’s of the endpoint.

And forgot to mention that, AWS Target group will not point CNames.
It requires IP address, Lambda, Instance or NLB only. The output of the MWAA will give me CName.