I’m starting to use check blocks, like the example below, to assert changes have been properly applied following terraform apply, but I can’t seem to stop them producing a warning when I run terrafrom plan prior to first application.
check "name_tag_valid" {
data "aws_subnets" "with_valid_name_tag" {
depends_on = [aws_ec2_tag.name]
tags = {
Name = "my-subnet-*"
}
}
assert {
condition = length(setsubtract(data.aws_subnets.this.ids, data.aws_subnets.with_valid_name_tag.ids)) == 0
error_message = <<-EOT
One or more subnets have an invalid value for the tag 'Name'.
- The value of the 'Name' tag must match 'snet-*'
- Invalid subnets: ${join(", ", setsubtract(data.aws_subnets.this.ids, data.aws_subnets.with_valid_name_tag.ids))}
EOT
}
}
As suggested in the documentation, I’m using the depends_on meta-argument of a scoped data source, and specifically the phrase “This strategy avoids producing unnecessary warnings during setup”, suggests that warnings will not be emitted in this scenario.
However, they still are, as can be seen below. This is causing our CI/CD pipelines to fail because we cannot proceed with any warnings or errors.
So how can I suppress check block warnings for terraform plan operations prior to the configuration being applied for the first time?
╷
│ Warning: Check block assertion known after apply
│
│ on assert.tf line 58, in check "stack_repository_tag_valid":
│ 58: condition = length(setsubtract(data.aws_subnets.this.ids, data.aws_subnets.with_valid_stack_repository_tag.ids)) == 0
│ ├────────────────
│ │ data.aws_subnets.this.ids is list of string with 3 elements
│ │ data.aws_subnets.with_valid_stack_repository_tag.ids is a list of string
│
│ The condition could not be evaluated at this time, a result will be known when this plan is applied.
╵