Multiple Plan+Apply stages

Thanks, this is helpful. Although it means I have to split my application modules into pieces. Let me elaborate.

I have a Terraform configuration for an environment. It provisions the environment infrastructure (VPC, EKS, CloudWatch, CloudWatch Agent, Fluentd agent etc.) and installs application modules, Terraform modules which describe the resources required for each application (RDS, ElastiCache, Elasticsearch, Kubernetes workloads etc.). These modules are normally hosted in the application repository, which makes them easier to manage. All these modules use variables and outputs to wire infrastructure and applications.

Following your advice I can separate common infrastructure and application modules into multiple configurations. And, definitely, the remote state data source will help me wire things.

Maybe I can try auto-discovery using data sources. But I’m afraid it might be somewhat fragile. I want to have a reliable way of passing configuration between modules within an environment; variables work great because they are typed and can be marked as mandatory. It’s harder to forget something. With auto-discovery, I think, things will go wrong too late, during apply. But I have to try to know for sure.

But back to the topic… within application modules I have something like this:

# Request a DNS-validated certificate for the application's ingress host.
resource "aws_acm_certificate" "ingress" {
  domain_name       = var.ingress_host
  validation_method = "DNS"
  tags              = var.tags

  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per domain_validation_options entry, in the ingress zone.
resource "aws_route53_record" "validation" {
  count   = length(aws_acm_certificate.ingress.domain_validation_options)
  name    = aws_acm_certificate.ingress.domain_validation_options[count.index].resource_record_name
  type    = aws_acm_certificate.ingress.domain_validation_options[count.index].resource_record_type
  zone_id = var.ingress_zone
  records = [aws_acm_certificate.ingress.domain_validation_options[count.index].resource_record_value]
  ttl     = 60
}

I need to create an SSL certificate for the application to run on the environment. It takes the ingress_host and ingress_zone variables to create a load balancer and assign the SSL certificate to it. This small configuration does not work without -target because you need to create aws_acm_certificate before you can plan aws_route53_record. So, that means I need to separate my application module into two, which violates the idea of encapsulating application resources into modules.

Thanks again for the remote state data source, it will help me to refactor my setup a little bit, but I still think Terraform’s plan-everything apply-everything is flawed by design and the for_each and count parameter restrictions prove it.
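As an added example (not the poster's code), the same certificate wired with for_each and aws_acm_certificate_validation, the pattern the AWS provider documentation shows for provider 3.x where domain_validation_options is a set; it assumes var.ingress_host, var.ingress_zone and var.tags from the post, and a hypothetical listener that consumes the ARN.

```hcl
# Constructed example: DNS-validated ACM certificate with validation records
# keyed by domain name and an explicit wait for issuance before use.
resource "aws_acm_certificate" "ingress" {
  domain_name       = var.ingress_host
  validation_method = "DNS"
  tags              = var.tags

  lifecycle {
    create_before_destroy = true # keep the old cert bound until the new one is issued
  }
}

# One validation record per domain on the certificate, keyed by domain name so
# that adding a SAN later does not renumber (and recreate) existing records.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.ingress.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = var.ingress_zone
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true # re-issuing the same cert reuses the same CNAME name
}

# Blocks until ACM has verified the DNS records, so downstream resources bind
# an issued certificate rather than one still pending validation.
resource "aws_acm_certificate_validation" "ingress" {
  certificate_arn         = aws_acm_certificate.ingress.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

# Consumers reference the validation resource, not the raw certificate, so the
# dependency on a completed validation is explicit in the graph (hypothetical listener).
# certificate_arn = aws_acm_certificate_validation.ingress.certificate_arn
```

Whether this avoids -target depends on domain_name being known at plan time: when it comes from another resource created in the same run, Terraform still cannot compute the for_each keys until apply.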