Terraform apply scopes and namespacing - an alternative to boolean resource counts for flagging

hey folks. first time poster here on the forum. i’m trying to figure out how to apply some sort of broad stroke build flags on my terraform builds. right now i have 2 separate folders of terraform: one for setting up a provisioning environment for building with packer (creates some iam stuff that i can then attach to packer as it builds amis), and then a much larger environment build of the vpc, nodes, dbs, etc etc. after i build the provisioning environment, i need to then copy that iam.tf file into the environment build folder, so that it keeps the iam roles intact when i build the rest of the environment. but copying the file seems weird. cleaner code would be to reuse the same file and enable runtime flags.

so i started out with using basic boolean vars to trigger whether certain portions of my environment would build (using the resource count attribute), but i’d like to somehow use tags, or another namespace type of approach, for selectively provisioning certain elements of the environment build, so that i don’t need to use the count attribute and all the [index] syntax. that count attribute [index] syntax is just unnecessary when lots of things are single items. basically i just want to set a runtime var to true, and if it’s true, then certain portions of the environment build will be created, but without using the resource count attribute, it won’t create them.

took a look through all the docs, but couldn’t find anything to support this. maybe i’m blind, so posting this here to see if someone has a strategy that i haven’t learned yet.

thank you very much!

I agree that it’s cumbersome but the count = var.flag == true ? 1 : 0 construct is the only way of achieving this at the moment.

I don’t understand the “copy the iam.tf” part though. Most IAM resources (assume you mean AWS IAM) are global and so the apply operation should fail when you try it in the second config - if it’s the same account. If you’re trying to share resources between configurations, look towards data resources - and in particular, the terraform_remote_state which lets one configuration read the state from another configuration.
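A sketch of the approach suggested in this reply, added here as an example and not taken from any poster's code: the IAM resources stay in the provisioning configuration and are exported as an output, and the environment configuration reads that output through terraform_remote_state instead of carrying its own copy of iam.tf. The resource names, bucket, state key, region, AMI ID and the build_ami_builder flag are hypothetical placeholders, and it assumes each configuration uses its own state key.

```hcl
# --- provisioning/iam.tf (stays in the provisioning folder; never copied) ---
variable "namespace" {
  type    = string
  default = "sandbox0" # namespace mentioned in the thread
}

resource "aws_iam_role" "packer" {
  name = "${var.namespace}-packer" # hypothetical name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_instance_profile" "packer" {
  name = "${var.namespace}-packer"
  role = aws_iam_role.packer.name
}

# Only root-module outputs are readable from another configuration.
output "packer_instance_profile" {
  value = aws_iam_instance_profile.packer.name
}

# --- environment/main.tf (own state key, same S3 bucket) ---
data "terraform_remote_state" "provisioning" {
  backend = "s3"
  config = {
    bucket = "example-tfstate-bucket"        # placeholder
    key    = "sandbox0/provisioning.tfstate" # placeholder
    region = "us-east-1"                     # placeholder
  }
}

variable "build_ami_builder" {
  type    = bool
  default = false
}

# The count flag from the reply above; references to this resource elsewhere need [0].
resource "aws_instance" "ami_builder" {
  count                = var.build_ami_builder ? 1 : 0
  ami                  = "ami-00000000000000000" # placeholder
  instance_type        = "t3.micro"
  iam_instance_profile = data.terraform_remote_state.provisioning.outputs.packer_instance_profile
}
```

Reading remote state requires read access to the whole state snapshot of the provisioning configuration, so the S3 permissions granted to whoever runs the environment build should be scoped with that in mind.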

thanks for the reply @bentterp. appreciate the confirmation there.

i’ll also take a look at your suggested sharing of backend resources. when i say “copy the iam.tf”, basically i provision an aws environment via terraform with a single iam ec2 policy for building packer images, which is using s3/dynamo for state storage and state locking. i then need to provision the rest of the larger environment using a different set of terraform files, but also using the same state storage and state locking, so that it’s one environment all together that can be all torn down in one swoop when needed later (it’s all namespaced in aws for easy identifying like “sandbox0”). therefore i need to copy the single iam.tf from the provisioning terraform over to the large environment terraform folder to keep the iam ec2 policy intact for additional provisioning later of amis.

the sharing of backend resources may be a better option to fix this problem, so thank you!