Terraform Plan Data Source Refresh Output

Greetings!

Something I noticed around terraform 0.13 or terraform 0.14, when I do a plan, it’s outputting data source updates, such as…

$ terraform plan
...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
+/- create replacement and then destroy
 <= read (data resources)

# module.bootstrap.module.public_website["app"].module.aws_iam["live"].data.aws_iam_policy_document.base will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "base"  {
      ~ id      = "1812989946" -> (known after apply)
      ~ json    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "s3:Put*",
                          - "s3:List*",
                          - "s3:Get*",
                          - "s3:Describe*",
                          - "s3:Delete*",
                          - "cloudfront:CreateInvalidation",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                         ...REDACTED...
                        ]
                      - Sid      = ""
                    },
                  - {
                      - Action   = [
                          - "s3:DeleteObjectVersion",
                          - "s3:DeleteBucket",
                        ]
                      - Effect   = "Deny"
                      - Resource = [
                        ...REDACTED...
                        ]
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
      - version = "2012-10-17" -> null

      ~ statement {
          - effect        = "Allow" -> null
          - not_actions   = [] -> null
          - not_resources = [] -> null
            # (2 unchanged attributes hidden)
        }
      ~ statement {
          - not_actions   = [] -> null
          - not_resources = [] -> null
            # (3 unchanged attributes hidden)
        }
    }

It’s really making my plan executions unreadable. I’m seeing this on the aws provider and the github provider, so it doesn’t appear to be a provider-specific issue.

Is something bad/incorrect happening that Terraform is feeling the need to inform me of data source refreshes? I don’t feel like they are actionable?

Hi @cnuss,

In this particular case it seems like Terraform is telling you that the actual read operation for this data resource will be deferred until the apply step because some of its arguments are (known after apply).

In the common case where the data resource depends on something that’s being created in the same plan then this typically converges after the first apply and you won’t see it again on subsequent plans unless something else changes which makes the data resource configuration or result change.

If you have applied a plan like what you showed here and yet it still appeared again on the next terraform plan then that suggests that there’s something non-convergent elsewhere in your configuration, in which case I’d say that it’s that non-convergence that is the problem here, with the constantly-appearing data resource only being a symptom.

I can’t say anything more specific without seeing the configuration for this data resource, but I will say that for aws_iam_policy_document in particular it’s pretty typical for it to appear in the plan on initial create of new objects because a constructed policy typically refers to the arn attribute of various resources and the AWS provider typically can’t populate those until the apply step, because they contain remote-system-assigned identifiers. The arn attributes should remain constant on future terraform plan without any other changes though, and so this typical case should converge.
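
The following is an added example, not part of the original thread and not code from either poster: one way to separate deferred data source reads from real resource changes by reading the machine-readable plan (terraform show -json on a saved plan file), and to list which attributes are still unknown. The sample plan and its addresses are constructed and hypothetical.

```python
import json

# Constructed sample, shaped like `terraform show -json <planfile>` output.
# Addresses and values are hypothetical, not taken from the thread.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_s3_bucket.site", "mode": "managed",
   "change": {"actions": ["create"], "after_unknown": {"arn": true, "id": true}}},
  {"address": "data.aws_iam_policy_document.base", "mode": "data",
   "change": {"actions": ["read"],
              "after_unknown": {"id": true, "json": true,
                                "statement": [{"resources": [true]}]}}},
  {"address": "aws_iam_role.deploy", "mode": "managed",
   "change": {"actions": ["no-op"], "after_unknown": {}}}
]}
""")


def unknown_paths(node, prefix=""):
    """Flatten an after_unknown tree into the attribute paths marked true."""
    if node is True:
        return [prefix]
    if isinstance(node, dict):
        return [p for key, val in node.items()
                for p in unknown_paths(val, f"{prefix}.{key}" if prefix else key)]
    if isinstance(node, list):
        return [p for i, val in enumerate(node)
                for p in unknown_paths(val, f"{prefix}[{i}]")]
    return []  # false/None: value is already known at plan time


def split_plan(plan):
    """Return (deferred data reads -> unknown attributes, real changes)."""
    deferred, changes = {}, []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if rc.get("mode") == "data" and actions == ["read"]:
            unknown = rc["change"].get("after_unknown", {})
            deferred[rc["address"]] = unknown_paths(unknown)
        elif actions != ["no-op"]:
            changes.append((rc["address"], actions))
    return deferred, changes


if __name__ == "__main__":
    deferred, changes = split_plan(SAMPLE_PLAN)
    for address, actions in changes:
        print("change:", address, actions)
    for address, paths in deferred.items():
        print("deferred read:", address, "unknown:", ", ".join(paths))
```

If the same data resource is still listed as a deferred read on a plan taken right after an apply, that is the non-convergent case described in the reply above.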