Description
Terraform Version
N/A
Use Cases
This is an attempt to overcome the known limitation that data sources are being recreated/repulled if they depends_on the resource with pending updates. Let's take a look at the following example:
```hcl
resource "aws_sns_topic" "my_topic" {
  name = "my-topic"
}

resource "aws_iam_role" "sns_access_role" {
  name = "sns-access-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })
}

data "aws_iam_policy_document" "sns_access_policy" {
  statement {
    actions   = ["sns:Publish", "sns:Subscribe", "sns:ListSubscriptionsByTopic"]
    resources = [aws_sns_topic.my_topic.arn]
  }
}

resource "aws_iam_role_policy" "sns_access_inline_policy" {
  name   = "sns-access-inline-policy"
  role   = aws_iam_role.sns_access_role.name
  policy = data.aws_iam_policy_document.sns_access_policy.json
}
```
If I update aws_sns_topic, the aws_iam_policy_document will be repulled, leading to aws_iam_role_policy updates.
Attempted Solutions
Calculate the topic ARN in locals and use it in the data source:
```hcl
locals {
  topic_arn = "arn:aws:sns:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:my-topic"
}

...

data "aws_iam_policy_document" "sns_access_policy" {
  statement {
    actions   = ["sns:Publish", "sns:Subscribe", "sns:ListSubscriptionsByTopic"]
    resources = [local.topic_arn]
  }
}
```
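A fuller version of that workaround, added here as an example rather than code from the issue: it declares the data sources the snippet relies on, feeds the resource name and the hand-built ARN from one local so they cannot drift apart, and adds a resource postcondition (Terraform 1.2 or later) so an apply fails if the computed ARN ever stops matching the real topic ARN that the least-privilege policy is meant to scope to. The aws_partition lookup and the postcondition are my additions; aws_iam_role.sns_access_role is assumed to be declared as in the issue.

```hcl
# Added example, not from the issue. Requires Terraform >= 1.2 for postconditions.
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  # Single source of truth for the name, so the resource and the
  # hand-built ARN cannot diverge when someone renames the topic.
  topic_name = "my-topic"

  # Built from data sources only: no reference to the aws_sns_topic
  # resource, so a pending in-place update to the topic does not
  # force the policy document to be re-read at apply time.
  topic_arn = "arn:${data.aws_partition.current.partition}:sns:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${local.topic_name}"
}

resource "aws_sns_topic" "my_topic" {
  name = local.topic_name

  lifecycle {
    # Guard against the computed ARN silently pointing somewhere else:
    # the inline policy below would then grant the SNS actions on an ARN
    # that is not this topic.
    postcondition {
      condition     = self.arn == local.topic_arn
      error_message = "Computed ARN ${local.topic_arn} does not match the real topic ARN ${self.arn}."
    }
  }
}

data "aws_iam_policy_document" "sns_access_policy" {
  statement {
    actions   = ["sns:Publish", "sns:Subscribe", "sns:ListSubscriptionsByTopic"]
    resources = [local.topic_arn]
  }
}

resource "aws_iam_role_policy" "sns_access_inline_policy" {
  name   = "sns-access-inline-policy"
  role   = aws_iam_role.sns_access_role.name
  policy = data.aws_iam_policy_document.sns_access_policy.json
}
```

With this layout, `terraform plan` after a topic change shows only the topic update; the policy document and the inline role policy stay untouched unless the ARN inputs themselves change.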
Proposal
Usually resources have some attributes, such as identifiers (arn in AWS or id in Azure), that are defined on resource creation and remain unchanged on in-place (~) modification. However, currently Terraform doesn't take this into account (at least in the data source case), and it leads to a complex Terraform plan.
References
There are many similar GitHub issues but I really don't know which one to link.