Terraform: Need to apply twice to have output vars computed
Terraform Version
$ terraform -v
Terraform v0.8.8
Affected Resource(s)
I am not 100% sure whether these are the resources affected or this affects other resources as well, may be a core issue?
- aws_rds_cluster_instance
- aws_rds_cluster
Terraform Configuration Files
resource "aws_rds_cluster_instance" "aurora_cluster_instance" {
count = 1
identifier = "aurora-cluster-demo-${count.index}"
cluster_identifier = "${aws_rds_cluster.aurora_cluster.id}"
instance_class = "db.t2.medium"
}
resource "aws_rds_cluster" "aurora_cluster" {
cluster_identifier = "aurora-cluster-demo"
availability_zones = ["${var.availability_zones}"]
database_name = "myrancherdb"
master_username = "myrancherdbuser"
master_password = "myrancherdbuserpassword"
}
output "db_cluster_fqdn" {
value = "${aws_rds_cluster.aurora_cluster.endpoint}"
}
output "db_cluster_readonly_fqdn" {
value = "${aws_rds_cluster.aurora_cluster.reader_endpoint}"
}
output "db_cluster_port" {
value = "${aws_rds_cluster.aurora_cluster.port}"
}
Expected Behavior
After running terraform apply, the output variables should have been computed.
Actual Behavior
$ terraform output -module=aurora_db
The state file has no outputs defined. Define an output
in your configuration with the `output` directive and re-run
`terraform apply` for it to become available.
$
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
- Create a Terraform module as above
terraform plan -target=module.aurora_dbterraform apply -target=module.aurora_dbterraform output -module=aurora_db
Quick Fix
Execute Terraform apply again which will not change any resources, but after that output variables would be computed.
$ terraform apply -target=module.aurora_db
...
...
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
$ terraform output -module=aurora_db
db_cluster_fqdn = aurora-cluster-demo.cluster-cmsnqrrandom.ap-southeast-2.rds.amazonaws.com
db_cluster_port = 3306
db_cluster_readonly_fqdn = aurora-cluster-demo.cluster-ro-cmsnqrrandom.ap-southeast-2.rds.amazonaws.com
vikas027
All 11 comments
This appears related to a problem we have with planfiles. Plan files with targeted resources do not populate outputs.
Given this terraform file:
provider "aws" {
region = "us-west-1"
}
resource "aws_security_group" "aj_test" {
name = "aj_test"
description = "Just testing"
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
output "sg_id" {
value = "${aws_security_group.aj_test.id}"
}
$ terraform plan --out planfile --target aws_security_group.aj_test
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.
The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.
Your plan was also saved to the path below. Call the "apply" subcommand
with this plan file and Terraform will exactly execute this execution
plan.
Path: planfile
+ aws_security_group.aj_test
description: "Just testing"
egress.#: "1"
egress.482069346.cidr_blocks.#: "1"
egress.482069346.cidr_blocks.0: "0.0.0.0/0"
egress.482069346.from_port: "0"
egress.482069346.prefix_list_ids.#: "0"
egress.482069346.protocol: "-1"
egress.482069346.security_groups.#: "0"
egress.482069346.self: "false"
egress.482069346.to_port: "0"
ingress.#: "1"
ingress.482069346.cidr_blocks.#: "1"
ingress.482069346.cidr_blocks.0: "0.0.0.0/0"
ingress.482069346.from_port: "0"
ingress.482069346.protocol: "-1"
ingress.482069346.security_groups.#: "0"
ingress.482069346.self: "false"
ingress.482069346.to_port: "0"
name: "aj_test"
owner_id: ""
vpc_id: ""
Plan: 1 to add, 0 to change, 0 to destroy.
$ terraform apply planfile
aws_security_group.aj_test: Creating...
description: "" => "Just testing"
egress.#: "" => "1"
egress.482069346.cidr_blocks.#: "" => "1"
egress.482069346.cidr_blocks.0: "" => "0.0.0.0/0"
egress.482069346.from_port: "" => "0"
egress.482069346.prefix_list_ids.#: "" => "0"
egress.482069346.protocol: "" => "-1"
egress.482069346.security_groups.#: "" => "0"
egress.482069346.self: "" => "false"
egress.482069346.to_port: "" => "0"
ingress.#: "" => "1"
ingress.482069346.cidr_blocks.#: "" => "1"
ingress.482069346.cidr_blocks.0: "" => "0.0.0.0/0"
ingress.482069346.from_port: "" => "0"
ingress.482069346.protocol: "" => "-1"
ingress.482069346.security_groups.#: "" => "0"
ingress.482069346.self: "" => "false"
ingress.482069346.to_port: "" => "0"
name: "" => "aj_test"
owner_id: "" => ""
vpc_id: "" => ""
aws_security_group.aj_test: Creation complete
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.
State path: terraform.tfstate
$ terraform output
The state file has no outputs defined. Define an output
in your configuration with the `output` directive and re-run
`terraform apply` for it to become available.
The only way we have gotten output with targeted plans is by running apply without a plan. We find this incredibly dangerous and stress to all operators to only apply inspected plans.
If we continue with the test case above, I can get output if all I run an apply without a plan:
$ terraform plan --out planfile --target aws_security_group.aj_test Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. aws_security_group.aj_test: Refreshing state... (ID: sg-5d7be23a) No changes. Infrastructure is up-to-date. This means that Terraform could not detect any differences between your configuration and the real physical resources that exist. As a result, Terraform doesn't need to do anything. $ terraform apply --target aws_security_group.aj_test aws_security_group.aj_test: Refreshing state... (ID: sg-5d7be23a) Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: sg_id = sg-5d7be23a
This is dangerous because we can no longer guarantee what terraform will apply. We prefer to know that terraform will only do what we direct it to do in the planfile, applying without a plan is dangerous and we would prefer a workflow that allows us to continue to only apply planfiles.
icebourg
on 14 Mar 2017
Can confirm. This only happens if you use a plan file and specify a target. Not specifying a target will generate the outputs correctly.
Rhathe
on 15 Mar 2017
@Rhathe I am not using any plan file, but still encountering this.
vikas027
on 16 Mar 2017
Same.
Wenzil
on 19 Apr 2017
After testing some more, outputs fail to be updated when doing either one of these:
terraform apply -target=module.mymoduleterraform plan -target=mymodule -out=planfilethenterraform apply planfile
Note that applying twice had no effect whatsoever in my tests. In fact the only way I've been able to have the outputs updated is by doing either:
- simply
terraform applywith no target - or
terraform plan -out=planfilewith no target, thenterraform apply planfile
Of course, the problem is that all other modules will be invoked as well, which is no good...
Wenzil
on 19 Apr 2017
For what it's worth, all our problems went away when we upgraded to terraform 0.9+.
icebourg
on 19 Apr 2017
I've made a quick hack to pinpoint the origin of the bug, simply getting rid of this step in ApplyGraphBuilder seems to (naively) resolve the problem on my end, haven't checked for regressions. I was tipped by this comment, the bug seems to point to the filtering being too wide-reaching. I will try and propose a proper bugfix if I find the time.
pjcliche
on 19 Apr 2017
For others facing this issue. This may be a helpful stopgap workaround https://github.com/hashicorp/terraform/issues/13555#issuecomment-299992079
bclodius
on 8 May 2017
Terraform v0.9.6 fixes this issue for my use case.
bclodius
on 31 May 2017
Hi all,
As @bclodius said, there was a fix for this in v0.9.6 from #14378. The issue was that -target was culling all of the output nodes from the graph, since they weren't directly targeted. The fix there causes outputs to be implicitly targeted if any of their dependencies are targeted.
Hopefully that cleared things up for everyone!
apparentlymart
on 31 May 2017
I'm going to lock this issue because it has been closed for _30 days_ โณ. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 11 Apr 2020
Related issues
rkulagowski
ยท
3Comments
allomov
ยท
3Comments
rnowosielski
ยท
3Comments
zeninfinity
ยท
3Comments
rjinski
ยท
3Comments