Terraform: Conditionally create resource if variable is set

Created on 14 Jun 2017 · 7Comments · Source: hashicorp/terraform

I'd like to create the following resource only if the variable var.google_vpc_cidr is set not empty. How is this possible?

variable "google_vpc_cidr" {
    description = "Google Compute Engine VPC CIDR"
    default = ""
}

resource "aws_security_group" "queue" {
    name = "queue"
    description = "Queue role"
}

// pseudo code
if(${google_vpc_cidr}) {
    resource "aws_security_group_rule" "rabbitmq_tcp_5672_google" {
        type = "ingress"
        from_port = 5672
        to_port = 5672
        protocol = "tcp"
        cidr_blocks = [
           "${var.google_vpc_cidr}"
        ]
        security_group_id = "${aws_security_group.queue.id}"
   }
}

question

Source

nodesocket

👍12

Most helpful comment

Using the count trick then force you to do the splat, split, join, and element dance in the outputs, I think a meta attribute that enables and disables a resource is pretty logical thing to have.

See #17617 for example.

omeid on 18 Mar 2018

👍61 🎉3 😄1

All 7 comments

Hi @nodesocket,

We try to keep questions out of the github issues because it's harder for people in future to find the answers, so I'd ask that in future questions be directed to one of the forums on the Community page.

Here's one way to achieve what you're looking for here, though:

variable "google_vpc_cidr" {
    description = "Google Compute Engine VPC CIDR"
    default = ""
}

resource "aws_security_group" "queue" {
    name = "queue"
    description = "Queue role"
}

resource "aws_security_group_rule" "rabbitmq_tcp_5672_google" {
    count = "${var.google_vpc_cidr != "" ? 1 : 0}"

    type = "ingress"
    from_port = 5672
    to_port = 5672
    protocol = "tcp"
    cidr_blocks = [
       "${var.google_vpc_cidr}"
    ]
    security_group_id = "${aws_security_group.queue.id}"
}

If you have any further questions about the above, please refer to the community page, since it's hard for us to track ongoing Q&A within the github issues UI.

Thanks!

apparentlymart on 14 Jun 2017

👍57 🎉8 👎5

@apparentlymart I just followed up in the gitter https://gitter.im/hashicorp-terraform/Lobby. Seems like if var.google_vpc_cidr = "" this breaks still.

nodesocket on 14 Jun 2017

Even doing:

resource "aws_security_group_rule" "web_tcp_11211_google" {
    count = "${var.google_vpc_cidr != "" ? 1 : 0}"
    type = "ingress"
    from_port = 11211
    to_port = 11211
    protocol = "tcp"
    cidr_blocks = [
        "${var.google_vpc_cidr != "" ? var.google_vpc_cidr : "0.0.0.0/0"}"
    ]
    security_group_id = "${aws_security_group.web.id}"
}

Still breaks, which it should not. If var.google_vpc_cidr = "" then cidr_blocks = [] should be getting 0.0.0.0/0

nodesocket on 14 Jun 2017

Using the count trick then force you to do the splat, split, join, and element dance in the outputs, I think a meta attribute that enables and disables a resource is pretty logical thing to have.

See #17617 for example.

omeid on 18 Mar 2018

👍61 🎉3 😄1

Does closing this issue mean that we'll have to wrap all the references to a conditional resource in element(concat(..., list("")), 0)? I wonder if there is anything on the roadmap that would help in making it simpler?

Leon99 on 27 Nov 2018

👍7

Also, this "solution" does not integrate well with tools that auto-generate the variables documentation, like terraform-docs.

isaccavalcante on 13 Dec 2019

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.