Terraform v0.14.0-beta2
variable asgs {
  default = {
    "a" = "a security group"
    "b" = "because"
    "c" = "cats"
  }
  type = map
}
provider aws {}
module asdf {
  for_each    = var.asgs
  enable      = true
  source      = "./modules/asg"
  name        = each.key
  description = each.value
}
and then the module:
resource aws_security_group sg {
  count       = var.enable ? 1 : 0
  name        = var.name
  description = "tf test ${var.description}"
}
output sg {
  value = aws_security_group.sg
}
variable description { type = string }
variable name { type = string }
variable enable { type = bool }
a run.sh
rm -rf .terraform
terraform init
terraform validate
terraform plan
terraform apply -auto-approve
terraform plan
terraform destroy -auto-approve
$ ./run.sh
Initializing modules...
- asdf in modules/asg
Initializing the backend...
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/aws v3.13.0...
- Installed hashicorp/aws v3.13.0 (signed by HashiCorp)
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Success! The configuration is valid.
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# module.asdf["a"].aws_security_group.sg[0] will be created
+ resource "aws_security_group" "sg" {
+ arn = (known after apply)
+ description = "tf test a security group"
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = "a"
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ vpc_id = (known after apply)
}
# module.asdf["b"].aws_security_group.sg[0] will be created
+ resource "aws_security_group" "sg" {
+ arn = (known after apply)
+ description = "tf test because"
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = "b"
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ vpc_id = (known after apply)
}
# module.asdf["c"].aws_security_group.sg[0] will be created
+ resource "aws_security_group" "sg" {
+ arn = (known after apply)
+ description = "tf test cats"
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = "c"
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ vpc_id = (known after apply)
}
Plan: 3 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ sg = [
+ {
+ arn = (known after apply)
+ description = "tf test because"
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = "b"
+ name_prefix = null
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ tags = null
+ timeouts = null
+ vpc_id = (known after apply)
},
]
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
module.asdf["b"].aws_security_group.sg[0]: Creating...
module.asdf["a"].aws_security_group.sg[0]: Creating...
module.asdf["c"].aws_security_group.sg[0]: Creating...
module.asdf["c"].aws_security_group.sg[0]: Creation complete after 1s [id=sg-xxxx]
module.asdf["b"].aws_security_group.sg[0]: Creation complete after 1s [id=sg-xxxx]
module.asdf["a"].aws_security_group.sg[0]: Creation complete after 1s [id=sg-xxxx]
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
module.asdf["a"].aws_security_group.sg[0]: Refreshing state... [id=sg-xxxx]
module.asdf["c"].aws_security_group.sg[0]: Refreshing state... [id=sg-xxxx]
module.asdf["b"].aws_security_group.sg[0]: Refreshing state... [id=sg-xxxx]
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
Terraform will perform the following actions:
Plan: 0 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ sg = [
+ {
+ arn = "arn:aws:ec2:ap-southeast-2:xxxx:security-group/sg-xxxx"
+ description = "tf test a security group"
+ egress = []
+ id = "sg-xxxx"
+ ingress = []
+ name = "a"
+ name_prefix = ""
+ owner_id = "xxxx"
+ revoke_rules_on_delete = false
+ tags = {}
+ timeouts = null
+ vpc_id = "vpc-xxxx"
},
]
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
module.asdf["c"].aws_security_group.sg[0]: Destroying... [id=sg-xxxx]
module.asdf["a"].aws_security_group.sg[0]: Destroying... [id=sg-xxxx]
module.asdf["b"].aws_security_group.sg[0]: Destroying... [id=sg-xxxx]
module.asdf["a"].aws_security_group.sg[0]: Destruction complete after 0s
module.asdf["c"].aws_security_group.sg[0]: Destruction complete after 0s
module.asdf["b"].aws_security_group.sg[0]: Destruction complete after 0s
Destroy complete! Resources: 3 destroyed.
If I want to show an output on screen or to export to another workspace, as per before v0.14 we should define this output in the root.
Sub module outputs are being displayed.
This is annoying for TF Cloud users, as this is now happening on every run (seeing new outputs). It means TFCloud thinks there is a change and we have to discard all the runs, even though there are no changes.
Thanks for reporting this, @jurgenweber! I'm able to reproduce it on 0.14.0-beta2 with a slightly simpler config below.
main.tf:
module "foo" {
  source = "./foo"
}
foo/main.tf:
resource "random_pet" "pet" {
  length = 3
}
output "pet" {
  value = random_pet.pet.id
}
Plan output:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# module.foo.random_pet.pet will be created
+ resource "random_pet" "pet" {
+ id = (known after apply)
+ length = 3
+ separator = "-"
}
Plan: 1 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ pet = (known after apply)
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
This doesn't seem to be an intentional change. It seems to have been introduced between alpha20201007 and beta1, and I believe it's a result of #26551. Reverting commit 5eca0788 seems to fix the issue.
I think the problem is that 5eca0788 accidentally removed the filtering of changed outputs. My proposed fix would be to restore the allRootModuleOutputs function and use it to ensure that we only render root module outputs.
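The root-only filtering described in the comment above, as an added Go example; it is not Terraform's code and not the merged fix. `ParseOutputAddr` and `RootOutputs` are hypothetical names, and the `output.<name>` / `module.<name>.output.<name>` address form is an assumption of the example.

```go
package main

import "fmt"

// ParseOutputAddr splits an address such as `module.asdf["a"].output.sg` into
// its module instance path (empty for the root module) and output name.
// Dots inside a quoted instance key do not split the address.
func ParseOutputAddr(addr string) (module []string, name string, err error) {
	var parts []string
	inQuote, start := false, 0
	for i := 0; i < len(addr); i++ {
		switch {
		case addr[i] == '"':
			inQuote = !inQuote
		case addr[i] == '.' && !inQuote:
			parts = append(parts, addr[start:i])
			start = i + 1
		}
	}
	parts = append(parts, addr[start:])
	// Consume leading "module", "<instance>" pairs to build the module path.
	for len(parts) >= 2 && parts[0] == "module" {
		module = append(module, parts[1])
		parts = parts[2:]
	}
	if len(parts) != 2 || parts[0] != "output" || parts[1] == "" {
		return nil, "", fmt.Errorf("not an output address: %q", addr)
	}
	return module, parts[1], nil
}

// RootOutputs returns only the names of outputs declared in the root module,
// so a renderer fed its result never lists child-module outputs.
func RootOutputs(addrs []string) ([]string, error) {
	var root []string
	for _, a := range addrs {
		module, name, err := ParseOutputAddr(a)
		if err != nil {
			return nil, err
		}
		if len(module) == 0 {
			root = append(root, name)
		}
	}
	return root, nil
}

func main() {
	// Constructed sample: child outputs from the thread's configs plus one root output.
	addrs := []string{"module.foo.output.pet", `module.asdf["a"].output.sg`, "output.name"}
	fmt.Println(RootOutputs(addrs))
}
```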
I've merged a fix for this, which will go out in 0.14.0-beta3. Thanks again for reporting!
n1 mate, thank you!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.