
Partial Configuration allows us to specify backend configurations from the command line.

terraform init \
    -backend-config="region=${AWS_DEFAULT_REGION}" \
    -backend-config="bucket=${TF_VAR_BACKEND_BUCKET}" \
    -backend-config="key=${TF_VAR_BACKEND_KEY}" \
    -backend-config="encrypt=true"

I thought the same could be used for terraform_remote_state.

data "terraform_remote_state" "vpc" {
  backend = "s3"
  config { }
}

However, it causes an error.

Error: Error refreshing state: 1 error(s) occurred:
* data.terraform_remote_state.vpc: 1 error(s) occurred:
* data.terraform_remote_state.vpc: data.terraform_remote_state.vpc: InvalidParameter: 1 validation error(s) found.
- minimum field size of 1, GetObjectInput.Key.

It looks like terraform_remote_state requires explicit configuration, as indicated in Terraform terraform_remote_state Partial Configuration.

data "terraform_remote_state" "vpc" {
  backend = "s3"
  config {
    encrypt = "true"
    bucket  = "${var.BACKEND_BUCKET}"
    key     = "${var.BACKEND_KEY}"
  }
}

Question

Is there a way to use partial configuration, or is it a current limitation of Terraform that partial configuration cannot be used for terraform_remote_state?

StephenKing
mon

1 Answer


Partial configuration only applies to the initialization of early parameters before any variables are evaluated.

The concept does not apply to "normal" resources (and in this sense, a data block is "normal"). However, since you hold your secrets in corresponding TF_VAR_* environment variables, explicitly stating those seems better than implicitly relying on their presence. The code is clearer, and all used values are stated in the code. This is good practice.

So the question is: Why would you want to avoid explicitly stating the required variables?


Addendum:

As you indicated in the comments, you want

a single location to hold one information

As you are using environment variables in your initialization process (via the --backend-config parameter) and in your code (via variable access to environment variables), you are effectively using one single place to manage the information for both entries!

(Note that the possibility to omit the values in the backend is a mere workaround due to the order in which Terraform processes the files.)


Please also reconsider the difference between backend (that is, where Terraform saves its state) and remote_state (this is just a normal data provider that gives information about any remote state you might desire, even those which are on completely separate cloud instances, accessed by potentially different credentials). Thus, specifying the credentials explicitly as those used by the backend is a special use case.

Markus
  • To have a single location to hold one piece of information, not more than one. Change the value in one location and no more. For the backend bucket name, why have one in the partial configuration parameter and also in terraform_remote_state.config? I mean configuration code-wise. For sure not about using TF_VAR for backend, but one for terraform init and another in terraform_remote_state. – mon Aug 06 '18 at 07:53
  • For consistency, if it allows terraform { backend "s3" {} }, why not data "terraform_remote_state" "vpc" { backend = "s3" config { } }, knowing "backend is special, being handled at an extremely early stage". – mon Aug 06 '18 at 07:58
  • I edited the answer to include your "one place for configuration"-argument. – Markus Aug 06 '18 at 09:56
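
The "one place for the information" point from the answer, as an added example that is not part of the original question or answer: a wrapper that checks the environment variables named in the question before running the question's terraform init command, so an empty bucket or key never reaches the backend or the terraform_remote_state block. The function names missing_backend_vars and tf_init are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Variable names come from the
# question; the function names are hypothetical.
#
# Terraform exposes TF_VAR_BACKEND_BUCKET / TF_VAR_BACKEND_KEY to the
# configuration as var.BACKEND_BUCKET / var.BACKEND_KEY, so the same exports
# feed both `terraform init -backend-config=...` and the
# terraform_remote_state config block.

# Print the names of required variables that are unset or empty.
missing_backend_vars() {
    missing=""
    [ -n "${AWS_DEFAULT_REGION:-}" ]    || missing="$missing AWS_DEFAULT_REGION"
    [ -n "${TF_VAR_BACKEND_BUCKET:-}" ] || missing="$missing TF_VAR_BACKEND_BUCKET"
    [ -n "${TF_VAR_BACKEND_KEY:-}" ]    || missing="$missing TF_VAR_BACKEND_KEY"
    printf '%s' "${missing# }"
}

# Validate first, then initialise the backend with the flags from the question.
tf_init() {
    missing="$(missing_backend_vars)"
    if [ -n "$missing" ]; then
        # An empty key is what the error in the question reports:
        # "minimum field size of 1, GetObjectInput.Key".
        echo "refusing to run terraform: unset or empty: $missing" >&2
        return 1
    fi
    terraform init \
        -backend-config="region=${AWS_DEFAULT_REGION}" \
        -backend-config="bucket=${TF_VAR_BACKEND_BUCKET}" \
        -backend-config="key=${TF_VAR_BACKEND_KEY}" \
        -backend-config="encrypt=true"
}

# Run only when invoked with the argument "init".
if [ "${1:-}" = "init" ]; then
    tf_init
fi
```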