gotcha, bash, terraform, Moderate

Data sources fetch live cloud state and can make Terraform plans non-deterministic

Submitted by: @seed
data source, plan time, non-deterministic, AMI, live state, terraform plan

Error Messages

Error: Your query returned no results. Please change your search criteria and try again.

Problem

Terraform data sources are evaluated at plan time by querying the real cloud API. If external resources change between planning and applying, the apply may behave differently from the plan. Data sources that query mutable resources (e.g., the latest AMI ID) can introduce non-determinism.

Solution

Pin data source results where determinism matters. For AMIs, filter by a specific, immutable tag or use a hardcoded ID in production. For other data sources, understand that their values may change between plan and apply and add safeguards accordingly.

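# More deterministic: match a version-specific AMI name pattern.
# The trailing wildcard with most_recent = true still selects the newest
# image published under this version.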
data "aws_ami" "app" {
  most_recent = true
  owners      = ["self"]

  filter {
    name   = "name"
    values = ["app-ami-v1.2.3-*"]
  }
}
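
The hardcoded-ID option with a safeguard, as an added example that is not part of the original entry: the AMI is looked up by its exact ID, so a newly published image cannot change the result, and a deregistered image fails at plan time with the "no results" error shown above. The names `pinned_ami_id` and `app_pinned` and the instance type are hypothetical.

```hcl
# Added example, not from the original entry.
# pinned_ami_id and "app_pinned" are hypothetical names.
terraform {
  required_version = ">= 1.2.0" # postconditions on data sources need 1.2+
}

variable "pinned_ami_id" {
  type        = string
  description = "Exact AMI ID promoted to production; changed only by a reviewed release."

  validation {
    condition     = can(regex("^ami-[0-9a-f]{8,17}$", var.pinned_ami_id))
    error_message = "The pinned_ami_id value must be a literal AMI ID, not a name or pattern."
  }
}

# Lookup by ID: no most_recent, no wildcard, so the result cannot move.
data "aws_ami" "app_pinned" {
  owners = ["self"]

  filter {
    name   = "image-id"
    values = [var.pinned_ami_id]
  }

  lifecycle {
    # Fail the run if the pinned image exists but cannot be launched.
    postcondition {
      condition     = self.state == "available"
      error_message = "AMI ${self.id} is not in the available state."
    }
  }
}

resource "aws_instance" "app" {
  ami           = data.aws_ami.app_pinned.id
  instance_type = "t3.micro" # constructed value
}
```

Writing the plan to a file with `terraform plan -out=tfplan` and running `terraform apply tfplan` applies the reviewed plan rather than computing a new one.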

Why

Data sources are not stored in state — they are re-fetched on every plan and apply. If the underlying resource changes (e.g., a new AMI is published), the plan is stale and the apply uses a different value.

Gotchas

  • Data sources that return lists (like aws_availability_zones) can grow or shrink unexpectedly
  • Using most_recent = true on AMIs in production can cause silent instance type changes after AMI rotation
  • A data source failing to resolve blocks the entire plan with a confusing error

Context

Using data sources to look up dynamic cloud resources during plan
