Aliased Data Source values not expanded during terraform plan. #19635

Closed
WodansSon opened this issue Dec 13, 2018 · 2 comments

@WodansSon

Terraform Version

Terraform v0.11.10

Terraform Configuration Files

provider "random" {
  version = "~> 2.0"
}

resource "random_string" "test_sql_password" {
  length = 15
  number = true
  min_numeric = 2
  upper = true
  min_upper = 2
  lower = true
  min_lower = 2
  special = false
}

resource "azurerm_resource_group" "test" {
  name     = "test-sql-password"
  location = "westeurope"
}

resource "azurerm_key_vault_secret" "test_sql_username" {
  name = "test-sql-username"
  value = "sqladmin"
  vault_uri = "https://keyvault.vault.azure.net/"
}

resource "azurerm_key_vault_secret" "test_sql_password" {
  name = "test-sql-password"
  value = "${random_string.test_sql_password.result}"
  vault_uri = "https://keyvault.vault.azure.net/"
}

data "azurerm_key_vault_secret" "test_sql_username" {
  name = "test-sql-username"
  vault_uri = "https://keyvault.vault.azure.net/"
  depends_on = [ "azurerm_key_vault_secret.test_sql_username" ]
}

data "azurerm_key_vault_secret" "test_sql_password" {
  name = "test-sql-password"
  vault_uri = "https://keyvault.vault.azure.net/"
  depends_on = [ "azurerm_key_vault_secret.test_sql_password" ]
}

resource "azurerm_sql_server" "test_sql_server" {
  name = "tftestsqlsrv"
  resource_group_name = "${azurerm_resource_group.test.name}"
  location = "${azurerm_resource_group.test.location}"
  version = "12.0"
  administrator_login = "${data.azurerm_key_vault_secret.test_sql_username.value}"
  administrator_login_password = "${data.azurerm_key_vault_secret.test_sql_password.value}"
}

resource "azurerm_sql_database" "test_sql_db" {
  name = "tftestsqldb"
  location = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  server_name = "${azurerm_sql_server.test_sql_server.name}"
  edition = "Standard"
}

resource "azurerm_sql_firewall_rule" "azure_services_fw_rule" {
  name = "azure_services"
  resource_group_name = "${azurerm_resource_group.test.name}"
  server_name = "${azurerm_sql_server.test_sql_server.name}"
  start_ip_address = "0.0.0.0"
  end_ip_address = "0.0.0.0"
}

Console Output

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

 <= data.azurerm_key_vault_secret.test_sql_password
      id:                           <computed>
      content_type:                 <computed>
      name:                         "test-sql-password"
      tags.%:                       <computed>
      value:                        <computed>
      vault_uri:                    "https://keyvault.vault.azure.net/"
      version:                      <computed>

 <= data.azurerm_key_vault_secret.test_sql_username
      id:                           <computed>
      content_type:                 <computed>
      name:                         "test-sql-username"
      tags.%:                       <computed>
      value:                        <computed>
      vault_uri:                    "https://keyvault.vault.azure.net/"
      version:                      <computed>

-/+ azurerm_sql_server.test_sql_server (new resource required)
      id:                           "/subscriptions/XXX/resourceGroups/test-sql-password/providers/Microsoft.Sql/servers/tftestsqlsrv" => <computed> (forces new resource)
      administrator_login:          "sqladmin" => "${data.azurerm_key_vault_secret.test_sql_username.value}" (forces new resource)
      administrator_login_password: <sensitive> => <sensitive> (attribute changed)
      fully_qualified_domain_name:  "tftestsqlsrv.database.windows.net" => <computed>
      location:                     "westeurope" => "westeurope"
      name:                         "tftestsqlsrv" => "tftestsqlsrv"
      resource_group_name:          "test-sql-password" => "test-sql-password"
      tags.%:                       "0" => <computed>
      version:                      "12.0" => "12.0"


Plan: 1 to add, 0 to change, 1 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

Expected Behavior

The administrator username and password are created as key vault secrets, and then read as data sources. After consecutive executions Terraform should report that everything is up-to-date:

No changes. Infrastructure is up-to-date.

Actual Behavior

See provider issue in References.

Steps to Reproduce

See provider issue in References.

References

#1864

@apparentlymart
Contributor

Hi @jeffreyCline,

This is a known issue with data resources described in #11806. The depends_on argument forces a data resource to be refreshed every time because the explicit dependency prevents it from being resolved at refresh time.

To make it work, use implicit expression references instead of depends_on, like this:

data "azurerm_key_vault_secret" "test_sql_username" {
  name      = "${azurerm_key_vault_secret.test_sql_username.name}"
  vault_uri = "${azurerm_key_vault_secret.test_sql_username.vault_uri}"
}

This version works because it gives Terraform more information: it can see that those two attribute values on azurerm_key_vault_secret.test_sql_username are already known and thus it is safe to read the data source during the refresh phase.

Since we already have #11806 open for this, I'm going to close this one just to consolidate discussion over there. Thanks for reporting this!
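
An added check, not part of the original thread or of Terraform itself: a small Python scan that lists `data` blocks declaring `depends_on`, the pattern the comment above identifies as forcing the data resource to be refreshed on every run. The sample config is constructed from the snippets in this issue; the function names are hypothetical, and the brace matching assumes braces inside strings are balanced, as they are in `${...}` interpolations.

```python
import re

# Constructed sample: one data block as written in the issue's config, and one
# rewritten with implicit references as suggested in the reply.
SAMPLE = '''
data "azurerm_key_vault_secret" "test_sql_password" {
  name = "test-sql-password"
  vault_uri = "https://keyvault.vault.azure.net/"
  depends_on = [ "azurerm_key_vault_secret.test_sql_password" ]
}

data "azurerm_key_vault_secret" "test_sql_username" {
  name      = "${azurerm_key_vault_secret.test_sql_username.name}"
  vault_uri = "${azurerm_key_vault_secret.test_sql_username.vault_uri}"
}
'''

DATA_HEADER = re.compile(r'^\s*data\s+"([^"]+)"\s+"([^"]+)"\s*\{', re.M)
DEPENDS_ON = re.compile(r'^\s*depends_on\s*=\s*\[(.*?)\]', re.M | re.S)

def block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def data_sources_with_depends_on(text):
    """List (address, [explicit dependencies]) for data blocks using depends_on."""
    findings = []
    for m in DATA_HEADER.finditer(text):
        body = block_body(text, m.end() - 1)  # m.end() - 1 is the opening brace
        dep = DEPENDS_ON.search(body)
        if dep:
            targets = re.findall(r'"([^"]+)"', dep.group(1))
            findings.append(("data.%s.%s" % (m.group(1), m.group(2)), targets))
    return findings

if __name__ == "__main__":
    for address, targets in data_sources_with_depends_on(SAMPLE):
        print("%s: explicit depends_on %s" % (address, targets))
```

Each reported address is a candidate for replacing `depends_on` with attribute references to the resource it names.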

@ghost
ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020