Preventing Unintended Rancher Resource Recreations Due to Data Source Dependencies

SUSE Rancher

Rancher2 Terraform Provider

Users frequently encounter situations where resources, dependent on data source properties, are unexpectedly recreated during every terraform plan or terraform apply operation. This results in unnecessary changes and increased operational overhead.

Terraform plan output consistently shows resources marked for replacement, even when no intentional configuration changes have been made. This is often accompanied by messages indicating that data sources are being read during the apply phase, rather than the refresh phase.
Example Terraform plan snippet showing a forced resource replacement:

# resource "example_resource" "resource_name" must be replaced
-/+ resource "example_resource" "resource_name" {
    ~ property_dependent_on_data_source = "old_value" -> (known after apply) # forces replacement
    ...
}

And logs showing the data source being read during apply:(below is terraform plan output when debug is enabled)

[1m# data.example_data_source.source_name[0m will be read during apply
# (depends on a resource or a module with changes pending)

This not a rancher2 terraform provider issue, its by design expected behaviour for terraform datasources, out of the provider scope, we can follow below to avoid the issue:

• Minimize "Known After Apply" Dependencies:
  • Carefully analyze data source dependencies and identify properties that rely on "known after apply" values.
  • Explore alternative methods for obtaining necessary information, such as:
    • Using static values or variables when possible.
    • Leveraging output values from other resources.
    • Pre-populating data outside of Terraform.
• Optimize Data Source Usage:
  • Ensure data sources are only used when absolutely necessary, specially for critical resources.
  • Consider caching data source as local variables to store retrieved values.
• Refactor Terraform Modules:
  • Design modules to minimize dependencies on dynamic data source properties.
  • Improve module structure to reduce the number of data sources being read during apply.

Terraform's data sources are designed to retrieve information needed for resource configuration. Ideally, these data sources should populate their values during the refresh step, which happens before Terraform calculates the plan. However, if a data source depends on a value that is only known after a resource is created or modified (a "known after apply" value), Terraform must read the data source during the apply step. When a data source is read during apply, any changes in its output will trigger changes in resources that depend on it. Terraform perceives it as a change and marks the dependent resources for recreation.

[1] https://developer.hashicorp.com/terraform/language/data-sources#data-resource-behavior

[2] https://github.com/rancher/terraform-provider-rancher2/issues/460