The terraform_remote_state
Data Source
The terraform_remote_state
data source uses the latest state snapshot from a specified state backend to retrieve the root module output values
from some other OpenTF configuration.
You can use the terraform_remote_state
data source without requiring or configuring a provider. It is always available through a built-in provider with the source address terraform.io/builtin/terraform
. That provider does not include any other resources or data sources.
Alternative Ways to Share Data Between Configurations
Sharing data with root module outputs is convenient, but it has drawbacks.
Although terraform_remote_state
only exposes output values, its user must have
access to the entire state snapshot, which often includes some sensitive
information.
When possible, we recommend explicitly publishing data for external consumption to a separate location instead of accessing it via remote state. This lets you apply different access controls for shared information and state snapshots.
To share data explicitly between configurations, you can use pairs of managed resource types and data sources in various providers, including (but not limited to) the following:
These are some common options from the Official OpenTF providers, but there are too many configuration storage options for us to list them all here, including some in partner and community providers. Any pair of managed resource type and corresponding data source can potentially be used to share data between OpenTF configurations. See individual provider documentation to find other possibilities.
A key advantage of using a separate explicit configuration store instead of
terraform_remote_state
is that the data can potentially also be read by
systems other than OpenTF, such as configuration management or scheduler
systems within your compute instances. For that reason, we recommend selecting
a configuration store that your other infrastructure could potentially make
use of. For example:
- If you wish to share IP addresses and hostnames, you could publish them as
normal DNS
A
,AAAA
,CNAME
, andSRV
records in a private DNS zone and then configure your other infrastructure to refer to that zone so you can find infrastructure objects via your system's built-in DNS resolver. - If you use HashiCorp Consul then publishing data to the Consul key/value
store or Consul service catalog can make that data also accessible via
Consul Template
or the
HashiCorp Nomad
template
stanza. - If you use Kubernetes then you can make Config Maps available to your Pods.
Some of the data stores listed above are specifically designed for storing
small configuration values, while others are generic blob storage systems. For
those generic systems, you can use
the jsonencode
function
and
the jsondecode
function respectively
to store and retrieve structured data.
You can encapsulate the implementation details of retrieving your published configuration data by writing a data-only module containing the necessary data source configuration and any necessary post-processing such as JSON decoding. You can then change that module later if you switch to a different strategy for sharing data between multiple OpenTF configurations.
Example Usage (remote
Backend)
data "terraform_remote_state" "vpc" {
backend = "remote"
config = {
organization = "hashicorp"
workspaces = {
name = "vpc-prod"
}
}
}
resource "aws_instance" "foo" {
# ...
subnet_id = data.terraform_remote_state.vpc.outputs.subnet_id
}
Example Usage (local
Backend)
data "terraform_remote_state" "vpc" {
backend = "local"
config = {
path = "..."
}
}
resource "aws_instance" "foo" {
# ...
subnet_id = data.terraform_remote_state.vpc.outputs.subnet_id
}
Argument Reference
The following arguments are supported:
backend
- (Required) The remote backend to use.workspace
- (Optional) The OpenTF workspace to use, if the backend supports workspaces.config
- (Optional; object) The configuration of the remote backend. Although this argument is listed as optional, most backends require some configuration.The
config
object can use any arguments that would be valid in the equivalentterraform { backend "<TYPE>" { ... } }
block. See the documentation of your chosen backend for details.noteIf the backend configuration requires a nested block, specify it here as a normal attribute with an object value. (For example,
workspaces = { ... }
instead ofworkspaces { ... }
.)defaults
- (Optional; object) Default values for outputs, in case the state file is empty or lacks a required output.
Attributes Reference
In addition to the above, the following attributes are exported:
outputs
- An object containing every root-level output in the remote state.
Root Outputs Only
Only the root-level output values from the remote state snapshot are exposed for use elsewhere in your module. Resource data and output values from nested modules are not accessible.
If you wish to make a nested module output value accessible as a root module output value, you must explicitly configure a passthrough in the root module. For example:
For example:
module "app" {
source = "..."
}
output "app_value" {
value = module.app.example
}
In this example, the output value named example
from the "app" module is
available as the app_value
root module output value. If this configuration
didn't include the output "app_value"
block then the data would not be
accessible via terraform_remote_state
.
Although terraform_remote_state
doesn't expose any other
state snapshot information for use in configuration, the state snapshot data
is a single object and so any user or server which has enough access to read
the root module output values will also always have access to the full state
snapshot data by direct network requests. Don't use terraform_remote_state
if any of the resources in your configuration work with data that you consider
sensitive.