Conditionally create resource if variable is set

[nodesocket]

I'd like to create the following resource only if the variable var.google_vpc_cidr is set not empty. How is this possible?

variable "google_vpc_cidr" {
    description = "Google Compute Engine VPC CIDR"
    default = ""
}

resource "aws_security_group" "queue" {
    name = "queue"
    description = "Queue role"
}

// pseudo code
if(${google_vpc_cidr}) {
    resource "aws_security_group_rule" "rabbitmq_tcp_5672_google" {
        type = "ingress"
        from_port = 5672
        to_port = 5672
        protocol = "tcp"
        cidr_blocks = [
           "${var.google_vpc_cidr}"
        ]
        security_group_id = "${aws_security_group.queue.id}"
   }
}

[apparentlymart]

Hi @nodesocket,

We try to keep questions out of the github issues because it's harder for people in future to find the answers, so I'd ask that in future questions be directed to one of the forums on the Community page.

Here's one way to achieve what you're looking for here, though:

variable "google_vpc_cidr" {
    description = "Google Compute Engine VPC CIDR"
    default = ""
}

resource "aws_security_group" "queue" {
    name = "queue"
    description = "Queue role"
}

resource "aws_security_group_rule" "rabbitmq_tcp_5672_google" {
    count = "${var.google_vpc_cidr != "" ? 1 : 0}"

    type = "ingress"
    from_port = 5672
    to_port = 5672
    protocol = "tcp"
    cidr_blocks = [
       "${var.google_vpc_cidr}"
    ]
    security_group_id = "${aws_security_group.queue.id}"
}

If you have any further questions about the above, please refer to the community page, since it's hard for us to track ongoing Q&A within the github issues UI.

Thanks!

[nodesocket]

@apparentlymart I just followed up in the gitter https://gitter.im/hashicorp-terraform/Lobby. Seems like if var.google_vpc_cidr = "" this breaks still.

[nodesocket]

Even doing:

resource "aws_security_group_rule" "web_tcp_11211_google" {
    count = "${var.google_vpc_cidr != "" ? 1 : 0}"
    type = "ingress"
    from_port = 11211
    to_port = 11211
    protocol = "tcp"
    cidr_blocks = [
        "${var.google_vpc_cidr != "" ? var.google_vpc_cidr : "0.0.0.0/0"}"
    ]
    security_group_id = "${aws_security_group.web.id}"
}

Still breaks, which it should not. If var.google_vpc_cidr = "" then cidr_blocks = [] should be getting 0.0.0.0/0

[omeid]

Using the count trick then force you to do the splat, split, join, and element dance in the outputs, I think a meta attribute that enables and disables a resource is pretty logical thing to have.

See #17617 for example.

[Leon99]

Does closing this issue mean that we'll have to wrap all the references to a conditional resource in element(concat(..., list("")), 0)? I wonder if there is anything on the roadmap that would help in making it simpler?

[isaccavalcante]

Also, this "solution" does not integrate well with tools that auto-generate the variables documentation, like terraform-docs.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.