Module depends_on triggers update/replacement of all datasource-dependent resources #26383

Closed
jensenak opened this issue Sep 25, 2020 · 2 comments
Labels: config; explained (a Terraform Core team member has described the root cause of this issue in code); working as designed (confirmed as reported and closed because the behavior is intended)

Comments

Terraform Version

Terraform v0.13.3
+ provider registry.terraform.io/hashicorp/aws v3.8.0

Terraform Configuration Files

main.tf:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.8"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

module "sub1" {
  source     = "./sub1"
}

module "sub2" {
  source     = "./sub2"
  depends_on = [module.sub1]
}

sub(1|2)/main.tf

data "aws_vpc" "vpc1" {
  tags = {
    Name = "vpc1"
  }
}

resource "aws_security_group" "data_test" {
  name_prefix = "data_test"
  vpc_id      = data.aws_vpc.vpc1.id
}

resource "aws_security_group_rule" "data_test" {
  type              = "egress"
  from_port         = 65535 # We're going to change this line in *one* of the two modules
  to_port           = 65535
  protocol          = "udp"
  cidr_blocks       = [data.aws_vpc.vpc1.cidr_block]
  security_group_id = aws_security_group.data_test.id
}

Note that the same file is used for both submodules initially simply so that you can change one without changing the other. This is for reproduction only. The actual issue was found in a substantially more complex configuration.

Expected Behavior

An update to the from_port of the security group rule in sub1/main.tf should cause only one resource to be replaced.

Actual Behavior

All datasource-dependent resources in the dependent module (sub2) are replaced.

Steps to Reproduce

  1. Create the repro files above (note that there are two modules, sub1 and sub2 with identical content initially).
  2. terraform init and apply
  3. Alter the from_port in the security group rule of sub1/main.tf
  4. terraform plan

Result: Both the security group and security group rule of sub2/main.tf will be replaced, even though the data sources they depend on haven't changed and return identical data.

Additional Context

This issue happens with any data source, including aws_iam_policy_document, template_file, etc. that should have no external dependencies. We believe this is a problem because it means that the use of depends_on on a module in conjunction with data sources will force the recreation of resources that have no changes.

References

jbardin (Member) commented Sep 25, 2020

Thanks @jensenak!

This appears to be working as designed, but is a good example of why one should not put depends_on into a module without fully understanding the consequences.

When depends_on is added to the sub2 module, it makes everything in the sub2 module depend on everything in the sub1 module. This means that if there is any sort of change in the sub1 module, Terraform has no way of knowing if it's valid to update data sources in the sub2 module, hence they are deferred until apply. Resources that depend on the data sources in sub2 are subsequently given unknown values during plan, indicating they also cannot be handled until apply, which may cause unnecessary updates or replacements.

There is a related situation where a data source being refreshed in the dependency module might cause the same cascade of replacement. Since data sources should not defer other data sources to the apply phase, we can avoid that particular situation, which was recently fixed in #26375.

Whenever possible, we suggest users avoid depends_on and use explicit references to the data required by each resource, so that Terraform has the most precise data available for planning.

@jbardin jbardin closed this as completed Sep 25, 2020
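
The explicit-reference approach suggested in the comment above, applied to the reproduction as an added example (not code from the issue or from the Terraform project): the module-level depends_on is removed and sub2 receives the VPC attributes it needs as inputs. The output and variable names (vpc_id, vpc_cidr_block) and the outputs.tf and variables.tf file names are assumptions.

```hcl
# main.tf (root): no module-level depends_on; sub2 gets only the values it uses.
module "sub1" {
  source = "./sub1"
}

module "sub2" {
  source         = "./sub2"
  vpc_id         = module.sub1.vpc_id         # assumed output name
  vpc_cidr_block = module.sub1.vpc_cidr_block # assumed output name
}

# sub1/outputs.tf (assumed file): expose the data source attributes sub2 needs.
# sub1/main.tf stays as in the reproduction.
output "vpc_id" {
  value = data.aws_vpc.vpc1.id
}

output "vpc_cidr_block" {
  value = data.aws_vpc.vpc1.cidr_block
}

# sub2/variables.tf (assumed file): inputs replace the data source lookup.
variable "vpc_id" {
  type = string
}

variable "vpc_cidr_block" {
  type = string
}

# sub2/main.tf: resources reference the inputs, so each one depends only on
# the specific value it consumes instead of on every resource in sub1.
resource "aws_security_group" "data_test" {
  name_prefix = "data_test"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "data_test" {
  type              = "egress"
  from_port         = 65535
  to_port           = 65535
  protocol          = "udp"
  cidr_blocks       = [var.vpc_cidr_block]
  security_group_id = aws_security_group.data_test.id
}
```

With this layout, editing the rule in sub1 leaves sub2's inputs known at plan time, provided the data source in sub1 does not itself depend on a resource with pending changes.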
ghost commented Oct 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked as resolved and limited conversation to collaborators Oct 26, 2020