Data block working inconsistently when 'count' and 'provider' arguments are used together #31181

Closed
kanagaraj-pandian-p-s opened this issue Jun 2, 2022 · 4 comments
Labels
bug duplicate issue closed because another issue already tracks this problem

kanagaraj-pandian-p-s commented Jun 2, 2022

Problem description -

We have 2 provider configurations defined in the same script and want to execute a data block with a particular provider based on the 'count' conditional expression. While the data block behaves normally when only the 'count' argument is used, when an additional argument of provider is added, it tries to read the provider configuration even if the condition turns out to be false. The question here is: if the condition is false, why does the data block need to execute the provider block?

Terraform Version

C:\Users\z004h53k>terraform -v
Terraform v1.1.7
on windows_amd64

Your version of Terraform is out of date! The latest version
is 1.2.2. You can update by downloading from https://www.terraform.io/downloads.html

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.0.0"
    }
  }
}

provider "azurerm" {
  subscription_id = "xxxxx"
  tenant_id       = "xxxxx"
  client_id       = "xxxxx"
  client_secret   = "xxxxx"
  features {}
}

provider "azurerm" {
  alias           = "china"
  subscription_id = "xxxxx"
  tenant_id       = "xxxxx"
  client_id       = "xxxxx"
  client_secret   = "xxxxx"
  environment     = "china"
  features {}
}

/* Using Data Source for fetching resource group details */
data "azurerm_resource_group" "rg" {
  count = local.tenant == "SHS" ? 1 : 0
  name  = split("/", var.resource_id)[4]
}

data "azurerm_resource_group" "rg_china" {
  count    = local.tenant == "china" ? 1 : 0
  provider = azurerm.china
  name     = split("/", var.resource_id)[4]
}

Note: local.tenant variable gets resolved to "SHS" here.

Debug Output

terraform apply --auto-approve

│ Error: building account: getting authenticated object ID: listing Service Principals: ServicePrincipalsClient.BaseClient.Get(): clientCredentialsToken: received HTTP status 400 with response: {"error":"invalid_request","error_description":"AADSTS90002: Tenant 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.\r\nTrace ID: e36ac19c-09d3-417e-a5e0-aa09e99a3801\r\nCorrelation ID: 07b73f82-8cef-484e-bdf3-fccc382d68e5\r\nTimestamp: 2022-06-02 13:01:53Z","error_codes":[90002],"timestamp":"2022-06-02 13:01:53Z","trace_id":"e36ac19c-09d3-417e-a5e0-aa09e99a3801","correlation_id":"07b73f82-8cef-484e-bdf3-fccc382d68e5","error_uri":"https://login.chinacloudapi.cn/error?code=90002"}

│ with provider["registry.terraform.io/hashicorp/azurerm"].china,
│ on main.tf line 34, in provider "azurerm":
│ 34: provider "azurerm" {

Expected Behavior

terraform should have skipped executing the data block with the provider argument.

Actual Behavior

data block is getting executed and provider block is getting called.

Steps to Reproduce

  1. Terraform script with 2 provider blocks and a data block with provider and count arguments. (count expression should return false)
  2. terraform init
  3. terraform plan (or) terraform apply
@kanagaraj-pandian-p-s kanagaraj-pandian-p-s added bug new new issue not yet triaged labels Jun 2, 2022
Contributor

crw commented Jun 3, 2022

Hello,

Thanks for this request! This ticket seems very similar to #16967 -- do you think this is essentially the same issue? If so, we can close this as a duplicate and repost your comment on that issue.

You might also have some luck asking this question on the community forum where there are more people ready to help. The GitHub issues here are monitored only by a few core maintainers.

If this helps, there are also a few similar or adjacent issues that may help.

Similar:
#25244

Adjacent:
#30589
#24476
#19932
#2430

Thanks!

@crw crw added the waiting-response An issue/pull request is waiting for a response from the community label Jun 3, 2022
@kanagaraj-pandian-p-s
Author

Hi @crw, thanks for your response. I went through the issues you have shared but I think this one is not related to them.

Can you please suggest a way to make this script work for 2 different provider configurations, with the data block referring to the correct provider configuration based on the value passed by the application/user?

Member

jbardin commented Jun 3, 2022

Hi @kanagaraj-pandian-p-s,

Unfortunately the way terraform is designed, the azurerm.china provider must be completely evaluated before the data source, so there's no way to know ahead of time that the data source evaluation is going to result in 0 instances.

You might be able to work around this by abusing the behavior of the provider which (I think) will ignore the configuration values if they're null. You can try something like this to make the provider config conditional on the same value as the data source:

locals {
  # Real credentials only when the "china" tenant is selected; null otherwise
  azure_config = local.tenant == "china" ? {
    subscription_id = "xxxx"
    tenant_id       = "xxxx"
    client_id       = "xxxx"
    client_secret   = "xxxx"
  } : {
    subscription_id = null
    tenant_id       = null
    client_id       = null
    client_secret   = null
  }
}

# The aliased provider takes its settings from the conditional local value
provider "azurerm" {
  alias           = "china"
  subscription_id = local.azure_config.subscription_id
  tenant_id       = local.azure_config.tenant_id
  client_id       = local.azure_config.client_id
  client_secret   = local.azure_config.client_secret
  environment     = "china"
  features {}
}

A more general solution would have to come from the resolution of one or more of the issues linked above (most directly #19932). Since we already have enhancement requests for more dynamic provider configuration, I'm going to close this out and we can follow the other for updates in the situation.

Thanks!

@jbardin jbardin closed this as completed Jun 3, 2022
@crw crw added duplicate issue closed because another issue already tracks this problem and removed waiting-response An issue/pull request is waiting for a response from the community new new issue not yet triaged labels Jun 7, 2022
Contributor

github-actions bot commented Jul 8, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 8, 2022