Terraform Set Value Retrieval: Beyond for_each?

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

In Terraform, the set datatype is a useful way to manage collections of unique values. However, unlike lists, sets don't support direct element access using indices. This guide will explain how to effectively work with sets in Terraform, primarily using the for_each meta-argument, and address potential challenges and alternative strategies.

Terraform's set datatype is a collection of unique values without any particular order. This lack of indexing means you can't directly access elements like you would with a list using indices (e.g., my_list[0]).

The primary way to work with sets in Terraform is using the for_each meta-argument. This construct allows you to iterate over each element of the set and perform actions.

Let's say you have a set of AWS instance types:

variable "instance_types" {
  type = set(string)
  default = ["t3.micro", "t3.small", "t3.medium"]
}

You can use for_each to create an AWS instance for each type:

resource "aws_instance" "example" {
  for_each = var.instance_types
  ami           = "ami-0c94855ba95c574c9"
  instance_type = each.value 
  # ... other instance configurations
}

In this example, for_each = var.instance_types tells Terraform to create one aws_instance resource for each value in the instance_types set. The each.value expression within the resource block represents the current element from the set during each iteration.

However, directly referencing a specific element from a set outside a for_each loop isn't possible. If you need to access a particular value based on a condition, you might need to restructure your data or logic. For instance, converting the set to a map with meaningful keys could allow you to reference values directly.

Keep in mind that for_each expressions often depend on values known only during the apply phase. This can lead to errors where Terraform can't determine the number of instances to create during the planning stage. In such cases, using the -target argument to apply specific resources first can help resolve dependencies.

While for_each is the primary method for working with sets, remember that Terraform's capabilities are constantly evolving. It's always beneficial to consult the latest documentation and explore community forums for alternative approaches or potential workarounds for specific scenarios.

This Terraform code demonstrates creating multiple AWS security groups, each allowing SSH access from specific CIDR blocks defined in a set variable. It uses the for_each meta-argument to iterate over the set and create a security group for each CIDR block. The code dynamically generates security group names and descriptions based on the CIDR blocks. Finally, it outputs the IDs of all created security groups. This example highlights using sets and for_each for efficient resource creation based on unique values.

This example demonstrates how to use Terraform's set datatype and the for_each meta-argument.

Scenario: We want to create multiple AWS security groups, each allowing SSH access from a specific CIDR block.

# Define a variable for allowed CIDR blocks as a set
variable "allowed_cidr_blocks" {
  type = set(string)
  default = ["10.0.0.0/16", "192.168.1.0/24"]
}

# Create a security group for each CIDR block
resource "aws_security_group" "ssh_access" {
  for_each = var.allowed_cidr_blocks

  name = "allow_ssh_from_${each.value}"
  description = "Allow SSH traffic from ${each.value}"

  # Define ingress rule for SSH
  ingress {
    from_port = 22
    to_port = 22
    protocol = "tcp"
    cidr_blocks = [each.value]
  }

  # Outbound rule (allow all)
  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Output the created security group IDs
output "security_group_ids" {
  value = aws_security_group.ssh_access
}

Explanation:

1. Variable Definition: We define a variable allowed_cidr_blocks of type set(string) to store the allowed CIDR blocks.
2. Resource Creation with for_each: The aws_security_group resource uses for_each = var.allowed_cidr_blocks to create one security group per CIDR block in the set.
3. Accessing Set Elements: Inside the resource block, each.value represents the current CIDR block from the set during each iteration. We use it to dynamically set the security group name, description, and ingress rule.
4. Output: The output block displays the IDs of all created security groups.

This example showcases how to leverage sets and for_each for efficient resource creation based on a collection of unique values. Remember that you cannot directly access specific elements from a set outside a for_each loop.

Here are some additional notes to supplement the article, covering common use cases, limitations, and workarounds related to Terraform sets:

Use Cases for Sets:

• Uniqueness Enforcement: Sets are ideal when you need to ensure only unique values are used, preventing accidental duplicates.
• Resource Iteration: As shown in the examples, for_each with sets is powerful for creating multiple resources with variations based on set elements.
• Data Filtering and Transformation: While not covered in the article, sets can be used with functions like contains, setintersection, setunion, etc., for data manipulation.

Limitations and Workarounds:

• No Direct Element Access: The inability to access set elements directly by index is a key limitation.
  • Workaround: If you need index-based access, consider using a list. If you need both uniqueness and indexing, use a map and access values via keys.
• Dynamic for_each Dependencies: When the number of iterations in for_each depends on resources created in the same Terraform run, it can lead to planning-phase errors.
  • Workaround: Use -target to apply dependent resources first, or restructure your code to make dependencies explicit.
• Finding Specific Elements: You can't directly search for a specific element within a set outside of for_each.
  • Workaround: Use functions like contains within conditional expressions inside for_each to perform actions based on element presence.

Best Practices:

• Choose the Right Data Structure: Carefully consider whether a set, list, or map is most appropriate for your use case.
• Meaningful Variable Names: Use descriptive names for sets and their elements to improve code readability.
• Comments for Clarity: Add comments to explain the purpose of sets and how they are used within your Terraform code.

Additional Tips:

• Set Functions: Explore Terraform's built-in functions for working with sets (e.g., length, element, setproduct).
• Community Resources: The Terraform community is very active. Don't hesitate to ask questions on forums or search for examples online.

Remember that Terraform is constantly evolving. New features and improvements are released regularly, so staying up-to-date with the latest documentation is crucial.

In conclusion, Terraform's set datatype is a valuable tool for managing distinct values. While it doesn't allow direct element access by index, the for_each meta-argument provides a powerful mechanism for iterating over sets and creating resources dynamically. Understanding the nuances of for_each, potential challenges like dynamic dependencies, and workarounds like using maps for index-based access are crucial for effectively leveraging sets in your Terraform code. As Terraform continues to evolve, staying informed about new features and community best practices will further enhance your ability to write efficient and maintainable infrastructure-as-code.

• The "for_each" value depends on resource attributes that cannot be ... | As so many people before me (and most probably after me), I ran into the following dreaded problem: The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the for_each depends on. I did some digging and I must admit that no explanation really gives full insights into what the actual problem is. I thought I saw ...
• Better (any?) documentation for retrieving values from set data type ... | The terraform-aws provider started using sets as output values in version 3, instead of lists or maps, so last night was my first experience using them. I have a set that has a single value in it. ...
• Help outputting a block of a for_each : r/Terraform | Posted by u/azureboy44 - 7 votes and 10 comments
• for_each and splat · Issue #22476 · hashicorp/terraform · GitHub | Using for_each with a map in resources results in a weird behaviour: Input: provider "aws" { version = "~> 2" } resource "aws_eip" "this" { for_each = { "a": 1, "b": 2, } } output "eips" { descript...
• Get output from a set of resource created with foreach : r/Terraform | Posted by u/MiaMyDiaz97 - 2 votes and 7 comments
• The for_each Meta-Argument - Configuration Language | Terraform ... | The keys of the map (or all the values in the case of a set of strings) must be known values, or you will get an error message that for_each has dependencies ...
• Terraform for_each problems (or confusion) : r/Terraform | Posted by u/gandalf8110 - 1 vote and 8 comments
• How to Use Terraform For_Each Meta-Argument [Examples] | In this tutorial you'll learn what is Terraform for_each meta-argument and how to use it. See example with map, set, list, modules and data sources.
• issue referencing a set of aws resources in a for_each condition : r ... | Posted by u/Wrectal - 4 votes and 7 comments