Terraform: Toggle access_logs with environment variables

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

In Terraform, you can conditionally include or exclude blocks of code using the dynamic block feature along with conditional expressions. This is particularly useful when you want to apply certain configurations based on variables or environments. For example, you might want to enable access logs only in your production environment.

To control the inclusion or exclusion of a block in your Terraform code based on a condition, such as an environment variable, you can use the dynamic block feature in conjunction with conditional logic.

Let's say you have an access_logs block that you want to enable only for a specific environment.

1. Define a variable to hold your environment name, for example, environment_name.

2. Use a dynamic block to wrap your access_logs block.

3. Inside the dynamic block, use a for_each argument. Set it to a conditional expression that evaluates to a list containing a single element (e.g., ["enabled"]) if the condition is true, and an empty list ([]) if the condition is false.

   For instance:

   dynamic "access_logs" {
     for_each = var.environment_name == "production" ? ["enabled"] : []
   
     content {
       # Your access_logs configuration here
     }
   }

In this example, the access_logs block will only be included in your Terraform plan when the environment_name variable is set to "production". If the condition is false, the for_each will iterate over an empty list, effectively skipping the access_logs block.

This approach allows you to dynamically control the presence of blocks in your Terraform code based on variables or conditions, providing flexibility in managing configurations for different environments or scenarios.

The code defines a Terraform variable for environment name and uses a dynamic block to conditionally include access logs configuration for an AWS Application Load Balancer (ALB) based on the environment. If the environment is "production", access logs are enabled and configured to be sent to a specific S3 bucket. If the environment is not "production", the access logs configuration is skipped.

# Define a variable for the environment name
variable "environment_name" {
  type = string
  default = "development"
}

# Resource that might have access logs enabled
resource "aws_alb" "example" {
  # ... other ALB configurations ...

  # Dynamically include access_logs block based on environment
  dynamic "access_logs" {
    for_each = var.environment_name == "production" ? ["enabled"] : []

    content {
      bucket = "my-alb-logs"
      enabled = true
      prefix = "alb-logs"
    }
  }
}

Explanation:

1. Variable Definition:

   • We define a variable environment_name to store the environment name. The default value is set to "development".

2. Dynamic Block:

   • The dynamic "access_logs" block is used to conditionally include the access_logs configuration.

3. Conditional for_each:

   • The for_each argument uses a conditional expression:
     • var.environment_name == "production" ? ["enabled"] : []
     • If environment_name is "production", it evaluates to ["enabled"], a list with one element. This triggers the dynamic block to iterate once and include the content block.
     • If environment_name is not "production", it evaluates to [], an empty list. The dynamic block iterates zero times, effectively skipping the access_logs configuration.

4. Content Block:

   • The content block contains the actual access_logs configuration for the aws_alb resource. This block is only evaluated and included in the plan if the for_each condition is true.

How it works:

• When you run Terraform with environment_name set to "production", the access_logs block will be included in the plan, enabling access logs for the ALB.
• When you run Terraform with any other value for environment_name (like the default "development"), the access_logs block will be skipped, and access logs will not be enabled.

This approach provides a clean and efficient way to manage environment-specific configurations within your Terraform code.

• Flexibility: This pattern isn't limited to environment variables. You can use any Terraform expression that evaluates to true or false within the for_each condition. This allows you to include or exclude blocks based on resource attributes, data sources, or even the output of external data sources.

• Alternatives to for_each: While for_each with a conditional is a common approach, you can also use count with a conditional expression for simpler scenarios where you only need to include or exclude a single instance of a block.

• Nested dynamic blocks: You can nest dynamic blocks to create more complex conditional structures. This allows you to conditionally include or exclude entire sections of your configuration based on multiple variables or conditions.

• Readability and Organization: Using dynamic blocks can make your Terraform code more readable and organized, especially when dealing with many conditional configurations. It helps separate environment-specific or feature-specific logic, making your code easier to understand and maintain.

• State Management: Keep in mind that removing a block from your configuration using conditional logic will cause Terraform to destroy the corresponding resources. Be cautious when applying changes to environments where resources are already provisioned.

• Testing: It's crucial to thoroughly test your Terraform code with different variable values or environments to ensure that the conditional logic behaves as expected. Consider using automated testing tools to validate your configurations.

This article explains how to conditionally include or exclude blocks of code in Terraform configurations using the dynamic block and conditional logic.

Scenario: Enabling access_logs only for the "production" environment.

Steps:

1. Define an environment variable: Create a variable (e.g., environment_name) to store the environment name.
2. Wrap the conditional block: Enclose the access_logs block within a dynamic block.
3. Use for_each with conditional logic:
   • Inside the dynamic block, use the for_each argument.
   • Set for_each to a conditional expression that returns:
     • ["enabled"] (a list with one element) if the condition is true (e.g., environment_name == "production").
     • [] (an empty list) if the condition is false.

Example:

dynamic "access_logs" {
  for_each = var.environment_name == "production" ? ["enabled"] : []

  content {
    # Your access_logs configuration here
  }
}

How it works:

• The dynamic block dynamically generates the access_logs block based on the for_each value.
• If environment_name is "production", for_each iterates over ["enabled"], creating the access_logs block.
• If environment_name is not "production", for_each iterates over [], effectively skipping the access_logs block.

Benefits:

• Flexibility: Manage configurations for different environments or scenarios.
• Dynamic Code: Include or exclude blocks based on variables and conditions.

By leveraging the dynamic block and conditional expressions, Terraform empowers you to craft adaptable and environment-aware infrastructure configurations. This approach streamlines the management of resources across different deployments, ensuring that specific configurations are applied only when necessary. Remember to thoroughly test your code and consider using automated testing tools to guarantee the expected behavior of your conditional logic. By mastering these techniques, you can enhance the flexibility and maintainability of your Terraform projects, enabling smoother and more efficient infrastructure provisioning.

• Terraform design discussion: inline blocks, empty vs omitted ... | I hope it's OK to file an issue to discuss Terraform's design. If this sort of discussion belongs somewhere else, let me know! Terraform's support for modules is awesome. However, there are two des...
• How to use if else-if else condition in Terraform - Stack Overflow | Nov 22, 2018 ... ... possible to turn the access_logs block on and off via the environment_name variable? Related. 1 · IF-Like Conditionals without ELSE in Terraform.
• SweetOps #terraform for June, 2021 | Jun 1, 2021 ... ... using a data source block, using [*], etc.. ... Otherwise I'd have to use a CLI/Go SDK to set all the variables in the workspace in Terraform ...
• Terraform - Don't create log_config on firewall rules unless enabled ... | Aug 11, 2021 ... Is it possible to turn the access_logs block on and off via the environment_name variable? 6. Terraform - aws_cloud_watch_log_metric_filter · 3.
• SweetOps #terraform for July, 2021 | It may be to do with you using the same variable name (user) for iterating through each array. ... Has anyone here been able to enable ASG metrics using the ...
• Ommit optional blocks in terraform module - Stack Overflow | May 6, 2020 ... Is it possible to turn the access_logs block on and off via the environment_name variable? Related. 5 · Excluding resource in Terraform module.
• How do people use appsettings.json / appsettings.development.json ... | Posted by u/PureKrome - 22 votes and 66 comments
• How to Implement GitLab CI/CD Pipeline with Terraform | Follow this step-by-step tutorial to implement a CI/CD pipeline for Terraform using GitLab with example configuration, which creates an EC2 instance on AWS.
• Topics with Label: Environment variables - Databricks Community | Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.