[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Successor to CentOS] AlmaLinux OS server construction/migration service

[Successor to CentOS] AlmaLinux OS server construction/migration service

[For WordPress only] Cloud server “Web Speed”

[For WordPress only] Cloud server “Web Speed”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Reservation system development] EDISONE customization development service

[Reservation system development] EDISONE customization development service

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[Global exclusive service] Beyond's MSP in North America and China

[Global exclusive service] Beyond's MSP in North America and China

[YouTube] Beyond official channel “Biyomaru Channel”

[YouTube] Beyond official channel “Biyomaru Channel”

[Terraform] Refer to resource information described in different tfstates

My name is Teraoka and I am an infrastructure engineer.


There is a data source called terraform_remote_state that
is useful when writing Terraform HCL This time I would like to introduce this.

■What is terraform_remote_state?

I want to refer to information about resources described in different tfstates.
This is a convenient data source to use in such cases.

First of all, Terraform

has a file called tfstate that records resource information created when deploying with Terraform Apply

When building infrastructure with Terraform,
if there are multiple environments (stepping stone, production, development, etc.),

it is a golden rule to separate tfstate for each environment so that terraform apply does not affect other environments

When tfstate is separated

You may want to refer to
the information on resources created in the stepping stone environment In this case, "terraform_remote_state" is useful.

■When should you use it?

For AWS, one example is given below.

If we assume that when connecting to a server via SSH, we will go through a stepping stone server,
what will happen if we try to create a security group and rules in Terraform?
First, I think we will create a VPC and security group + rules for the stepping stone server.

bastion.tf

terraform { backend "s3" { bucket = "terraform-tfstate" key = "terraform-blog/bastion.tfstate" region = "ap-northeast-1" } } resource "aws_vpc" "bastion" { cidr_block = "10.0.0.0 /16" enable_dns_hostnames = true tags { Name = "vpc-bastion" } } resource "aws_security_group" "bastion" { name = "bastion-sg" description = "for bastion server" vpc_id = "${aws_vpc.bastion.id} " tags { Name = "bastion-sg" } } resource "aws_security_group_rule" "prod_sg_rule" { security_group_id = "${aws_security_group.bastion.id}" type = "ingress" from_port = "22" to_port = "22" protocol = " tcp" cidr_blocks = "XXX.XXX.XXX.XXX" }

In the backend settings, tfstate is placed in S3 with the name bastion.tfstate, but
this is okay because we are just adding the VPC and security group + permission rule from a specific IP.
So, what should be the settings for the "connected side" from the stepping stone?

production.tf

terraform { backend "s3" { bucket = "terraform-tfstate" key = "terraform-blog/prod.tfstate" region = "ap-northeast-1" } } resource "aws_vpc" "prod" { cidr_block = "10.0.0.0 /16" enable_dns_hostnames = true tags { Name = "vpc-prod" } } resource "aws_security_group" "prod" { name = "prod-sg" description = "for production server" vpc_id = "${aws_vpc.prod.id} " tags { Name = "prod-sg" } } resource "aws_security_group_rule" "prod_sg_rule" { security_group_id = "${aws_security_group.prod.id}" type = "ingress" from_port = "22" to_port = "22" protocol = " tcp" source_security_group_id = "${What should I specify?}"

If you want to allow SSH connections from the springboard server, you
need to allow access from the springboard security group, so
you need to specify the springboard security group ID in source_security_group_id.

However, since the stepping stone server and tfstate are separated in the backend description
, the security group ID cannot be referenced as is.

■How to use it

I would like to be able to refer to it when I find out that it is not possible.
First, you need to add output settings on the bastion.tf side.

bastion.tf

terraform { backend "s3" { bucket = "terraform-tfstate" key = "terraform-blog/bastion.tfstate" region = "ap-northeast-1" } } resource "aws_vpc" "bastion" { cidr_block = "10.0.0.0 /16" enable_dns_hostnames = true tags { Name = "vpc-bastion" } } resource "aws_security_group" "bastion" { name = "bastion-sg" description = "for bastion server" vpc_id = "${aws_vpc.bastion.id} " tags { Name = "bastion-sg" } } resource "aws_security_group_rule" "prod_sg_rule" { security_group_id = "${aws_security_group.bastion.id}" type = "ingress" from_port = "22" to_port = "22" protocol = " tcp" cidr_blocks = "XXX.XXX.XXX.XXX" } ## Add output "security_group_id" { value = "${aws_security_group.bastion.id}" }

If you want to reference a value from a different tfstate,
you need to output the value you want to reference in advance.
This time, we want to refer to the ID of the bastion security group, so
we will output aws_security_group.bastion.id.

In this state, you can refer to the value in terraform_remote_state from production.tf.

production.tf

terraform { backend "s3" { bucket = "terraform-tfstate" key = "terraform-blog/prod.tfstate" region = "ap-northeast-1" } } resource "aws_vpc" "prod" { cidr_block = "10.0.0.0 /16" enable_dns_hostnames = true tags { Name = "vpc-prod" } } resource "aws_security_group" "prod" { name = "prod-sg" description = "for production server" vpc_id = "${aws_vpc.prod.id} " tags { Name = "prod-sg" } } resource "aws_security_group_rule" "prod_sg_rule" { security_group_id = "${aws_security_group.prod.id}" type = "ingress" from_port = "22" to_port = "22" protocol = " tcp" source_security_group_id = "${data.terraform_remote_state.bastion.security_group_id}" } ## Add data "terraform_remote_state" "bastion" { backend = "s3" config { bucket = "terraform-tfstate" key = "terraform-blog/bastion .tfstate" region = "ap-northeast-1" } }


Load the tfstate for the stepping stone saved in S3
using the data source terraform_remote_state The value can be referenced by the name specified in output, so
the value specified for source_security_group_id
will be data.terraform_remote_state.bastion.security_group_id.

■Summary

terraform_remote_state is used fairly often, so it's worth remembering.
There is no problem even if you separate tfstate with this!

If you found this article helpful , please give it a like!
1
Loading...
1 vote, average: 1.00 / 11
10,548
X facebook Hatena Bookmark pocket
[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

The person who wrote this article

About the author

Yuki Teraoka

Joined Beyond in 2016 and is currently in his 6th year as an Infrastructure Engineer
MSP, where he troubleshoots failures while
also designing and building infrastructure using public clouds such as AWS.
Recently, I
have been working with Hashicorp tools such as Terraform and Packer as part of building container infrastructure such as Docker and Kubernetes and automating operations, and I
also play the role of an evangelist who speaks at external study groups and seminars.

・GitHub
https://github.com/nezumisannn

・Presentation history
https://github.com/nezumisannn/my-profile

・Presentation materials (SpeakerDeck)
https://speakerdeck.com/nezumisannn

・Certification:
AWS Certified Solutions Architect - Associate
Google Cloud Professional Cloud Architect