All About Terraform Data Sources

Master Terraform data sources: discover what they are, when to use them, and how they make your infrastructure code dynamic, DRY, and reusable.

Sebastian Stadil

5 min read

Terraform has become a cornerstone of Infrastructure as Code (IaC), allowing teams to define and manage infrastructure with unparalleled consistency. A key feature that elevates Terraform from a static provisioning tool to a dynamic infrastructure orchestrator is Data Sources. They act as a bridge, enabling your configurations to interact with and utilize information from pre-existing infrastructure, external systems, or even other Terraform configurations.

Understanding and effectively using data sources is crucial for building flexible, maintainable, and robust infrastructure. Let's delve into what they are, why they're beneficial, and how to use them.

What Exactly Are Terraform Data Sources?

At its heart, a Terraform data source provides a read-only mechanism to fetch information. This is a critical distinction from Terraform resources, which are responsible for the creation, update, and deletion of infrastructure components. Data sources don't manage the lifecycle of the objects they query; they simply retrieve information for reference within your Terraform configuration.

Think of it this way:

  • resource blocks tell Terraform: "I want to manage this object (create, update, delete)."
  • data blocks tell Terraform: "I want to know about this existing object."

This read-only nature is fundamental. It allows Terraform to gather context about the current state of external or unmanaged entities, enabling more intelligent planning and execution without the risk of unintended modifications to those entities.

Why Should You Use Data Sources? The Strategic Advantages

Leveraging data sources brings several powerful benefits to your IaC strategy:

  1. Dynamic and Flexible Configurations: Instead of hardcoding values like AMI IDs or IP addresses, data sources fetch this information at runtime. This means your configurations can automatically adapt to changes, such as using the latest approved operating system image. Example: Always use the latest Amazon Linux 2 AMI.
  2. Minimized Hardcoding for Better Maintainability: Reducing hardcoded values makes your configurations more reusable across different environments (dev, staging, prod) and regions. When an external value changes (like a VPC ID), you often don't need to change your code; Terraform picks up the new value on the next run.
  3. Enhanced Modularity and Inter-Configuration Communication: Data sources like terraform_remote_state allow one Terraform configuration to consume outputs from another. This is vital for breaking down large infrastructures into manageable, independent modules (e.g., separate configurations for networking, applications, databases). While incredibly powerful, managing a growing number of remote state dependencies and their access controls can introduce complexity. Platforms designed to enhance Terraform workflows often provide more streamlined ways to handle these inter-workspace relationships and data sharing.
  4. Ensured Data Consistency: By fetching information in real-time (or from the latest state snapshot), data sources ensure your Terraform plans are based on current, accurate data, reducing deployment errors.
  5. Secure Integration of External Data (Especially Secrets): A major win for security is the ability to fetch sensitive data like API keys or database passwords from dedicated secrets management systems (e.g., HashiCorp Vault, AWS Secrets Manager) at runtime, rather than embedding them in your HCL code.

Getting Practical: How to Configure and Use Data Sources

Data sources are declared using a data block in HCL.

Basic Syntax:

data "<provider>_<type>" "<local_name>" {
  // Provider-specific arguments (filters/query constraints)
}
  • <provider>_<type>: Specifies the kind of data to fetch (e.g., aws_ami, azurerm_resource_group).
  • <local_name>: A unique name within your module to reference the fetched data.

Example 1: Fetching the Latest AWS Amazon Linux 2 AMI

# data.tf
data "aws_ami" "latest_amazon_linux" {
  most_recent = true
  owners      = ["amazon"] # Official Amazon-owned AMIs

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

# main.tf
resource "aws_instance" "web_server" {
  ami           = data.aws_ami.latest_amazon_linux.id # Use the fetched AMI ID
  instance_type = "t3.micro"
  # ... other configurations
}

Here, data.aws_ami.latest_amazon_linux.id provides the ID of the most recent AMI matching the criteria.

Example 2: Sharing Data Between Configurations with terraform_remote_state

Imagine you have a separate Terraform configuration managing your network (VPCs, subnets) and another for your application servers.

# In the application server configuration:
# data.tf
data "terraform_remote_state" "network_config" {
  backend = "remote" # Could also be "s3", "azurerm", "gcs", etc.

  config = {
    organization = "your-org-name" # Specific to HCP Terraform or Terraform Enterprise
    workspaces = {
      name = "production-network-setup"
    }
  }
}

# main.tf
resource "aws_instance" "app_server" {
  instance_type = "t3.medium"
  ami           = "ami-xxxxxxxxxxxxxxxxx" # Or use another data source
  subnet_id     = data.terraform_remote_state.network_config.outputs.private_app_subnet_id
  # ... other configurations
}

This allows the app server configuration to use the private_app_subnet_id output from the production-network-setup workspace. While terraform_remote_state is a foundational tool for this, as your infrastructure scales, managing potentially numerous remote state backends, their configurations, and access permissions can become an operational challenge. Centralized IaC management platforms can often simplify these cross-workspace dependencies and offer more granular control over shared data.

Data Sources vs. Other Terraform Constructs: A Quick Comparison

It's important to distinguish data sources from other HCL constructs used for managing values:

Feature

Input Variables (variable {})

Data Sources (data {})

Resource Outputs (output {})

Local Values (locals {})

Primary Purpose

Parameterize module/configuration.

Fetch info about existing/external resources.

Expose info from a module/configuration.

Assign a short name to an expression for reuse within a module; simplify complex logic.

Data Flow

Into module (from caller/env).

Into module (from external systems/APIs/other states).

Out of module (to caller/CLI).

Within a module.

Value Source

User-defined or defaults.

Read-only from pre-existing external data.

Derived from managed resources or other module values.

Computed from expressions (vars, resources, other locals, data source outputs).

Lifecycle Interaction

Set before/at plan start.

Read during plan (if possible) or apply (if deferred).

Generated after apply completes for dependent resources.

Calculated during plan (if all components are known).

Typical Use

Instance counts, sizes, tags.

Existing VPC/subnet IDs, AMI IDs, remote state outputs, secrets.

Resource IDs, IPs, DNS names for parent modules or other configs.

Creating complex names, combining strings, reusable calculations.

Reference Syntax

var.name

data.<TYPE>.<NAME>.<ATTRIBUTE>

module.child.output_name

local.name

Advanced Considerations and Best Practices

  • Error Handling: Use lifecycle blocks with precondition and postcondition checks within your data source blocks to validate assumptions and the integrity of fetched data. This is the modern, recommended approach over older, potentially undocumented attributes.
  • Performance: Be mindful of numerous unique data source lookups, as each can result in an API call. Use specific, efficient filters. Terraform does cache results for identical calls within a plan.
  • Dependencies: Terraform usually infers dependencies. Use depends_on sparingly, as explicit dependencies can make the configuration graph more rigid.
  • Security: Always adhere to the principle of least privilege for credentials used by Terraform to query data sources. For secrets, always integrate with a dedicated secrets manager via a data source. When using terraform_remote_state, be aware it grants access to the entire remote state; more granular sharing mechanisms or platforms that offer finer-grained output sharing might be preferable for sensitive states.

Conclusion: Data Sources are Key to Mature IaC

Terraform Data Sources are indispensable for building mature, dynamic, and resilient infrastructure. They empower your configurations to be context-aware, reducing manual effort and increasing automation reliability. By fetching information about existing resources, integrating with external systems, and enabling communication between configurations, data sources allow you to move beyond static definitions to truly adaptive infrastructure.

As your use of Terraform grows and your infrastructure becomes more complex—spanning multiple environments, regions, and teams—the ability to dynamically reference and share data becomes even more critical. Effectively managing these data flows, dependencies, and the associated governance at scale is where the true power of a well-architected IaC practice, potentially augmented by a comprehensive management platform, really shines.