Multi-Context Deployments with OpenTofu's Provider for_each

Learn to leverage OpenTofu’s provider for_each for multi-context deployments, with concise code samples and key pitfalls to avoid.

Sebastian Stadil

4 min read

Managing infrastructure across multiple regions, accounts, or environments is a common challenge in today's cloud-native world. Infrastructure as Code (IaC) tools like OpenTofu provide the building blocks, but traditionally, configuring providers for each distinct context could lead to verbose and repetitive code. OpenTofu's introduction of the for_each meta-argument for provider blocks offers a more elegant solution.

While for_each significantly simplifies the OpenTofu configuration for these scenarios, managing the underlying credentials, ensuring consistent application of policies, and maintaining visibility across numerous dynamic environments, especially at enterprise scale, is where platforms like Scalr can offer significant leverage by providing a robust management and governance layer.

Understanding Provider Iteration with for_each

At its core, for_each in a provider block allows you to create multiple instances of a provider configuration from a single block, based on a map or a set of strings. This is invaluable when you need to interact with a provider under various, slightly different contexts—think deploying to multiple AWS regions or managing different Kubernetes clusters.

Key Syntax Elements:

  • for_each: Takes a map or a set of strings. For each item, a provider instance is created.
  • each.key / each.value: Inside the provider block, each.key gives you the map key (or set item), and each.value gives you the map value (or set item).
  • alias (Mandatory & Static): You must provide a static alias for the group of provider instances. This alias acts as a base name, and individual instances are referenced using this alias and a key (e.g., aws.my_regional_providers["us-east-1"]). It cannot be dynamic or use each.key.

Let's look at a fundamental example:

variable "provider_contexts" {
  type = map(object({
    region_name  = string
    api_endpoint = optional(string) # Example of another context-specific attribute
  }))
  default = {
    "context_a" = { region_name = "us-east-1" }
    "context_b" = { region_name = "eu-west-2" }
  }
}

provider "aws" {
  alias    = "per_context" // Static alias
  for_each = var.provider_contexts

  region = each.value.region_name // Using the value from the map
  # Other provider-specific arguments can use each.key or each.value
  # e.g., default_tags { tags = { "ContextKey" = each.key } }
}

This single provider "aws" block will generate two AWS provider instances, aliased under per_context, configured for us-east-1 and eu-west-2 respectively.

Referencing Iterated Providers in Resources

Once defined, these iterated provider instances must be explicitly referenced in your resource or data blocks using the provider meta-argument. They are considered alternate provider configurations and are never selected automatically.

resource "aws_vpc" "example_vpc" {
  for_each = var.provider_contexts // Assuming var.provider_contexts drives VPC creation too

  provider = aws.per_context[each.key] // Explicitly selecting the provider

  cidr_block = "10.0.0.0/16" // Example CIDR, likely make this dynamic too
  tags = {
    Name   = "vpc-${each.key}"
    Region = each.value.region_name
  }
}

Failure to specify the provider will lead OpenTofu to attempt using the default (unaliased) provider, potentially causing errors if it's not defined or misconfigured.

Powering Up with Modules

The real power of provider iteration shines when combined with OpenTofu modules. You can instantiate a module multiple times, once for each provider context, by passing the specific iterated provider instance to each module instance via the providers map.

# Assuming the 'provider "aws" "per_context"' block from above

module "regional_app_stack" {
  source   = "./modules/app-stack" // Your reusable application stack module
  for_each = var.provider_contexts

  providers = {
    # Inside the child module, 'aws' will refer to the specific iterated instance
    aws = aws.per_context[each.key]
  }

  # Other module inputs
  environment_name = each.key
  vpc_cidr_block   = "10.0.0.0/16" // Example, make dynamic as needed
}

The child module (./modules/app-stack) would then use this passed-in aws provider for its resources.

Key Benefits of Provider for_each

Adopting for_each for providers brings several advantages:

  • Conciseness: Drastically reduces boilerplate code compared to defining multiple aliased provider blocks manually.
  • Scalability: Easily add or remove provider contexts by modifying the input map or set. This is a significant win for dynamic environments.
  • Maintainability: Centralizes the core logic of provider configuration. Updates can often be made in one place.
  • Data-Driven Infrastructure: Encourages managing your environments (regions, accounts, etc.) as data, separating the "what" from the "how."

As configurations grow with many dynamic provider instances, maintaining visibility, ensuring consistent credential management, and enforcing organizational policies across an enterprise becomes crucial. This is an area where centralized management platforms like Scalr can provide significant value, offering features such as environment-scoped credentials, hierarchical configuration models, and robust policy enforcement that build upon OpenTofu's foundational capabilities.

for_each vs. Multiple alias Blocks: A Quick Comparison

Feature/Aspect

for_each on Providers

Multiple Static alias Blocks

Number of Instances

Ideal for many or variable instances

Better for a very small, fixed number (e.g., 2-3)

Dynamism (Add/Remove)

Easy: modify input data (map/set)

Manual: add/remove entire provider blocks

Code Conciseness

High: logic defined once

Low: repetitive with many instances

Configuration Management

Centralized by input data

Distributed, each block is separate

Lifecycle (Destroy)

Requires care: two-step removal often needed

More explicit removal, but dependencies still matter

Typical Use

N regions/accounts/projects from a list/map

Few specific alternates (e.g., primary/DR)

Important Considerations

  • Static alias and for_each Value: The alias must be a static string, and the value for for_each must be known at plan time (no dependencies on apply-time attributes).
  • Lifecycle Management: When removing a provider instance from the for_each iteration, ensure resources managed by it are destroyed or re-parented first. This often means a two-step apply:
    1. Remove/reconfigure dependent resources, then tofu apply.
    2. Remove the entry from the provider's for_each map/set, then tofu apply.
  • Explicit Referencing: Always use the provider meta-argument in resources/data sources to point to the correct iterated provider instance.
  • Module Design: For iterated modules, design them to receive provider configurations via the providers map rather than defining providers internally.

Conclusion

OpenTofu's for_each meta-argument for providers is a powerful feature that significantly simplifies the management of multi-context infrastructure. It promotes cleaner, more scalable, and maintainable IaC. By understanding its mechanics and adhering to best practices, teams can effectively automate deployments across diverse environments.

For organizations looking to harness this power effectively across multiple teams, complex projects, and stringent compliance landscapes, pairing OpenTofu's flexibility with a robust infrastructure automation and collaboration platform like Scalr can unlock further efficiencies. Scalr can help manage the complexity of numerous provider configurations by offering features like centralized state management, environment-specific variable and credential injection, and fine-grained access controls, ensuring that your dynamic infrastructure remains secure, compliant, and manageable at scale.