Problem statement
When trying to provision our tenant configuration using Terraform, we received a dependency error.
Symptoms
We have race condition issues because a client_app is created before the tenant flags are updated.
Solution
This happens because the dependency is not declared. The depends_on argument must be used in the main.tf file, as explained in the HashiCorp documentation:
resource "aws_iam_role" "example" {
  name = "example"

  # assume_role_policy is omitted for brevity in this example. Refer to the
  # documentation for aws_iam_role for a complete example.
  assume_role_policy = "..."
}

resource "aws_iam_instance_profile" "example" {
  # Because this expression refers to the role, Terraform can infer
  # automatically that the role must be created first.
  role = aws_iam_role.example.name
}

resource "aws_iam_role_policy" "example" {
  name = "example"
  role = aws_iam_role.example.name
  policy = jsonencode({
    "Statement" = [{
      # This policy allows software running on the EC2 instance to
      # access the S3 API.
      "Action" = "s3:*",
      "Effect" = "Allow",
    }],
  })
}

resource "aws_instance" "example" {
  ami           = "ami-a1b2c3d4"
  instance_type = "t2.micro"

  # Terraform can infer from this that the instance profile must
  # be created before the EC2 instance.
  iam_instance_profile = aws_iam_instance_profile.example

  # However, if the software running in this EC2 instance needs access
  # to the S3 API in order to boot properly, there is also a "hidden"
  # dependency on the aws_iam_role_policy that Terraform cannot
  # automatically infer, so it must be declared explicitly:
  depends_on = [
    aws_iam_role_policy.example
  ]
}
The following argument must not be omitted:

depends_on = [
  <resource>.<resource_name>
]
However, in some cases the depends_on argument cannot be used, for instance when you are using custom Terraform modules and resources at the same time. In that case, we suggest the following:
- Put all resources that must follow a given order inside the same module and use the depends_on meta-argument there.
- Ask HashiCorp whether this is supported at this point or whether it is on the roadmap.
Having said that, please note that this falls outside Auth0’s support scope and within Terraform’s implementation scope.
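The ordering described under Symptoms, applied to Auth0 resources kept in one module as suggested above. This is an added example, not taken from the Auth0 or HashiCorp documentation; the resource names, the friendly_name value and the choice of the enable_client_connections flag are assumptions made for illustration.

```hcl
# Added example: names and the chosen flag are assumptions, not the
# configuration from the original report.
terraform {
  required_providers {
    auth0 = {
      source = "auth0/auth0"
    }
  }
}

# Tenant-wide flags. With enable_client_connections = false, Auth0 does
# not enable every existing connection on newly created clients.
resource "auth0_tenant" "main" {
  friendly_name = "Example tenant" # constructed value

  flags {
    enable_client_connections = false
  }
}

# The client does not reference any attribute of auth0_tenant.main, so
# Terraform cannot infer the ordering and may create both in parallel.
# If the client is created first, it is created under the old flag value.
resource "auth0_client" "web_app" {
  name     = "example-web-app" # constructed value
  app_type = "regular_web"

  # Hidden dependency declared explicitly: apply the tenant flags
  # before creating the client.
  depends_on = [
    auth0_tenant.main
  ]
}
```

Running terraform graph on this configuration shows the edge from auth0_client.web_app to auth0_tenant.main, which confirms the ordering before apply.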