How to iterate over all aws_instances in terraform?

Question

I'm relatively new to terraform and I'm trying to iterate over all aws_instances to apply a null_resource. Can you use multiple splats to access all instances, regardless of their names?

The EC2 instances are broken down by three types:

aws_instance.web.* (3 instances)
aws_instance.app.* (3 instances)
aws_instance.db.*  (2 instances)

Here's my attempt to apply a null_resource to all eight aws_instances:

resource "null_resource" "install_security_package" {

  #count = "${length(aws_instance)}" #terraform error: resource count can't reference variable: aws_instance
  #count = "${length(aws_instance.*)}" #terraform error: resource variables must be three parts: TYPE.NAME.ATTR
  count = "${length(aws_instance.*.*)}" #terraform error: unknown resource 'aws_instance.*'

  connection {
    type        = "ssh"
    host        = "${element(aws_instance.*.private_ip, count.index)}"
    user        = "${lookup(var.user, var.platform)}"
    private_key = "${file("${var.private_key_path}")}"
    timeout     = "2m"
  }

  provisioner "remote-exec" {
    inline = [
      "sudo rpm -Uvh http://www.example.com/security/repo/security_baseline.rpm",
    ]
  }
}

Answer 1

It is not currently possible to match all resources of a given type. The "splat" syntax, as you've seen, only allows selecting all of the instances created from a particular resource block.

The closest you can get to this with Terraform today is to concatenate together the different resources:

concat(aws_instance.web.*.private_ip, aws_instance.app.*.private_ip, aws_instance.db.*.private_ip)

In the current version of Terraform as of this answer it is necessary to use some of the workarounds shared in github issue #4084 in order to avoid duplicating that complex expression in multiple places. A forthcoming feature called Local Values will make this simpler in the near future, allowing the list to be given an name to be re-used in multiple places:

# Won't work until Terraform PR#15449 is merged and released
locals {
  aws_instance_addrs = "${concat(aws_instance.web.*.private_ip, aws_instance.app.*.private_ip, aws_instance.db.*.private_ip)}"
}

resource "null_resource" "install_security_package" {

  count = "${length(local.aws_instance_addrs)}"

  connection {
    type        = "ssh"
    host        = "${local.aws_instance_addrs[count.index]}"
    user        = "${lookup(var.user, var.platform)}"
    private_key = "${file("${var.private_key_path}")}"
    timeout     = "2m"
  }

  provisioner "remote-exec" {
    inline = [
      "sudo rpm -Uvh http://www.example.com/security/repo/security_baseline.rpm",
    ]
  }
}