Dynamic block not reflected in terraform plan when for_each argument is known after apply

[QBY-MauriceBaerisch]

Terraform Version

Terraform v1.7.4
on windows_386
+ provider registry.terraform.io/hashicorp/azurerm v3.0.2

Terraform Configuration Files

# Configure the Azure provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0.2"
    }
  }

  required_version = ">= 1.1.0"
}

provider "azurerm" {
  features {}

  skip_provider_registration = true
}

Debug Output

https://gist.github.com/QBY-MauriceBaerisch/521ff40682bebb6b43f22244063a2509

Expected Behavior

The creation of the nested dns block should be reflected in the terraform plan.

Actual Behavior

The creation of the nested dns block is not reflected in the terraform plan.

According to the terraform plan, the nested dns block will not be created.
However, if I run terraform apply, the nested dns block is indeed processed and the servers are added in Azure.

Terraform will perform the following actions:

  # azurerm_firewall_policy.example will be created
  + resource "azurerm_firewall_policy" "example" {
      + child_policies           = (known after apply)
      + firewalls                = (known after apply)
      + id                       = (known after apply)
      + location                 = "westeurope"
      + name                     = "example-policy"
      + resource_group_name      = "rg-DynamicBlocks-dev-01"
      + rule_collection_groups   = (known after apply)
      + sku                      = (known after apply)
      + threat_intelligence_mode = "Alert"
    }

  # azurerm_ip_group.example will be created
  + resource "azurerm_ip_group" "example" {
      + cidrs               = [
          + "10.0.0.0/16",
        ]
      + id                  = (known after apply)
      + location            = "westeurope"
      + name                = "example1-ipgroup"
      + resource_group_name = "rg-DynamicBlocks-dev-01"
      + tags                = {
          + "environment" = "dev"
        }
    }

  # azurerm_resource_group.example will be created
  + resource "azurerm_resource_group" "example" {
      + id       = (known after apply)
      + location = "westeurope"
      + name     = "rg-DynamicBlocks-dev-01"
    }

Steps to Reproduce

Using azurerm and the example

resource "azurerm_resource_group" "example" {
  name     = "rg-DynamicBlocks-dev-01"
  location = "westeurope"
}

resource "azurerm_ip_group" "example" {
  name                = "example1-ipgroup"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  cidrs = ["10.0.0.0/16"]

  tags = {
    environment = "dev"
  }
}

resource "azurerm_firewall_policy" "example" {
  name                = "example-policy"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  dynamic "dns" {
    for_each = azurerm_ip_group.example.id == null ? [] : [1]
    content {
      servers = ["8.8.8.8"]
    }
  }
}

where the nested dns block should be dynamically created based on the id of the ip group (which is known after apply), you will see that the dynamic block is not shown in the terraform plan.

1. terraform init
2. terraform apply

Additional Context

We try to build nested blocks based on variables known after apply. Unfortunately you cannot use the count field for nested blocks, as described in this issue

An issue for the azurerm provider has already been opened and closed. We believe this is an issue with the terraform core.

References

• Dynamically create nested blocks using the count meta-argument #33105

[jbardin]

Hi @QBY-MauriceBaerisch,

Thanks for filing the issue! If you inspect the full json plan output you should be able to see that the dns value is unknown. There does seem to be a bug in the renderer for the CLI output which is not showing that block at all when it's contents are entirely unknown.

Thanks!