	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Terraform and IaC > Terraform Basics > Terraform Data Sources

Terraform Data Sources

Author: Venkata Sudhakar

A Terraform data source reads information about existing infrastructure that Terraform did not create and does not manage. While a resource block creates and manages a cloud resource, a data block fetches read-only information about something that already exists - a VPC created manually, a secret stored in Secret Manager, the latest AMI ID, or an existing DNS zone. This lets your Terraform configuration reference existing infrastructure without importing it into state or creating a dependency on another module.

Data sources are declared with the data keyword and follow the pattern data.TYPE.NAME.ATTRIBUTE. They are resolved during terraform plan, before any resources are created. Common uses: look up the latest approved AMI or container image version, read a secret from Vault or Secret Manager rather than hardcoding it, reference a VPC or subnet that was created by a different team, or get the current GCP project number to build resource paths.

The below example shows three practical data source uses: looking up an existing VPC, reading a secret from GCP Secret Manager, and fetching the current GCP project.

# data source 1: look up an existing VPC by name (created outside Terraform)
data "google_compute_network" "existing_vpc" {
  name    = "production-vpc"
  project = var.project_id
}

# data source 2: read the current GCP project metadata
data "google_project" "current" {}

# data source 3: read a secret from GCP Secret Manager
data "google_secret_manager_secret_version" "db_password" {
  secret  = "prod-db-password"
  version = "latest"
}

# Now use the data sources in resource blocks
resource "google_container_cluster" "gke" {
  name    = "app-cluster"
  project = data.google_project.current.project_id

# Reference the existing VPC - not managed by this config
  network    = data.google_compute_network.existing_vpc.id
  subnetwork = "${data.google_compute_network.existing_vpc.id}/subnetworks/app-subnet"
}

resource "google_sql_database_instance" "postgres" {
  name             = "app-db"
  database_version = "POSTGRES_15"

settings {
    tier = "db-f1-micro"
    # Use the secret value - never hardcoded in Terraform
    # (store connection string in app, not in Terraform outputs)
  }
}

output "project_number" {
  value = data.google_project.current.number
}

It gives the following output during plan,

terraform plan

data.google_project.current: Reading...
data.google_project.current: Read complete [id=myproject]

data.google_compute_network.existing_vpc: Reading...
data.google_compute_network.existing_vpc: Read complete [id=projects/myproject/global/networks/production-vpc]

data.google_secret_manager_secret_version.db_password: Reading...
data.google_secret_manager_secret_version.db_password: Read complete

Outputs:
  project_number = "123456789012"

Plan: 2 to add, 0 to change, 0 to destroy.
# Data sources are READ ONLY - they never appear in the plan as changes

It gives the following output,

data.google_container_engine_versions.gke_versions: Reading...
data.google_container_engine_versions.gke_versions: Read complete

Outputs:
  gke_version_used = "1.28.8-gke.1095000"

# The data source fetches the current latest 1.28.x version at plan time
# No hardcoded version in your config - always picks up the latest patch

Data sources are powerful for bridging separately-managed infrastructure. Use them when: a resource was created by hand or by another team, you want to reference a value that changes over time (like latest AMI), or you need to read a secret without storing it in Terraform state. Never use a data source to read a resource that your current configuration also manages - use the resource reference directly instead (google_compute_network.my_vpc.id not data.google_compute_network.my_vpc.id) to get the correct dependency graph.

Send your comments, suggestions or queries regarding this site to [email protected].