Battle-tested for Privacy & Velocity.
đ¸ Proton VPN â Network Defense
đ Proton Pass â Identity Vault
đŚ GitKraken Pro â Visual Ops
Leveraging null_resource in Terraform for Complex Operations
Letâs not kid ourselves â null_resource is the duct tape of Terraform. It doesnât provision a VM, it doesnât configure a VPC, and it sure as hell doesnât play nice with cloud-native best practices. But used wisely, itâs the unsung hero of CI/CD glue code and one-off automation.
In this post, weâll get tactical with null_resource, walk through real-world use cases, and contrast it with the newer (and cleaner) terraform_data resource â so you know when to reach for which tool without feeling dirty.
Terraform Resources 101 (Quick Recap)
Terraformâs core mechanic is the resource block â which tells the provider, âHey, make this thing exist.â
resource "azurerm_windows_function_app" "app" { name = "example-function-app" location = "East US"}Thatâs your bread-and-butter declaration: define the desired state, let Terraform do the heavy lifting.
But sometimes, you donât want to create anything in the cloud. You just want Terraform to do something â run a script, call a webhook, poke Jenkins with a stick. Thatâs where null_resource comes in.
What the Hell is null_resource?
null_resource is exactly what it sounds like: a Terraform resource that manages nothing. No infrastructure, no API objects â just logic.
But hereâs the trick: it still behaves like a real resource. It supports lifecycle actions (create, destroy, etc.), can depend on other resources, and â most importantly â supports provisioners and triggers.
resource "null_resource" "example" { triggers = { always_run = timestamp() }
provisioner "local-exec" { command = "echo 'Triggering follow-up actions'" }}This block runs every time because the timestamp() changes on every plan. Perfect for when you need to kick off external processes after infra changes.
Triggers: The Secret Sauce
Triggers are the magic behind null_resource. They control when it gets re-executed â not based on resource state, but on changes to arbitrary data.
Example:
triggers = { hash = filemd5("config.json")}Now your null_resource only re-runs when config.json changes. This is gold in CI/CD setups where youâre tracking file changes, API responses, or even environment variables.
Real-World Scenarios (Where null_resource Actually Earns Its Keep)
1. Post-Provision Webhook Pings
Say youâve just spun up infrastructure and need to notify an external system â like triggering a GitHub Actions workflow or pinging a Slack webhook.
resource "null_resource" "notify" { triggers = { infra_version = var.release_tag }
provisioner "local-exec" { command = "curl -X POST https://hooks.slack.com/services/XXX -d 'Terraform apply complete: ${var.release_tag}'" }}Why not just use curl in your pipeline? Because this runs inside Terraformâs dependency graph â meaning it wonât fire unless upstream infra actually changed.
2. Conditional Execution Based on Dynamic Data
Letâs say youâre pulling in an Azure storage account and want to trigger an action when its key changes.
data "azurerm_storage_account" "example" { name = "examplestorageaccount" resource_group_name = "my-rg"}
resource "null_resource" "trigger_on_key_change" { triggers = { key = data.azurerm_storage_account.example.primary_access_key }
provisioner "local-exec" { command = "echo 'Access key has changed, executing...'" }}This is ideal for invalidating cache, refreshing secrets, or kicking off a rotation script. And yes, itâs hacky â but it works.
3. Smoke Testing After Apply
Spin up resources, run a curl test to confirm the service responds, fail fast if it doesnât.
resource "null_resource" "smoke_test" { depends_on = [azurerm_function_app.example]
provisioner "local-exec" { command = "curl -sf http://example-app.azurewebsites.net/health || exit 1" }}Youâd be surprised how often infra âsuccessfully appliesâ but the app is dead. This catches those cases before CI marks the job green.
The Cleaner Alternative: terraform_data (1.4+)
Starting in Terraform 1.4, HashiCorp added a new built-in: terraform_data. It does what null_resource does â just with less baggage and without relying on a provider plugin.
resource "terraform_data" "run_command" { provisioner "local-exec" { command = "echo 'Still works!'" }}You lose triggers (for now), but itâs first-party and cleaner for one-off tasks. Ideal for scripting or injecting data during apply without pretending to be a cloud resource.
null_resource vs terraform_data: When to Use What
| Use Case | Use null_resource | Use terraform_data |
|---|---|---|
| Triggering on external data changes | â | â |
| One-time scripting | â | â |
| CI/CD glue between real resources | â | â |
| Need clean, future-proof setup | â (plugin) | â (built-in) |
| Want something to break later | â | â |
TL;DR: If you need triggers, stick with null_resource. Otherwise, migrate to terraform_data as the cleaner, future-proof alternative.
Final Thoughts
If Terraform were a programming language, null_resource would be its eval() â powerful, dangerous, and misused 99% of the time.
But in the hands of someone who knows what theyâre doing? It bridges the gap between infrastructure and orchestration â especially in CI/CD pipelines, edge cases, or situations where Terraform alone canât model reality.
Just donât go overboard. If you find yourself writing a bash script inside a null_resource that runs a Python script that generates more HCL⌠maybe reconsider your life choices.
Pro Tip: Pair null_resource with depends_on and triggers for controlled chaos. Or use terraform_data if you want to sleep at night.
SIGNAL & INTEL
- The Private Order: Stop being a grunt. Become an Architect. Join The Private Order.
DOCKER CAPTAIN  ¡ HASHICORP AMBASSADOR  ¡ AWS COMMUNITY BUILDER