Production-tested. Partner links.
🛸 Proton VPN – Encrypted tunnel
🔐 Proton Pass – Zero-knowledge vault
🦑 GitKraken Pro – Visual Git client
🐧 Linux Foundation – Code: VALDEMAR
Leveraging null_resource in Terraform for Complex Operations
By Vladimir Mikhalev · Solutions Architect · Docker Captain · IBM Champion
Let’s not kid ourselves. null_resource is the duct tape of Terraform. It doesn’t provision a VM. It doesn’t configure a VPC. And it sure as hell doesn’t play nice with cloud-native best practices. But used wisely, it’s the unsung hero of CI/CD glue code and one-off automation.
Here’s the plan. We get tactical with null_resource, walk through use cases I’ve actually shipped, then contrast it with the newer, cleaner terraform_data resource. By the end you’ll know which tool to reach for without feeling dirty about it.
Terraform Resources 101 (Quick Recap)
Terraform’s core mechanic is the resource block. It tells the provider, “Hey, make this thing exist.”
resource "azurerm_windows_function_app" "app" { name = "example-function-app" location = "East US"}That’s your bread-and-butter declaration. Define the desired state, then let Terraform do the heavy lifting.
But sometimes you don’t want to create anything in the cloud. You just want Terraform to do something. Run a script, call a webhook, poke Jenkins with a stick. That’s where null_resource comes in.
What the Hell is null_resource?
null_resource is exactly what it sounds like. A Terraform resource that manages nothing. No infrastructure, no API objects. Just logic.
But here’s the trick. It still behaves like a real resource. It supports lifecycle actions (create, destroy, etc.), it can depend on other resources, and most importantly, it supports provisioners and triggers.
resource "null_resource" "example" { triggers = { always_run = timestamp() }
provisioner "local-exec" { command = "echo 'Triggering follow-up actions'" }}This block runs every time, because timestamp() changes on every plan. Handy when you need to kick off external processes after infra changes.
Triggers: The Secret Sauce
Triggers are the magic behind null_resource. They control when it gets re-executed. Not based on resource state, but on changes to arbitrary data you hand it.
Example:
triggers = { hash = filemd5("config.json")}Now your null_resource only re-runs when config.json changes. That’s gold in CI/CD setups where you’re tracking file changes, API responses, or even environment variables.
Real-World Scenarios (Where null_resource Actually Earns Its Keep)
1. Post-Provision Webhook Pings
Say you’ve just spun up infrastructure and need to notify an external system. Triggering a GitHub Actions workflow, maybe, or pinging a Slack webhook.
resource "null_resource" "notify" { triggers = { infra_version = var.release_tag }
provisioner "local-exec" { command = "curl -X POST https://hooks.slack.com/services/XXX -d 'Terraform apply complete: ${var.release_tag}'" }}Why not just use curl in your pipeline? Because this runs inside Terraform’s dependency graph. It won’t fire unless upstream infra actually changed.
2. Conditional Execution Based on Dynamic Data
Say you’re pulling in an Azure storage account and want to trigger an action when its key changes.
data "azurerm_storage_account" "example" { name = "examplestorageaccount" resource_group_name = "my-rg"}
resource "null_resource" "trigger_on_key_change" { triggers = { key = data.azurerm_storage_account.example.primary_access_key }
provisioner "local-exec" { command = "echo 'Access key has changed, executing...'" }}Good for invalidating cache, refreshing secrets, or kicking off a rotation script. And yes, it’s hacky. It also works.
3. Smoke Testing After Apply
Spin up resources, run a curl test to confirm the service responds, fail fast when it doesn’t.
resource "null_resource" "smoke_test" { depends_on = [azurerm_function_app.example]
provisioner "local-exec" { command = "curl -sf http://example-app.azurewebsites.net/health || exit 1" }}You’d be surprised how often infra “successfully applies” while the app is dead on arrival. This catches those cases before CI marks the job green.
The Cleaner Alternative: terraform_data (1.4+)
Starting in Terraform 1.4, HashiCorp shipped a new built-in: terraform_data. It does what null_resource does, with less baggage, and without leaning on a provider plugin.
resource "terraform_data" "run_command" { provisioner "local-exec" { command = "echo 'Still works!'" }}You lose triggers, for now anyway. But it’s first-party and cleaner for one-off tasks. Reach for it when you’re scripting or injecting data during apply without pretending to be a cloud resource.
null_resource vs terraform_data: When to Use What
| Use Case | Use null_resource | Use terraform_data |
|---|---|---|
| Triggering on external data changes | ✅ | ❌ |
| One-time scripting | ✅ | ✅ |
| CI/CD glue between real resources | ✅ | ✅ |
| Need clean, future-proof setup | ❌ (plugin) | ✅ (built-in) |
| Want something to break later | ✅ | ❌ |
TL;DR: need triggers? Stick with null_resource. Everything else, migrate to terraform_data. It’s the cleaner, future-proof option.
Final Thoughts
If Terraform were a programming language, null_resource would be its eval(). Powerful, dangerous, misused 99% of the time.
But in the hands of someone who knows what they’re doing? It bridges the gap between infrastructure and orchestration. Think CI/CD pipelines, edge cases, the situations where Terraform alone just can’t model reality.
Don’t go overboard, though. If you find yourself writing a bash script inside a null_resource that runs a Python script that generates more HCL, maybe reconsider your life choices.
Pro Tip: Pair null_resource with depends_on and triggers for controlled chaos. Or use terraform_data if you want to sleep at night.
Related Posts
- 1Docker supply chain hardening — from Scout D to OpenSSF 7.8 on a 730K-pull imageDevOps & Cloud · How I hardened a 730K-pull public Docker image from Scout grade D to OpenSSF Scorecard 7.8. Multi-stage build, cosign signing, SLSA provenance, non-root default, and the incident that changed how I ship attestations.
- 2Cloudflare Web Analytics on Astro — Why Removing GA4 Unlocked Lighthouse 100DevOps & Cloud · How removing Google Analytics 4 from an Astro site unlocked Lighthouse 100, why Cloudflare Web Analytics replaced it, and what the tradeoffs actually cost.
- 3Platform Engineering — The Complete, Practical Guide to Building Internal Developer Platforms That ScaleDevOps & Cloud · A deep, practical guide to Platform Engineering. Learn how to build internal developer platforms, golden paths, GitOps workflows, and scalable cloud foundations.
- 4Amazon Q vs DevOps Chaos — Can This AI Fix AWS Faster Than You?DevOps & Cloud · Fix AWS issues faster with Amazon Q, the AI assistant built for DevOps. Real-world examples, limitations, and how it compares to ChatGPT.
Random Posts
- 1Install Homebox Using Docker ComposeSelf-Hosting · Step-by-step guide to install Homebox with Docker Compose and Traefik. Secure your home inventory system with HTTPS using Let's Encrypt.
- 2Install Bitwarden on Ubuntu Server 20.04 LTSSelf-Hosting · Step-by-step guide to install Bitwarden on Ubuntu Server 20.04 LTS using Docker and Let's Encrypt. Secure your passwords with this open-source solution.
- 3Install Confluence Using Docker ComposeSelf-Hosting · Learn how to install Confluence using Docker Compose with Traefik and Let's Encrypt. Step-by-step setup for secure, self-hosted Atlassian documentation.
- 4Install Exchange Server 2013SysAdmin & IT Pro · Step-by-step guide to install Exchange Server 2013 on Windows Server 2012 R2, including prerequisites, AD preparation, and full installation walkthrough.