Leveraging null_resource in Terraform for Complex Operations
By Vladimir Mikhalev · Solutions Architect · Docker Captain · IBM Champion
Let’s not kid ourselves. null_resource is the duct tape of Terraform. It doesn’t provision a VM. It doesn’t configure a VPC. And it sure as hell doesn’t play nice with cloud-native best practices. But used wisely, it’s the unsung hero of CI/CD glue code and one-off automation.
Here’s the plan. We get tactical with null_resource, walk through use cases I’ve actually shipped, then contrast it with the newer, cleaner terraform_data resource. By the end you’ll know which tool to reach for without feeling dirty about it.
Terraform Resources 101 (Quick Recap)
Terraform’s core mechanic is the resource block. It tells the provider, “Hey, make this thing exist.”
resource "azurerm_windows_function_app" "app" { name = "example-function-app" location = "East US"}That’s your bread-and-butter declaration. Define the desired state, then let Terraform do the heavy lifting.
But sometimes you don’t want to create anything in the cloud. You just want Terraform to do something. Run a script, call a webhook, poke Jenkins with a stick. That’s where null_resource comes in.
What the Hell is null_resource?
null_resource is exactly what it sounds like. A Terraform resource that manages nothing. No infrastructure, no API objects. Just logic.
But here’s the trick. It still behaves like a real resource. It supports lifecycle actions (create, destroy, etc.), it can depend on other resources, and most importantly, it supports provisioners and triggers.
resource "null_resource" "example" { triggers = { always_run = timestamp() }
provisioner "local-exec" { command = "echo 'Triggering follow-up actions'" }}This block runs every time, because timestamp() changes on every plan. Handy when you need to kick off external processes after infra changes.
Triggers: The Secret Sauce
Triggers are the magic behind null_resource. They control when it gets re-executed. Not based on resource state, but on changes to arbitrary data you hand it.
Example:
triggers = { hash = filemd5("config.json")}Now your null_resource only re-runs when config.json changes. That’s gold in CI/CD setups where you’re tracking file changes, API responses, or even environment variables.
Real-World Scenarios (Where null_resource Actually Earns Its Keep)
1. Post-Provision Webhook Pings
Say you’ve just spun up infrastructure and need to notify an external system. Triggering a GitHub Actions workflow, maybe, or pinging a Slack webhook.
resource "null_resource" "notify" { triggers = { infra_version = var.release_tag }
provisioner "local-exec" { command = "curl -X POST https://hooks.slack.com/services/XXX -d 'Terraform apply complete: ${var.release_tag}'" }}Why not just use curl in your pipeline? Because this runs inside Terraform’s dependency graph. It won’t fire unless upstream infra actually changed.
2. Conditional Execution Based on Dynamic Data
Say you’re pulling in an Azure storage account and want to trigger an action when its key changes.
data "azurerm_storage_account" "example" { name = "examplestorageaccount" resource_group_name = "my-rg"}
resource "null_resource" "trigger_on_key_change" { triggers = { key = data.azurerm_storage_account.example.primary_access_key }
provisioner "local-exec" { command = "echo 'Access key has changed, executing...'" }}Good for invalidating cache, refreshing secrets, or kicking off a rotation script. And yes, it’s hacky. It also works.
3. Smoke Testing After Apply
Spin up resources, run a curl test to confirm the service responds, fail fast when it doesn’t.
resource "null_resource" "smoke_test" { depends_on = [azurerm_function_app.example]
provisioner "local-exec" { command = "curl -sf http://example-app.azurewebsites.net/health || exit 1" }}You’d be surprised how often infra “successfully applies” while the app is dead on arrival. This catches those cases before CI marks the job green.
The Cleaner Alternative: terraform_data (1.4+)
Starting in Terraform 1.4, HashiCorp shipped a new built-in: terraform_data. It does what null_resource does, with less baggage, and without leaning on a provider plugin.
resource "terraform_data" "run_command" { provisioner "local-exec" { command = "echo 'Still works!'" }}You lose triggers, for now anyway. But it’s first-party and cleaner for one-off tasks. Reach for it when you’re scripting or injecting data during apply without pretending to be a cloud resource.
null_resource vs terraform_data: When to Use What
| Use Case | Use null_resource | Use terraform_data |
|---|---|---|
| Triggering on external data changes | ✅ | ❌ |
| One-time scripting | ✅ | ✅ |
| CI/CD glue between real resources | ✅ | ✅ |
| Need clean, future-proof setup | ❌ (plugin) | ✅ (built-in) |
| Want something to break later | ✅ | ❌ |
TL;DR: need triggers? Stick with null_resource. Everything else, migrate to terraform_data. It’s the cleaner, future-proof option.
Final Thoughts
If Terraform were a programming language, null_resource would be its eval(). Powerful, dangerous, misused 99% of the time.
But in the hands of someone who knows what they’re doing? It bridges the gap between infrastructure and orchestration. Think CI/CD pipelines, edge cases, the situations where Terraform alone just can’t model reality.
Don’t go overboard, though. If you find yourself writing a bash script inside a null_resource that runs a Python script that generates more HCL, maybe reconsider your life choices.
Pro Tip: Pair null_resource with depends_on and triggers for controlled chaos. Or use terraform_data if you want to sleep at night.
The Verdict
Inconvenient truths about shipping in the AI era
Container security, platform engineering, and the agentic shift — tested in production, argued without the hype. The verdict reaches your inbox the moment there's one worth sending.
Related Posts
- 1Terraform MCP server GA: the Apply Gate your auditor will ask aboutDevOps & Cloud · HashiCorp's Terraform MCP server is GA and IBM Bob can write production IaC. ENABLE_TF_OPERATIONS separates a safe assistant from autonomous apply.
- 2Docker supply chain hardening — from Scout D to OpenSSF 7.8 on a 730K-pull imageDevOps & Cloud · How I hardened a 730K-pull public Docker image from Scout grade D to OpenSSF Scorecard 7.8. Multi-stage build, cosign signing, SLSA provenance, non-root default, and the incident that changed how I ship attestations.
- 3Cloudflare Web Analytics on Astro — Why Removing GA4 Unlocked Lighthouse 100DevOps & Cloud · How removing Google Analytics 4 from an Astro site unlocked Lighthouse 100, why Cloudflare Web Analytics replaced it, and what the tradeoffs actually cost.
- 4Platform Engineering — The Complete, Practical Guide to Building Internal Developer Platforms That ScaleDevOps & Cloud · A deep, practical guide to Platform Engineering. Learn how to build internal developer platforms, golden paths, GitOps workflows, and scalable cloud foundations.
Random Posts
- 1Git Cheat SheetDevOps & Cloud · Fast and practical Git cheat sheet for developers. Learn essential Git commands for setup, commits, branching, merging, and more in one convenient guide.
- 2Master Container Security in 2025 — Best Practices & Live DemoDevOps & Cloud · Master container security in 2025 with proven Docker & Kubernetes best practices. Learn how to automate scans using Docker Scout & Snyk with real demos.
- 3DevOps and Platform Engineering DynamicsDevOps & Cloud · Explore the comprehensive impact of DevOps and Platform Engineering on software development, detailing key strategies, technological innovations, and future trends shaping the industry.
- 4Docker Scout is the Game-Changer in Container SecurityDevOps & Cloud · Docker Scout simplifies the often complex process of container security, providing a unified view of both direct and transitive dependencies across all image layers.