4.6. Reflection Checkpoint

Key Takeaways

• resource blocks tell Terraform to manage an object; data blocks tell it to read one — removing a resource destroys it, removing a data block only stops the lookup.
• Terraform builds dependencies implicitly from references; reserve depends_on for hidden relationships a reference can't express.
• Variables are module inputs (with a defined precedence — command line wins), outputs are module return values (the only way data leaves a child module), and locals are private computed values.
• Configuration is dynamic through types, expressions (conditional/for/splat/dynamic), and built-in functions — you compose built-ins; you can't define your own core functions.
• Custom conditions (validation, pre/postconditions block; check blocks warn) enforce correctness; for secrets, sensitive only hides display while ephemeral values and write-only arguments actually keep values out of state.

Connecting Forward

Phase 5 takes everything you've learned about configuration and packages it for reuse: modules. You'll see how the variable/output interface you just studied becomes a module's public API, where modules come from, and how to version them safely — the foundation for sharing infrastructure code across a team.

Self-Check Questions

• Explain the difference between resource and data using the consequences of deleting each block.
• Trace why referencing aws_vpc.main.id in a subnet both passes a value and guarantees creation order — and when you'd instead need depends_on.
• A secret is set in a sensitive variable and also read from Vault via a data source. Where does that secret end up, and what would you change to keep it out of state?