Resource dependencies
Terraform builds a dependency graph from your configuration to determine the correct order for creating, updating, and destroying resources.
When Terraform runs, it analyzes your configuration and builds a dependency graph. This graph determines the order in which resources are created and identifies which resources can be provisioned in parallel. The following configuration creates an ECS instance along with its required networking resources:
provider "alicloud" {
# Configure your Alibaba Cloud credentials and region.
# To avoid exposing sensitive credentials, use environment variables:
# export ALICLOUD_ACCESS_KEY="<Your Alibaba Cloud AccessKey>"
# export ALICLOUD_SECRET_KEY="<Your Alibaba Cloud SecretKey>"
region = "cn-hangzhou"
}
# Create a VPC.
resource "alicloud_vpc" "my_vpc" {
vpc_name = "main-vpc"
cidr_block = "10.0.0.0/16"
}
# Create a vSwitch.
resource "alicloud_vswitch" "my_vswitch" {
vpc_id = alicloud_vpc.my_vpc.id
cidr_block = "10.0.1.0/24"
zone_id = "cn-hangzhou-h"
vswitch_name = "main-vswitch"
}
# Create a security group.
resource "alicloud_security_group" "my_sg" {
vpc_id = alicloud_vpc.my_vpc.id
name = "main-security-group"
}
# Add a security group rule to allow SSH access.
resource "alicloud_security_group_rule" "allow_ssh" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "22/22"
priority = 1
security_group_id = alicloud_security_group.my_sg.id
cidr_ip = "0.0.0.0/0"
}
# Create an ECS instance.
resource "alicloud_instance" "my_instance" {
instance_name = "Ubuntu20-Instance"
image_id = "ubuntu_20_04_x64_20G_alibase_20240508.vhd" # Ubuntu 20.04 image ID.
instance_type = "ecs.c6.large" # 2 vCPUs and 4 GiB of memory.
security_groups = [alicloud_security_group.my_sg.id]
vswitch_id = alicloud_vswitch.my_vswitch.id
internet_charge_type = "PayByTraffic"
instance_charge_type = "PostPaid"
system_disk_category = "cloud_efficiency"
password = "Abc@12345" # Replace with your logon password.
internet_max_bandwidth_out = 10 # Set to a value greater than 0 to assign an internet IP address automatically.
tags = {
Name = "ubuntu20"
}
}
In this configuration, the ECS instance depends on the security group and the vSwitch — established through the security_groups and vswitch_id property references. For resources with no dependencies between them, Terraform runs provisioning in parallel to reduce total deployment time.
Dependencies
Terraform supports two types of dependencies: implicit and explicit. Implicit dependencies are detected automatically. Explicit dependencies must be declared manually using the depends_on meta-argument.
Implicit dependencies
When a resource references an attribute of another resource, Terraform infers the relationship as an implicit dependency.
In this example:
The vSwitch and security group depend on the VPC.
The ECS instance depends on both the vSwitch and the security group.
The security group rule depends on the security group.
All of these are implicit dependencies — Terraform detects them through attribute references in property assignments.
For example, the vswitch_id parameter for my_instance references alicloud_vswitch.my_vswitch.id. This reference creates an implicit dependency from the instance to the vSwitch, so Terraform knows to create the vSwitch first.
The creation order for this configuration is:
my_vpcis created first.my_vswitchandmy_sgare created in parallel (both depend only onmy_vpc).my_instanceis created last (depends on bothmy_vswitchandmy_sg).
After all resources are created, Terraform saves their properties to the state file. It sets vpc_id in my_vswitch and my_sg to the ID of my_vpc, and sets vswitch_id and security_groups in my_instance using the IDs from my_vswitch and my_sg.
Explicit dependencies
Use depends_on to handle hidden dependencies — cases where a resource relies on another resource's behavior but does not reference any of its attributes. Because Terraform cannot infer these relationships automatically, you must declare them explicitly.
depends_on accepts a list of references to other resources or modules in the same configuration.
For example, suppose you need to add security group rules for ports 443 and 8080, and the rule for port 8080 must be created only after the rule for port 443. Because no attribute reference connects these two rules, Terraform cannot detect this ordering requirement. Use depends_on to declare it:
With depends_on declared, Terraform creates the port 443 rule before the port 8080 rule when you run terraform apply.
The order in which you define resources in your configuration files does not affect execution order. Organize your configuration files in whatever way best suits your team.
Best practices
Prefer implicit dependencies. When possible, use attribute references to express resource relationships. Implicit dependencies are automatically detected and require no extra maintenance.
Use depends_on as a last resort. depends_on can cause Terraform to generate more conservative execution plans — treating more values as unknown (known after apply) and potentially replacing more resources than necessary. This effect is especially pronounced when depends_on is used with modules. Use it only when a hidden dependency cannot be expressed through an attribute reference.
Document your explicit dependencies. When you add depends_on, include a comment explaining why it is necessary. This helps teammates understand the intent and avoids the dependency being removed inadvertently. For example:
resource "alicloud_security_group_rule" "allow_8080" {
# ...
depends_on = [
# The port 8080 rule must be created after the port 443 rule
# because the upstream service performs a health check on 443 first.
alicloud_security_group_rule.allow_443,
]
}
Run terraform plan before applying. Use terraform plan to verify that the dependency graph produces the expected creation order before committing changes.