Bird
Raised Fist0
Terraformcloud~5 mins

Remote state data source for cross-project in Terraform - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
When you manage infrastructure across multiple projects, you often need to share information between them. Remote state data source lets one Terraform project read the state data from another project safely and reliably.
When you want to use outputs from one Terraform project as inputs in another project.
When you manage infrastructure in separate projects but need to connect resources between them.
When you want to avoid duplicating resource definitions by referencing existing infrastructure state.
When you want to keep Terraform states isolated but still share data securely.
When you want to automate infrastructure deployment that depends on resources created elsewhere.
Config File - main.tf
main.tf
terraform {
  required_version = ">= 1.3.0"
}

provider "aws" {
  region = "us-east-1"
}

# Data source to read remote state from another project stored in S3

data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "example-terraform-state-bucket"
    key    = "network/terraform.tfstate"
    region = "us-east-1"
  }
}

resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  # Use subnet ID from remote state output
  subnet_id = data.terraform_remote_state.network.outputs.public_subnet_id

  tags = {
    Name = "web-instance"
  }
}

This Terraform file shows how to use the terraform_remote_state data source to read outputs from a remote state stored in an S3 bucket.

The data "terraform_remote_state" "network" block configures where to find the remote state file.

The aws_instance resource uses the subnet ID output from the remote state to place the instance in the correct subnet.

Commands
Initializes the Terraform working directory and downloads necessary providers and modules.
Terminal
terraform init
Expected OutputExpected
Initializing the backend... Initializing provider plugins... - Finding latest version of hashicorp/aws... - Installing hashicorp/aws v4.54.0... - Installed hashicorp/aws v4.54.0 (signed by HashiCorp) Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work.
Shows the planned actions Terraform will take, including reading remote state outputs to configure resources.
Terminal
terraform plan
Expected OutputExpected
Refreshing Terraform state in-memory prior to plan... An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # aws_instance.web will be created + resource "aws_instance" "web" { + ami = "ami-0c55b159cbfafe1f0" + arn = (known after apply) + instance_type = "t2.micro" + subnet_id = "subnet-0abcd1234ef567890" + tags = { + "Name" = "web-instance" } } Plan: 1 to add, 0 to change, 0 to destroy.
Applies the planned changes to create the AWS instance using the subnet from the remote state.
Terminal
terraform apply -auto-approve
Expected OutputExpected
aws_instance.web: Creating... aws_instance.web: Still creating... [10s elapsed] aws_instance.web: Creation complete after 15s [id=i-0a1b2c3d4e5f67890] Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
-auto-approve - Automatically approves the apply without prompting for confirmation.
Displays the outputs of the current Terraform state, useful to verify values after apply.
Terminal
terraform output
Expected OutputExpected
No output (command runs silently)
Key Concept

If you remember nothing else from this pattern, remember: terraform_remote_state lets one project safely read outputs from another project's state to share data across projects.

Common Mistakes
Using incorrect backend configuration details like wrong bucket name or key path.
Terraform cannot find the remote state file and fails to read outputs, causing errors.
Double-check the backend config values exactly match where the remote state is stored.
Trying to access outputs that do not exist in the remote state.
Terraform throws an error because the output key is missing in the remote state file.
Verify the remote project exports the outputs you want to use and spell them correctly.
Not running terraform init after adding the terraform_remote_state data source.
Terraform does not download or configure the backend properly, causing failures.
Always run terraform init to initialize the working directory after changing backend or data sources.
Summary
Configure terraform_remote_state data source with correct backend details to read another project's state.
Use outputs from the remote state as inputs to resources in the current project.
Run terraform init, plan, and apply to deploy resources using shared state data.

Practice

(1/5)
1. What is the main purpose of using a terraform_remote_state data source in Terraform?
easy
A. To store Terraform state files locally
B. To access outputs from another Terraform project's state
C. To create new resources in a different cloud provider
D. To encrypt Terraform state files automatically

Solution

  1. Step 1: Understand remote state data source role

    The terraform_remote_state data source allows one Terraform configuration to read outputs from another configuration's state file.

  2. Step 2: Differentiate from other options

    It does not store state locally, create new resources, or encrypt state automatically; it only reads existing state outputs.

  3. Final Answer:

    To access outputs from another Terraform project's state -> Option B

  4. Quick Check:

    Remote state data source = Access outputs [OK]
Hint: Remote state data source reads outputs from other projects [OK]
Common Mistakes:
  • Confusing remote state with local state storage
  • Thinking it creates resources instead of reading state
  • Assuming it encrypts state automatically
2. Which of the following is the correct syntax to define a terraform_remote_state data source for a backend stored in an S3 bucket named my-terraform-state?
easy
A. data "terraform_remote_state" "example" { backend = "local" config = { path = "my-terraform-state" } }
B. resource "terraform_remote_state" "example" { backend = "s3" bucket = "my-terraform-state" }
C. terraform_remote_state "example" { backend = "s3" bucket = "my-terraform-state" }
D. data "terraform_remote_state" "example" { backend = "s3" config = { bucket = "my-terraform-state" key = "state.tfstate" region = "us-east-1" } }

Solution

  1. Step 1: Identify correct resource type and syntax

    The terraform_remote_state must be declared as a data block, not a resource.

  2. Step 2: Check backend and config structure

    For S3 backend, the config requires bucket, key, and region inside a config map.

  3. Final Answer:

    data "terraform_remote_state" "example" { backend = "s3" config = { bucket = "my-terraform-state" key = "state.tfstate" region = "us-east-1" } } -> Option D

  4. Quick Check:

    Correct syntax = data "terraform_remote_state" "example" { backend = "s3" config = { bucket = "my-terraform-state" key = "state.tfstate" region = "us-east-1" } } [OK]
Hint: Use data block with backend and config map for remote state [OK]
Common Mistakes:
  • Using resource instead of data block
  • Missing required config keys like key or region
  • Using wrong backend type like local for S3
3. Given this Terraform snippet accessing remote state:
data "terraform_remote_state" "network" {
  backend = "gcs"
  config = {
    bucket = "tf-state-bucket"
    prefix = "network"
  }
}

output "vpc_id" {
  value = data.terraform_remote_state.network.outputs.vpc_id
}

What will output.vpc_id contain?
medium
A. The entire remote state file content as a string
B. An error because prefix is not a valid config key for GCS backend
C. The VPC ID output from the remote state stored in the GCS bucket under prefix 'network'
D. Null because outputs cannot be accessed from remote state

Solution

  1. Step 1: Understand remote state data source usage

    The data source reads the remote state from the GCS bucket with the given prefix, making outputs available.

  2. Step 2: Confirm output access

    The output vpc_id is accessed correctly via data.terraform_remote_state.network.outputs.vpc_id, so it returns the VPC ID value.

  3. Final Answer:

    The VPC ID output from the remote state stored in the GCS bucket under prefix 'network' -> Option C

  4. Quick Check:

    Remote output access = VPC ID value [OK]
Hint: Remote state outputs accessed via data.<name>.outputs.<key> [OK]
Common Mistakes:
  • Confusing prefix usage for GCS backend (it is valid)
  • Expecting entire state file instead of outputs
  • Assuming outputs cannot be read remotely
4. You have this Terraform remote state data source:
data "terraform_remote_state" "app" {
  backend = "azurerm"
  config = {
    resource_group_name = "rg-state"
    storage_account_name = "stterraform"
    container_name = "tfstate"
    key = "app.terraform.tfstate"
  }
}

When running terraform plan, you get an error: Failed to load remote state. What is the most likely cause?
medium
A. Incorrect or missing permissions to access the Azure storage account
B. The backend type should be s3 instead of azurerm
C. The key parameter is not supported in azurerm backend
D. Terraform remote state data source cannot be used with Azure

Solution

  1. Step 1: Verify backend and config correctness

    The backend azurerm with given config keys is valid for Azure Blob Storage remote state.

  2. Step 2: Identify common causes of load failure

    Most common cause is missing or incorrect permissions to access the storage account or container.

  3. Final Answer:

    Incorrect or missing permissions to access the Azure storage account -> Option A

  4. Quick Check:

    Access permissions issue = Load failure [OK]
Hint: Check storage permissions if remote state load fails [OK]
Common Mistakes:
  • Assuming backend type is wrong when it is correct
  • Thinking key parameter is unsupported in azurerm backend
  • Believing remote state cannot be used with Azure
5. You manage two Terraform projects: network and app. The network project stores its state remotely in an S3 bucket with key network/terraform.tfstate. You want the app project to use the VPC ID output from network. Which configuration correctly sets up the remote state data source in app to access network outputs securely and follows best practices?
hard
A. data "terraform_remote_state" "network" { backend = "s3" config = { bucket = "my-tf-state-bucket" key = "network/terraform.tfstate" region = "us-west-2" } }
B. data "terraform_remote_state" "network" { backend = "s3" config = { bucket = "my-tf-state-bucket" key = "app/terraform.tfstate" region = "us-west-2" } }
C. data "terraform_remote_state" "network" { backend = "local" config = { path = "../network/terraform.tfstate" } }
D. resource "terraform_remote_state" "network" { backend = "s3" config = { bucket = "my-tf-state-bucket" key = "network/terraform.tfstate" region = "us-west-2" } }

Solution

  1. Step 1: Confirm correct backend and key for remote state

    The remote state is stored in S3 bucket with key network/terraform.tfstate, so the data source must match this.

  2. Step 2: Ensure data source type and security best practices

    Use a data block (not resource) with backend = "s3", specify region, and avoid incorrect keys.

  3. Final Answer:

    Data source with backend s3, correct bucket/key, and region -> Option A

  4. Quick Check:

    Correct backend and secure config = data "terraform_remote_state" "network" { backend = "s3" config = { bucket = "my-tf-state-bucket" key = "network/terraform.tfstate" region = "us-west-2" } } [OK]
Hint: Match backend/key exactly and use data block [OK]
Common Mistakes:
  • Using wrong key path for remote state
  • Using resource block instead of data block
  • Using local backend instead of remote S3
  • Omitting region config