The core::getdatasource function
The core::getdatasource function returns a data source of the specified type that matches the filter. Terraform policy passes the filtering attributes to the provider, and returns any matching data sources from the provider. Since this function returns a single data source, you must use filters if needed to specify a single data source.
Signature
core::getdatasource(data_source_type, filter)
Arguments
| Argument | Required | Type | Description |
|---|---|---|---|
data_source_type | Yes | String | The type of data source to retrieve (For example: "aws_lambda_function", "aws_ami"). |
filter | Yes | Map | A map of attribute names and values to filter the data source. Used to identify a specific data source. |
Return value
Returns a single data source object that matches the specified type and filter. The object contains the data source's attributes as returned by the provider.
Examples
Retrieve a Lambda function by name
locals {
# Retrieve a lambda function with a specific name
function = core::getdatasource("aws_lambda_function", {
function_name = "example-function"
})
}
resource_policy "aws_lambda_permission" "function_exists" {
enforce {
condition = local.function != null
error_message = "Lambda function 'example-function' must exist before creating permissions."
}
}
Retrieve an AMI by filter
locals {
# Retrieve the latest Amazon Linux 2 AMI
amazon_linux_ami = core::getdatasource("aws_ami", {
most_recent = true
owners = ["amazon"]
filter = {
name = "name"
values = ["amzn2-ami-hvm-*-x86_64-gp2"]
}
})
}
resource_policy "aws_instance" "approved_ami" {
enforce {
condition = attrs.ami == local.amazon_linux_ami.id
error_message = "Instance must use the approved Amazon Linux 2 AMI: ${local.amazon_linux_ami.id}"
}
}
Retrieve VPC information
locals {
# Retrieve VPC by tag
production_vpc = core::getdatasource("aws_vpc", {
tags = {
Environment = "production"
}
})
}
resource_policy "aws_subnet" "production_vpc_check" {
filter = attrs.tags.Environment == "production"
enforce {
condition = attrs.vpc_id == local.production_vpc.id
error_message = "Production subnets must be in the production VPC: ${local.production_vpc.id}"
}
}
Retrieve IAM policy document
locals {
# Retrieve an IAM policy document
policy_doc = core::getdatasource("aws_iam_policy_document", {
statement = {
effect = "Allow"
actions = ["s3:GetObject"]
resources = ["arn:aws:s3:::example-bucket/*"]
}
})
}
resource_policy "aws_iam_role_policy" "policy_compliance" {
enforce {
condition = attrs.policy == local.policy_doc.json
error_message = "IAM role policy must match the approved policy document."
}
}
Retrieve availability zones
locals {
# Retrieve available AZs in the current region
available_azs = core::getdatasource("aws_availability_zones", {
state = "available"
})
}
resource_policy "aws_instance" "az_check" {
enforce {
condition = core::contains(local.available_azs.names, attrs.availability_zone)
error_message = "Instance must be in an available availability zone. Available: ${core::join(", ", local.available_azs.names)}"
}
}
Retrieve security group by name
locals {
# Retrieve a security group by name
default_sg = core::getdatasource("aws_security_group", {
name = "default"
})
}
resource_policy "aws_instance" "no_default_sg" {
enforce {
condition = !core::contains(attrs.vpc_security_group_ids, local.default_sg.id)
error_message = "Instances must not use the default security group."
}
}
Use with conditional logic
locals {
# Try to retrieve a KMS key
kms_key = core::try(
core::getdatasource("aws_kms_key", {
key_id = "alias/my-key"
}),
null
)
has_kms_key = local.kms_key != null
}
resource_policy "aws_ebs_volume" "encryption_check" {
enforce {
condition = attrs.encrypted == true
error_message = "EBS volumes must be encrypted."
}
enforce {
condition = !local.has_kms_key || attrs.kms_key_id == local.kms_key.id
error_message = "EBS volumes must use the organization's KMS key when available."
}
}
Related functions
core::getresources- Retrieve a list of resources matching the specified type and filter