[mauflows]

> as if you're "doing it right" you don't even know what values it's going to apply until after it's applied them. It can't be idempotent because Terraform

what do you mean by this? 'terraform apply' runs plan first, and tells me the diff from the expected state. Then it asks me if I want to reconcile it.

I agree with the rest tho

[lukevp]

Not all values are known to you or terraform until after the apply. For example, on AWS, publishing a new version of lambda might have the ARN as known after apply since it includes the version # as part of the string. Or something like the calculated hash of an S3 object that would be known after apply. You can still reference these values in other parts of your terraform, and it will propagate the < ‘known after apply’ state there too. These dependencies are built into a graph to determine which items should be applied first, so all references to unknown data can be resolved in the correct order.

[0xbadcafebee]

Have you seen it say "Old Value X" -> (known after apply) ? If you use most of Terraform's features, a good deal of the new values are (known after apply). If any of a value requires looking something up at apply time - say, from a backend, a data source, a local, the creation/modification/deletion of a different resource, a name_prefix, an internal function, etc - Terraform can't (or more precisely, won't) tell you what the new value is or could be. So often you have no idea what the result is going to be until it's done.