aws_cloudformation_stack always triggers an update because it detects changes in the "Password" template parameter

Related to aws_cloudformation_stack sensitive parameters always trigger update · Issue #10300 · hashicorp/terraform-provider-aws · GitHub

I’m running Terraform 1.5.5 with hashicorp/aws 5.11.0.

I have an aws_cloudformation_stack and one of the parameters is called “Password” (it comes from a third-party CloudFormation template: https://dataiku-cloudstacks.s3.amazonaws.com/templates/fleet-manager/12.1.2/fleet-manager-instance.yml).

The definition of that parameter is:

  Password:
    Description: Fleet Manager user password
    Type: String
    NoEcho: true
    MinLength: 1
    AllowedPattern: ^[^`\\'"\$]+$
    ConstraintDescription: |
      Password cannot be empty and cannot contain the following characters: ` ' " \ $

Every time I run terraform plan, it detects changes to the Password field:

Terraform will perform the following actions:

  # aws_cloudformation_stack.fleetmanager will be updated in-place
  ~ resource "aws_cloudformation_stack" "fleetmanager" {
        id                 = "arn:aws:cloudformation:xxxx:xxxx:stack/dataiku-fleetmanager/yyyy"
        name               = "dataiku-fleetmanager"
      ~ parameters         = {
          ~ "Password"                 = "****" -> "abcdef12354"
            # (9 unchanged elements hidden)
        }
        tags               = {}
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Is there any way to avoid this?

I already tried adding a lifecycle ignore_changes block, but it does not work.

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack.html
resource "aws_cloudformation_stack" "fleetmanager" {
    name = "dataiku-fleetmanager"
    template_url = "https://dataiku-cloudstacks.s3.amazonaws.com/templates/fleet-manager/12.1.2/fleet-manager-instance.yml"
    parameters = {
        VPCId = var.VPCId
        VPCCIDR = var.VPCCIDR
        SubnetId = var.SubnetId
        AllowedCIDR = var.AllowedCIDR
        InstanceSSHKeyPairName = var.InstanceSSHKeyPairName
        RoleName = "xxxx"
        Username = var.Username
        Password = var.Password
        sslMode = "SELF_SIGNED"
        AssociatePublicIpAddress = "False"
    }
    capabilities = [ "CAPABILITY_NAMED_IAM" ]
    disable_rollback = false
    lifecycle {
        ignore_changes = [parameters.Password]
    }
}

What am I doing wrong?

It’s not parameters.Password but parameters["Password"].

I added the following to the aws_cloudformation_stack resource and now it’s properly ignored:

    lifecycle {
        ignore_changes = [parameters["Password"]]
    }
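As an added example (not the poster's configuration), here is the corrected resource with the map-key syntax from the answer, plus the variable declared as sensitive so the plan no longer prints the password in clear the way the plan output above does. Variable and resource names follow the post; the other template parameters are as in the original resource.

```hcl
# Added example, not the original poster's configuration.
# The CloudFormation parameter is NoEcho, so DescribeStacks returns "****"
# for it; without ignore_changes the stored value never matches var.Password.
variable "Password" {
  description = "Fleet Manager user password (NoEcho parameter in the template)"
  type        = string
  sensitive   = true # shown as (sensitive value) in plan/apply output, not in clear
}

resource "aws_cloudformation_stack" "fleetmanager" {
  name         = "dataiku-fleetmanager"
  template_url = "https://dataiku-cloudstacks.s3.amazonaws.com/templates/fleet-manager/12.1.2/fleet-manager-instance.yml"

  parameters = {
    Password = var.Password
    # the other template parameters from the original resource go here
  }

  capabilities     = ["CAPABILITY_NAMED_IAM"]
  disable_rollback = false

  lifecycle {
    # Map elements are addressed by key, not by attribute-style dot syntax.
    # Caveat: a deliberate change to var.Password is then also ignored by
    # Terraform and has to be rolled out another way (for example by
    # temporarily removing this entry for the rotation run).
    ignore_changes = [parameters["Password"]]
  }
}
```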