How come a local "terraform plan" shows a change to a file but when running directly on TF Cloud it doesn't

We have a file located in a sub folder called scripts, the file is called ssvm.ps1 and we don’t alter it.

In our main code we have the resource azurerm_automation_runbook. Code looks like this

resource "azurerm_automation_runbook" "ssvm_patching" {
  name                    = "Auto-patching-start-stop"
  location                = module.global_logging.logging_rg_location
  resource_group_name     = module.global_logging.logging_rg_name
  automation_account_name = module.fmg-tf-patching-module.automation_name
  log_verbose             = "true"
  log_progress            = "true"
  description             = "This Run Book is used to start and stop VM during patching"
  runbook_type            = "PowerShell"
  content                 = file("scripts/ssvm.ps1",)

We use Windows workstations

Before we push our code upstream we always run a “Terraform Plan” to confirm that the code appears valid.

When we run the Terraform Plan on our local machine, noting that it is still using TF Cloud as the backend we always see

# azurerm_automation_runbook.ssvm_patching will be updated in-place
  ~ resource "azurerm_automation_runbook" "ssvm_patching" {
      ~ content                  = <<-EOT

                [parameter(Mandatory = $true)]

            #Import the Modules
            Import-Module 'Az.Accounts'
            Import-Module 'Az.Compute'

            #Authenticating through identity
            Connect-AzAccount -Identity

            # Ensures you do not inherit an AzContext in your runbook
            Disable-AzContextAutosave -Scope Process

            # set and store context

            Set-AzContext -Subscription $subscriptionid

            #Turning on the VM which are in deallocated state with the tag vlaue third sunday
            $VMs = Get-AzVM -Status | Where-Object PowerState -eq "VM deallocated"
            foreach ($VM in $VMs) {
                [Hashtable]$VMTag = (Get-AzVM -ResourceGroupName $VM.ResourceGroupName -Name  $VM.Name).Tags
                foreach ($h in $VMTag.GetEnumerator()) {
                    if (($h.Name -eq "updateGroup") -and ($h.value -eq "thirdsunday")) {
                        Write-Output "VM with tags updateGroup:thirdsunday are" $($VM.Name)
                        Write-Output "Starting virtual machine...$($VM.Name)"
                        Start-AzVM -ResourceGroupName $VM.ResourceGroupName -Name $VM.Name



            Start-Sleep -Seconds 9000
            #returning the VM to its last known state
            foreach ($VM in $VMs) {

                if ($VMs.PowerState -eq "VM deallocated") {

                    Write-Output "Stopping virtual machine...$($VM.Name)"
                    Stop-AzVM -ResourceGroupName $VM.ResourceGroupName -Name $VM.Name -Force
        id                       = "/subscriptions/c2ed245c-85dc-4179-aeb4-a637a3cf96db/resourceGroups/fzanzcspdrgp002/providers/Microsoft.Automation/automationAccounts/franzgnpdaa001/runbooks/Auto-patching-start-stop"
        name                     = "Auto-patching-start-stop"
        tags                     = {
            "costCentre"  = "CoreInfrastructure"
            "deployType"  = "Terraform"
            "description" = "start & stop third sunday VM patching runbook"
            "source"      = ""
        # (9 unchanged attributes hidden)

Yet if we run a “plan and apply” or “plan only” from directly TF Cloud we don’t see this.

The only thing I can think off is that it has something to do with Our windows machines knowing the TF Cloud use Linux but I can’t verify this.

Does anyone else know why this could be the case?

Hi @john.ward,

If the file is checked in to version control to ensure there are no changes, the usual culprit is having git configured to automatically convert line endings for windows machines. It does this by inserting the extra \r characters on checkout, then filtering them back out on commit. This leaves certain files which were detected as text altered in the working directory, and Terraform will see changes in those files.

1 Like

Spot on, I thought it was going to be something like that but was thinking it was more when the code was running and not that GitHub was making the changes when the Repo was cloned, hence why running from the Windows WSL environment didn’t work either as the repo had already been cloned to my local machine using windows.

A quick run of

git config --global core.autocrlf false

turned it off, I then recloned the repo and tested.

I might look more at a .gitattributes file as I’m sure this will have negative effects for other repos

Thanks again.

To resolve this for us.
We created a .gitattributes file in the root folder of the module with these values

  • text=auto

*.ps1 text eol=lf
*.sh text eol=lf