Lifecycle ignore_changes for aws_vpn_connection vgw_telemetry

yshollander-selerity · July 28, 2023, 4:51pm

Hi, all,

I’ve got an aws_vpn_connection resource defined and running, but terraform plan complains about vgw_telemetry because AWS bounced the VPN tunnels so the last_status_change timestamp changed outside of Terraform’s control.

# module.myvpn_connection.aws_vpn_connection.vpn_connection has changed
  ~ resource "aws_vpn_connection" "vpn_connection" {
        id                                   = "<vpnid redacted>"
        tags                                 = {
            "Name" = "MYVPN"
        }
      ~ vgw_telemetry                        = [
          - {
              - accepted_route_count = 14
              - certificate_arn      = ""
              - last_status_change   = "2023-07-07T05:17:20Z"
              - outside_ip_address   = "a.b.c.d"
              - status               = "UP"
              - status_message       = "14 BGP ROUTES"
            },
          + {
              + accepted_route_count = 14
              + certificate_arn      = ""
              + last_status_change   = "2023-07-25T03:36:31Z"
              + outside_ip_address   = "e.f.g.h"
              + status               = "UP"
              + status_message       = "14 BGP ROUTES"
            },
            # (1 unchanged element hidden)
        ]
        # (56 unchanged attributes hidden)


        # (2 unchanged blocks hidden)
    }

I tried using lifecycle/ignore_changes to ignore changes to the entire vgw_telemetry block:

  lifecycle {
    ignore_changes = [
      vgw_telemetry,
    ]
  }

but Terraform still complains about last_status_timestamp. Is there a way to ignore_changes for an entire block?

jbardin · July 28, 2023, 8:28pm

Hi @yshollander-selerity,

I think part of the confusion here is that ignore_changes is meant to ignore changes in the configuration, it cannot prevent updates from the remote system. I’m not sure though what is going on without more details about the configuration and update that happened.

Using ignore_changes = [vgw_telemetry] should ignore any changes that would be imposed by the configuration on the resource within that block. What do you mean that Terraform “complains about last_status_timestamp”?

yshollander-selerity · July 30, 2023, 1:46am

I mean that the only piece of vgw_telemetry that is different in the output in my OP is the last_update_timestamp. Everything else is the same – the VPN is up, same # of BGP routes learned, etc. I figured that must be why Terraform claimed that something changed.

And as you point out, this should have been enough to suppress the warning:

  lifecycle {
    ignore_changes = [
      vgw_telemetry,
    ]
  }

Not sure what other information I can provide…

yshollander-selerity · July 30, 2023, 1:48am

I should also note that I made a mistake sanitizing the output above. a.b.c.d and e.f.g.h are the same address. The only difference is last_update_timestamp.

jbardin · July 31, 2023, 12:59pm

Can you show the output of a complete plan showing that terraform plans to update the ignored block values? The original output here appears to be from only refreshing the resource, and is reporting “vpn_connection has changed” outside of Terraform, which Terraform cannot control.

yshollander-selerity · July 31, 2023, 1:42pm

Issue resolved. This behavior was fixed some time after TF 1.1.7. I didn’t realize I was using an old TF release. Upgraded to latest, and terraform plan does not complain about vgw_telemetry changes.

Thanks for the quick responses!