Lifecycle ignore quirks

Working on ignoring some annoying state drift as described in

I have a diff like this:

  ~ resource "kubernetes_namespace" "foo" {
        id = "monitoring"

      ~ metadata {
          ~ annotations      = {
              + "kustomize.toolkit.fluxcd.io/checksum" = "14a362dcb6a8defbb391483cc98dcacd1e9c33f9"
            }
          ~ labels           = {
              + "kustomize.toolkit.fluxcd.io/name"      = "apps"
              + "kustomize.toolkit.fluxcd.io/namespace" = "flux-system"
            }
            name             = "monitoring"
          ~ resource_version = "13420693" -> "13424059"
            # (2 unchanged attributes hidden)
        }
    }

If I add this:

  resource "kubernetes_namespace" "foo" {
    metadata {
      name = "monitoring"
    }

    lifecycle {
      ignore_changes = [
        metadata.0.annotations["kustomize.toolkit.fluxcd.io/checksum"],
        metadata.0.labels["kustomize.toolkit.fluxcd.io/name"],
        metadata.0.resource_version,
      ]
    }
  }

I can get it to ignore all of the changes except the namespace one. However, if I add metadata.0.labels["kustomize.toolkit.fluxcd.io/namespace"] to the list, all the items now show up as changed (i.e., the lifecycle block doesn’t work at all). I can’t add a second lifecycle or ignore_changes as a workaround, as it throws an error. Is this a known issue? Is there any workaround?

PS: the following seems to work fine, so I’m thinking it’s because of the ‘name’ / ‘namespace’ in the final part of the key?

      metadata.0.labels["app.kubernetes.io/instance"],
      metadata.0.labels["app.kubernetes.io/part-of"],
      metadata.0.labels["app.kubernetes.io/version"],

Hi @wyardley,

That does sound strange. Map keys are compared as whole values, so the content of the name vs namespace should not be able to affect the outcome. Before we try to investigate further, can you confirm you are using the latest Terraform version?

yeah, on 1.0.5:

% terraform -version -json
{
  "terraform_version": "1.0.5",
  "platform": "darwin_amd64",
  "provider_selections": {},
  "terraform_outdated": false
}

I’m not sure how much of the logic is in Terraform core vs. the provider (I’m assuming the former). I did see a similar issue with the kubectl provider as well, though it has a kind of weird workaround to provide similar functionality (in that case, it’s not clear that the provider has yet been updated for 1.x; not sure if that’s related).

Thanks. I’m still not sure what exactly you are seeing. Is there any way to provide a complete example, or at least the complete config and output?

Are you certain you are looking at the plan changes in all cases here, and not the “changes outside of terraform”? The ignore_changes feature is specifically for ignoring changes between configuration and prior state, and cannot affect drift reported by the provider.

@jbardin that’s a good point - the changes outside of terraform section may definitely be a big part of it, and are definitely the cause of at least some of what I’m seeing.

The behavior about which ones show up / don’t show up in the plan is still pretty wacky, but I think I’m getting somewhere; thanks for the help so far.
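
Added example, not part of the original thread: a way to tell the two sections apart mechanically, using the JSON plan representation from `terraform show -json`, which lists drift under `resource_drift` and proposed actions under `resource_changes`. The plan data below is constructed, the function names are hypothetical, and it assumes a Terraform version whose plan JSON includes the `resource_drift` key.

```python
import json

FLUX = "kustomize.toolkit.fluxcd.io"

def ns_state(labels, resource_version):
    """Constructed stand-in for a kubernetes_namespace object in plan JSON."""
    return {"metadata": [{"labels": labels, "resource_version": resource_version}]}

BOTH = {f"{FLUX}/name": "apps", f"{FLUX}/namespace": "flux-system"}
# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = {
    "resource_drift": [{
        "address": "kubernetes_namespace.foo",
        "change": {"before": ns_state({}, "13420693"), "after": ns_state(BOTH, "13424059")},
    }],
    "resource_changes": [{
        "address": "kubernetes_namespace.foo",
        "change": {"before": ns_state(BOTH, "13424059"),
                   "after": ns_state({f"{FLUX}/name": "apps"}, "13424059")},
    }],
}

def diff_paths(before, after, path=""):
    """Return attribute paths (ignore_changes style) whose values differ."""
    if isinstance(before, dict) and isinstance(after, dict):
        out = []
        for k in sorted(set(before) | set(after)):
            sub = f"{path}.{k}" if k.isidentifier() else f'{path}["{k}"]'
            out += diff_paths(before.get(k), after.get(k), sub.lstrip("."))
        return out
    if isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        return [p for i, (b, a) in enumerate(zip(before, after))
                for p in diff_paths(b, a, f"{path}.{i}")]
    return [] if before == after else [path]

def classify(plan):
    """Per address: paths reported as drift vs. paths Terraform plans to change."""
    result = {}
    for section, label in (("resource_drift", "drift"), ("resource_changes", "planned")):
        for rc in plan.get(section, []):
            ch = rc["change"]
            entry = result.setdefault(rc["address"], {"drift": [], "planned": []})
            entry[label] += diff_paths(ch.get("before"), ch.get("after"))
    return result

if __name__ == "__main__":
    for addr, sections in classify(SAMPLE_PLAN).items():
        print(addr, json.dumps(sections, indent=2))
```

Only paths listed under "planned" are candidates for ignore_changes; paths that appear only under "drift" are reported regardless of the lifecycle block.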