Is there a way to utilize Terraform to modify part of a resource while leaving the rest as its found in the remote state? The use case is that there is a subset of the fields on a resource that need to be actuated as part of a Terraform configuration, but the rest of the resource might be changed out-of-band by other users and should be left alone.
resource "some_resource" "my_resource" {
field_i_care_about = "my_value"
// all other fields get left alone
}
While that would not cause a change to be seen for plan/apply for the ignored attributes it wouldn’t help if something did trigger a change - the ignored attributes would still be updated to be whatever the code had them set to.
Terraform isn’t really designed for this partial case. Resources should be either totally controlled by Terraform or totally controlled by something else. As a result some providers support different ways of expressing the same set of objects (for example you can set AWS security group rules as individual resources or as part of the security group itself). Using those you can then have partial control (for example some SG rules are defined in Terraform but others are managed by something else and don’t appear in the code at all).
the ignored attributes would still be updated to be whatever the code had them set to
So what you’re saying is that there’s no protection per se from ignored attributes being added to the Terraform config and therefore clobbering whatever was there?
Unfortunately I’m trying to use off-the-shelf resources here so creating a custom resource just to control a specific field within an API isn’t particularly an option. Thanks for the ignore_changes suggestion, that might get me further along at least!