Terraform lifecycle ignore_changes applies to all keys for azurerm_linux_web_app.site_config, although only one key is selected

This is my first post - after several years of reading, so hopefully I do not miss something.

I’m using the Terraform azurerm_linux_web_app resource to deploy some app services.
As their content is deployed via CI pipelines, there are some attributes I want/have to ignore during terraform plan / apply.

So my tf module has the following lifecycle:

  lifecycle {
    ignore_changes = [

At first glance this is working like a charm. But now I added some allowed regions to site_config.cors like:

  site_config {
    cors {
      allowed_origins     = var.frontendWebAppURis # a list of strings
      support_credentials = false
    }
  }

When I run terraform plan, there are no changes to be made.
If I remove site_config["app_command_line"] from the ignore list, the plan will contain all entries to add.

What am I missing in the “ignore_changes” syntax for map keys?


PS: This is a repost of my question on Stack Overflow. Initially I expected a fast reaction time there, which did not happen. I will gladly share the answer there as well.

Did you figure out how to overcome this issue? I am facing this problem now.