Terraform plan refresh issue with aws_ssm_parameter resource

Terraform Providers AWS
1

I have imported some pre-existing AWS SSM parameter store parameters using terraform import. I also created the terraform code to generate these parameters :

resource "aws_ssm_parameter" "resource_foo" {
  name = "resource_foo"
  description = "Lorem ipsum"
  type = "String"
  value = "foo_value"
  tags = {
    "Project" = "foo_project",
    "aws:cloudformation:stack-name" = "foo_project_stack",
    "aws:cloudformation:logical-id" = "foo_project_logical-id",
    "aws:cloudformation:stack-id" = "arn:aws:cloudformation:xxx:xxx",

  }
}

The imported state looks like this (first issue):

    {
      "mode": "managed",
      "type": "aws_ssm_parameter",
      "name": "resource_foo",
      "provider": "provider.aws",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "allowed_pattern": "",
            "arn": "arn:aws:ssm:xxx:xxx",
            "description": "Lorem ipsum",
            "id": "resource_foo",
            "key_id": "",
            "name": "resource_foo",
            "overwrite": null,
            "tags": {
              "Project": "foo_project"
            },
            "tier": "Standard",
            "type": "String",
            "value": "foo_value",
            "version": 2
          }
        }
      ]
    },

So naturally, when I run terraform plan, terraform says:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_ssm_parameter.resource_foo will be updated in-place
  ~ resource "aws_ssm_parameter" "resource_foo" {
        arn         = "arn:aws:ssm:xxx:xxxx"
        description = "Lorem ipsum"
        id          = "resource_foo"
        name        = "resource_foo"
      ~ tags        = {
            "Project"                       = "foo_project"
          + "aws:cloudformation:logical-id" = "foo_project_logical-id"
          + "aws:cloudformation:stack-id"   = "arn:aws:cloudformation:xxx:xxx"
          + "aws:cloudformation:stack-name" = "foo_project_stack"
        }
        tier        = "Standard"
        type        = "String"
        value       = (sensitive value)
        version     = 2
    }

I even tried manually adding the missing tags in the statefile, and if I then proceed to do terraform plan -refresh=false terraform then says everything is up to date.

If I do a normal terraform plan it does a state refresh, and then thinks that the three extra tags are missing…

Is this a bug? Should I report it as such?

2

Hi @denisbr,

In AWS the tag prefix aws: is reserved for tags created automatically by AWS services, so Terraform isn’t able to manage those tags. I think if you remove those three tags from your configuration then you should see the plan produce no action for this resource instance.

It may be a bug that the AWS provider didn’t detect those invalid tag names in your configuration and report an explicit error; I’m not personally familiar with how the AWS SSM API behaves and tags unfortunately tend to have slightly different behavior depending on the underlying AWS service. If you would like to report the absense of an error as a bug, you could create a new issue in the AWS provider repository.

1 Like
3

@apparentlymart Thanks for the clarification! This makes sense :slight_smile: