```hcl
provider "vault" {
  version = "~> 2.7.0"
  address = var.vault_addr
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = var.approle_roleid
      secret_id = var.approle_secretid
    }
  }
}

resource "vault_aws_secret_backend" "this" {
  #access_key = ""
  #secret_key = ""
  path                      = join("-", [var.team, var.env, var.account_name, "aws"])
  default_lease_ttl_seconds = var.lease_ttl
  max_lease_ttl_seconds     = var.lease_max_ttl
  depends_on                = [null_resource.validator]
  lifecycle {
    ignore_changes = [access_key, secret_key]
  }
}
```
Given the above statement, both with the `access_key` / `secret_key` lines commented and uncommented, new Terraform plans want to destroy the `secret_key` on every apply.
I’m lost. I thought using empty quotes would make sure there was no value in the field only on the first run, and that on any subsequent runs the `lifecycle.ignore_changes` would make sure that Terraform didn’t touch the field. What am I missing here?
This is what appears in the plan output:
```
  # module.modulename.vault_aws_secret_backend.this will be updated in-place
  ~ resource "vault_aws_secret_backend" "this" {
      - access_key                = (sensitive value)
        default_lease_ttl_seconds = 3600
        id                        = "team-prd-modulename-aws"
        max_lease_ttl_seconds     = 7200
        path                      = "team-prd-modulename-aws"
        region                    = "us-east-1"
    }
```

(where the `-` indicates an action Terraform will take to destroy the indicated parameter)
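One check worth running before approving a plan like this, added here as an example that is not part of the original post: a script that reads `terraform show -json plan.out` output and flags any `vault_aws_secret_backend` whose `access_key` or `secret_key` goes from a set value to null, so CI can stop an apply that would silently strip the backend's root credentials. The sample plan JSON is constructed to mirror the plan output above; the key value in it is a placeholder, not a real credential.

```python
import json

# Attributes on vault_aws_secret_backend that hold the root credentials
# Vault uses to mint dynamic AWS credentials.
CREDENTIAL_ATTRS = ("access_key", "secret_key")
RESOURCE_TYPE = "vault_aws_secret_backend"


def find_dropped_credentials(plan_json: str) -> list[tuple[str, str]]:
    """Return (resource address, attribute) pairs where a `terraform show -json`
    plan takes a credential attribute from a set value to null, which is what
    the '- access_key = (sensitive value)' line in the text plan represents.
    Deletes and replacements are reported too, since they also drop the value."""
    plan = json.loads(plan_json)
    dropped = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change", {})
        if change.get("actions", []) == ["no-op"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}   # None for a delete
        for attr in CREDENTIAL_ATTRS:
            if before.get(attr) is not None and after.get(attr) is None:
                dropped.append((rc["address"], attr))
    return dropped


# Constructed sample mirroring the plan output in the question; the
# access_key value is a placeholder, not a real credential.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "resource_changes": [{
        "address": "module.modulename.vault_aws_secret_backend.this",
        "type": "vault_aws_secret_backend",
        "change": {
            "actions": ["update"],
            "before": {"access_key": "PLACEHOLDER-ACCESS-KEY", "secret_key": None,
                       "path": "team-prd-modulename-aws", "region": "us-east-1"},
            "after": {"access_key": None, "secret_key": None,
                      "path": "team-prd-modulename-aws", "region": "us-east-1"},
            "before_sensitive": {"access_key": True, "secret_key": True},
            "after_sensitive": {"access_key": True, "secret_key": True},
        },
    }],
})

if __name__ == "__main__":
    for address, attr in find_dropped_credentials(SAMPLE_PLAN):
        print(f"{address}: plan would null out {attr}")
```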