Using lifecycle ignore_changes for attributes managed outside of terraform

rba1-source · March 24, 2022, 11:18am

Hi,

I have some deployed instances and EBS resources in AWS, all of which have EC2 tags on. I want to ensure that future changes ignore some but not all of the tags. I’ve followed the documentation but I’m getting some unexpected behaviour for tags changed outside of terrform. I’m using terraform v0.13.6 and aws provider 3.58.

The docs (The lifecycle Meta-Argument - Configuration Language | Terraform by HashiCorp) state “The ignore_changes feature is intended to be used when a resource is created with references to data that may change in the future, but should not affect said resource after its creation. In some rare cases, settings of a remote object are modified by processes outside of Terraform, which Terraform would then attempt to “fix” on the next run. In order to make Terraform share management responsibilities of a single object with a separate process, the ignore_changes meta-argument specifies resource attributes that Terraform should ignore when planning updates to the associated remote object.” Since I have processes outside of terraform that add new tags, this sounds exactly what I’m looking for.

ignore_changes seems to work with tags which are managed by terraform, but tries to set tags not managed by terraform to null.

Here’s some sample config:

resource "aws_instance" "fileserver" {
...
  lifecycle {
    ignore_changes = [
      user_data,
      tags["App_version"],
      tags["Config_version"],
      tags["hostname"],
    ]
  }
  tags = {
    "App_version"    = local.app_version
    "Config_version" = local.config_version
  }
...
}

resource "aws_ebs_volume" "volume" {
...
  lifecycle {
    ignore_changes = [
      tags["App_version"],
      tags["Config_version"],
      tags["Drive_Letter"],
    ]
  }
  tags = {
    "App_version"    = local.app_version
    "Config_version" = local.config_version
  }
}

My output is “unexpected” because if I run a tf plan where I have changed the input values for “Config_version”, this tag is ignored as expected, but the tags which are changed outside of terraform are not ignored, but instead set to null:

  # module.storage.aws_instance.fileserver will be updated in-place
  ~ resource "aws_instance" "fileserver" {
      ...
      ~ tags = {
            "App_version"    = "develop"
            "Config_version" = "feature/QWE-1234"
          - "hostname"       = "EC2AMAZ-5JJJ44G" -> null
        }
    }

  # module.storage.aws_ebs_volume.volume will be updated in-place
  ~ resource "aws_ebs_volume" "volume" {
      ...
      ~ tags = {
            "App_version"    = "develop"
            "Config_version" = "feature/QWE-1234"
          - "Drive_Letter"   = "D:" -> null
        }
    }

Are the docs wrong, is there a bug, or was this feature introduced into a later version of terraform?

Help appreciated.

Thanks.

rba1-source · April 11, 2022, 11:43am

Looks like this was fixed in v0.14.0:

github.com/hashicorp/terraform

allow ignore_changes to reference any map key

hashicorp:master ← hashicorp:jbardin/ignore-changes-map

opened 09:21PM - 29 Sep 20 UTC

jbardin

+286 -62

This change will allow specifying a `map["key"]` path in `ignore_changes` that m…ay not exist in the config or the prior value. This allows users to prevent a single map element from changing to or from being unset. This didn't work previously because the transformation always started off with the configuration, and would never encounter a key if it was not present in the configuration. We also couldn't retain the absence of a value, since the lookup wouldn't find the key in the prior value. The following configuration will now prevent the "unwanted" value from showing up in the plan if it is not originally present in the prior state. ``` resource "test_resource" "a" { map = { wanted = "value" unwanted = "added after initial apply" } lifecycle = { ignore_changes = [map["unwanted"]] } } ``` The following example will now prevent the "wanted" value from being removed if it exists the the prior state, but is removed from the configuration ``` resource "test_resource" "a" { map = { // wanted = "removed after initial apply" } lifecycle = { ignore_changes = [map["wanted"]] } } ``` While these examples use map literals for clarity, this feature would normally be used when the map is derived from another source, and not manipulated directly in the resource configuration. This also allows users in some cases to work around misbehaving legacy providers that have altered the state in conflict with the configuration.

Thanks.

Topic		Replies	Views
Dynamic lifecycle ignore_changes? Terraform	6	28062	February 23, 2020
Lifecycle ignore tags on aws_instance does not ignore root_block_device tags Terraform	3	515	November 4, 2024
Possible to 'ignore_changes' but still manage? Terraform	3	3930	April 29, 2022
What is the current status on ignoring tags? Terraform	3	6600	July 5, 2023
Ignore_changes - but only when changed outside of Terraform Terraform	2	270	September 4, 2023

Using lifecycle ignore_changes for attributes managed outside of terraform

Related topics