CODEWITHSUNDEEP
amazon-web-servicesterraformaws-codepipeline
Wrench
Wrench

Reputation: 4940

Terraform, "ignore_changes" and sub-blocks

I have a AWS CodePipeline configured in a terraform file, like this:

resource {
    name = "Cool Pipeline"
    ...

    stage {
        name = "Source"
        ...

        action {
            name = "Source"
            ...

            configuration {
                Owner = "Me"
                Repo = "<git-repo-uri>"
                Branch = develop
                OAuthToken = "b3287d649a28374e9283c749cc283ad74"
            }
        }
    }

    lifecycle {
        ignore_changes = "OAuthToken"
    }
}

The reason for ignoring the token, is that the AWS API doesn't show that token to terraform, instead AWS API outputs this with aws codepipeline get-pipeline <name>:

"pipeline": {
    "stages": {
        "name": "Source",
        "actions": {
            "configuration": {
                "OAuthToken": "****"
            }
        }
    }
}

Result is, when I perform the terraform planit shows me it wants to update that token, like so:

module.modulename.aws_codepipeline.codepipeline
      stage.0.action.0.configuration.%:          "3" => "4"
      stage.0.action.0.configuration.OAuthToken: "" => "b3287d649a28374e9283c749cc283ad74"

My question is, how can I get the ignore_changes to take effect? I've tried this without any success:

ignore_changes = ["OAuthToken"]
ignore_changes = ["oauthtoken"]
ignore_changes = ["stage.action.configuration.OAuthToken"]

All examples I've found googling just shows how to ignore on the same block level.

(The token is this text is fake.)

Upvotes: 34

Views: 41776

Answers (3)

Luca Motta
Luca Motta

Reputation: 331

I have encountered a similar case and I resolved as follows:

ignore_changes = [
   stage[0].action[0].configuration["OAuthToken"]
]

Upvotes: 3

Artur Yarosh
Artur Yarosh

Reputation: 171

This syntax is deprecated

ignore_changes = [
    "stage.0.action.0.configuration.OAuthToken",
    "stage.0.action.0.configuration.%"
]

But the new one is ignored in v1.0.0 for some reason

ignore_changes = [
  stage[0].action[0].configuration.OAuthToken,
  stage[0].action[0].configuration,
]

Upvotes: 17

Wrench
Wrench

Reputation: 4940

This syntax, as hinted by terraform plan output, solved the problem:

ignore_changes = [
    "stage.0.action.0.configuration.OAuthToken",
    "stage.0.action.0.configuration.%"
]

Another way to solve it is to add the GITHUB_TOKEN system environment variable, with the token as the value. This way you do not need the ignore_changes directive in the tf files.

Upvotes: 32

Related Questions