I have an AWS CodePipeline configured in a Terraform file, like this:
    resource "aws_codepipeline" "codepipeline" {
      name = "Cool Pipeline"
      ...
      stage {
        name = "Source"
        ...
        action {
          name = "Source"
          ...
          configuration {
            Owner      = "Me"
            Repo       = "<git-repo-uri>"
            Branch     = "develop"
            OAuthToken = "b3287d649a28374e9283c749cc283ad74"
          }
        }
      }
      lifecycle {
        ignore_changes = "OAuthToken"
      }
    }
The reason for ignoring the token is that the AWS API doesn't show that token to Terraform; instead the AWS API outputs this with aws codepipeline get-pipeline <name>:
    "pipeline": {
      "stages": {
        "name": "Source",
        "actions": {
          "configuration": {
            "OAuthToken": "****"
          }
        }
      }
    }
The result is that when I perform terraform plan, it shows me it wants to update that token, like so:
    module.modulename.aws_codepipeline.codepipeline
      stage.0.action.0.configuration.%: "3" => "4"
      stage.0.action.0.configuration.OAuthToken: "" => "b3287d649a28374e9283c749cc283ad74"
My question is, how can I get the ignore_changes to take effect? I've tried this without any success:
    ignore_changes = ["OAuthToken"]
    ignore_changes = ["oauthtoken"]
    ignore_changes = ["stage.action.configuration.OAuthToken"]
All examples I've found by googling just show how to ignore on the same block level.
(The token in this text is fake.)
This syntax, as hinted by terraform plan output, solved the problem:
    ignore_changes = [
      "stage.0.action.0.configuration.OAuthToken",
      "stage.0.action.0.configuration.%"
    ]
Another way to solve it is to add the GITHUB_TOKEN system environment variable, with the token as the value. This way you do not need the ignore_changes directive in the tf files.
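The first solution above reads the attribute paths straight off the terraform plan output. As an added example (not part of the original question or answers), this Python script derives the ignore_changes entries from plan lines in that format without echoing the attribute values; the function names and the sample plan text are constructed for illustration, and the token in it is a placeholder.

```python
import re

# Constructed sample: plan lines in the flatmap format shown in the question.
# The token value is a labelled placeholder, not a real credential.
SAMPLE_PLAN = '''\
module.modulename.aws_codepipeline.codepipeline
    stage.0.action.0.configuration.%:          "3" => "4"
    stage.0.action.0.configuration.OAuthToken: "" => "<placeholder-token>"
    stage.1.action.0.configuration.ProjectName: "old" => "new"
'''

# Matches:  attribute.path: "old" => "new"
ATTR_LINE = re.compile(
    r'^\s*(?P<path>[\w.%-]+):\s+"(?P<old>[^"]*)"\s+=>\s+"(?P<new>[^"]*)"\s*$'
)


def ignore_paths_for(plan_text, key):
    """Return the ignore_changes entries for every changed map attribute
    named `key`, plus the '%' element-count entry of the same map."""
    matches = map(ATTR_LINE.match, plan_text.splitlines())
    changed = [m.group("path") for m in matches if m]
    paths = []
    for path in changed:
        parent, _, leaf = path.rpartition(".")
        if leaf != key or not parent:
            continue
        paths.append(path)
        count = parent + ".%"
        if count in changed:  # the map size differs too, so it must be ignored as well
            paths.append(count)
    return paths


def render(paths):
    """Format the paths as the quoted list used in the lifecycle block."""
    body = ",\n".join('  "%s"' % p for p in paths)
    return "ignore_changes = [\n%s\n]" % body


if __name__ == "__main__":
    # Only attribute paths are printed; old and new values are never echoed.
    print(render(ignore_paths_for(SAMPLE_PLAN, "OAuthToken")))
```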