Terraform, "ignore_changes" and sub-blocks

Wrench picture Wrench · Jan 13, 2018 · Viewed 9.4k times · Source

I have a AWS CodePipeline configured in a terraform file, like this:

resource {
    name = "Cool Pipeline"
    ...

    stage {
        name = "Source"
        ...

        action {
            name = "Source"
            ...

            configuration {
                Owner = "Me"
                Repo = "<git-repo-uri>"
                Branch = develop
                OAuthToken = "b3287d649a28374e9283c749cc283ad74"
            }
        }
    }

    lifecycle {
        ignore_changes = "OAuthToken"
    }
}

The reason for ignoring the token, is that the AWS API doesn't show that token to terraform, instead AWS API outputs this with aws codepipeline get-pipeline <name>:

"pipeline": {
    "stages": {
        "name": "Source",
        "actions": {
            "configuration": {
                "OAuthToken": "****"
            }
        }
    }
}

Result is, when I perform the terraform planit shows me it wants to update that token, like so:

module.modulename.aws_codepipeline.codepipeline
      stage.0.action.0.configuration.%:          "3" => "4"
      stage.0.action.0.configuration.OAuthToken: "" => "b3287d649a28374e9283c749cc283ad74"

My question is, how can I get the ignore_changes to take effect? I've tried this without any success:

ignore_changes = ["OAuthToken"]
ignore_changes = ["oauthtoken"]
ignore_changes = ["stage.action.configuration.OAuthToken"]

All examples I've found googling just shows how to ignore on the same block level.

(The token is this text is fake.)

Answer

Wrench picture Wrench · Jan 13, 2018

This syntax, as hinted by terraform plan output, solved the problem:

ignore_changes = [
    "stage.0.action.0.configuration.OAuthToken",
    "stage.0.action.0.configuration.%"
]

Another way to solve it is to add the GITHUB_TOKEN system environment variable, with the token as the value. This way you do not need the ignore_changes directive in the tf files.