_This issue was originally opened by @mtb-xt as hashicorp/terraform#4335. It was migrated here as part of the provider split. The original body of the issue is below._
If a cloudformation template contains a parameter with NoEcho set to true (like a password), the parameter value is shown as asterisks "**".
Terraform 0.6.8 detects this as a parameter change and tries to reapply it on every 'plan' or 'apply':
```
aws_cloudformation_stack.redshift-prod: Modifying...
  parameters.MasterUserPassword: "****" => "lolmegapassword"
```
_This comment was originally opened by @radeksimko as https://github.com/hashicorp/terraform/issues/4335#issuecomment-165519613. It was migrated here as part of the provider split. The original comment is below._
Thanks for this report too. :smiley:
A solution could be ignoring changes in NoEcho parameters coming from AWS; the only difficult part is in decoding the whole template, as this attribute isn't available from the API directly.
_This comment was originally opened by @radeksimko as https://github.com/hashicorp/terraform/issues/4335#issuecomment-174700894. It was migrated here as part of the provider split. The original comment is below._
This project may be helpful here:
https://github.com/awslabs/aws-cfn-go-template
_This comment was originally opened by @bobzoller as https://github.com/hashicorp/terraform/issues/4335#issuecomment-259223340. It was migrated here as part of the provider split. The original comment is below._
Perhaps this is silly but it might also save someone from a headache: _Don't_ be like me and try to work around this by adding:

```hcl
lifecycle {
  ignore_changes = ["parameters.Password"]
}
```
All it means is that the next apply will write the `****` value back to AWS (instead of your secret).
_This comment was originally opened by @dylanvaughn as https://github.com/hashicorp/terraform/issues/4335#issuecomment-277342956. It was migrated here as part of the provider split. The original comment is below._
Maybe if the parameter name ends in NoEcho then that tells Terraform to ignore it? i.e. `MasterDbPasswordNoEcho`
I could implement this in a PR if it seems like an acceptable solution.
_This comment was originally opened by @dylanvaughn as https://github.com/hashicorp/terraform/issues/4335#issuecomment-277493093. It was migrated here as part of the provider split. The original comment is below._
I ended up doing a slightly different approach of just checking if the old value of the parameter coming from AWS is `****` - see https://github.com/hashicorp/terraform/pull/11707
Any chance this issue can get some love? We have close to a hundred cloudformation templates (long story...) and each plan results in a long list of no-ops :(
We are having similar issues. I can imagine this might be a difficult bug to fix. We are debating whether to continue using bash to manage our cloudformation templates.
Also, parameter values being sent to a NoEcho parameter should be marked as sensitive by the aws provider so they are not output in the terminal.
Any love @hashibot ?
Previous efforts to solve this: #9304 #11707
The best solution is to add a "use previous value" option. I thought there was an open PR for this, but can't find it now.
Currently, I set the parameter to empty, then add `ignore_changes = ["parameters.MyParam"]`. I can't update the CloudFormation stack with Terraform, but I can at least see the differences.
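The comments above describe three pieces of the problem: the `NoEcho` flag has to be recovered by decoding the template because DescribeStacks does not return it, the `ignore_changes` workaround ends up writing the literal `****` back into the stack, and a check for an old value of `****` (or a "use previous value" option) avoids the spurious diff. The following Go program, added here as an illustration and not code from the Terraform AWS provider or from any of the linked PRs, puts those pieces together: it parses a constructed template for `NoEcho` parameters, compares configured values against the masked values AWS reports, and builds an UpdateStack parameter list that uses `UsePreviousValue` for masked secrets instead of echoing the mask. The `cfnParameter` type is a stand-in for the SDK's `cloudformation.Parameter`, the `noEchoMask` constant encodes the `****` placeholder quoted in the thread, and the sample template and parameter maps are constructed inputs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// noEchoMask is the placeholder DescribeStacks returns for NoEcho
// parameters, as quoted in the thread ("****" => "lolmegapassword").
const noEchoMask = "****"

// Constructed sample template: one NoEcho parameter and one ordinary one.
const sampleTemplate = `{
  "Parameters": {
    "MasterUserPassword": {"Type": "String", "NoEcho": true},
    "NodeType": {"Type": "String", "Default": "dc1.large"}
  },
  "Resources": {}
}`

// cfnParameter stands in for the AWS SDK's cloudformation.Parameter
// (assumption: these are the three fields UpdateStack needs here).
type cfnParameter struct {
	Key              string
	Value            string
	UsePreviousValue bool
}

// noEchoParameters decodes the template body and returns the names of the
// parameters declared with NoEcho. The stack API does not expose this flag,
// so the template itself has to be parsed.
func noEchoParameters(templateBody string) (map[string]bool, error) {
	var tpl struct {
		Parameters map[string]struct {
			NoEcho json.RawMessage `json:"NoEcho"`
		} `json:"Parameters"`
	}
	if err := json.Unmarshal([]byte(templateBody), &tpl); err != nil {
		return nil, err
	}
	out := map[string]bool{}
	for name, p := range tpl.Parameters {
		// Templates write NoEcho either as a JSON boolean or as the string "true".
		if strings.EqualFold(strings.Trim(string(p.NoEcho), `"`), "true") {
			out[name] = true
		}
	}
	return out, nil
}

// planUpdate compares the configured parameters with what DescribeStacks
// returned. It reports the keys that genuinely differ and builds the
// parameter list for UpdateStack. A NoEcho parameter whose remote value is
// the mask cannot be compared, so it is sent with UsePreviousValue rather
// than with the literal "****" that an ignore_changes workaround would echo.
func planUpdate(desired, remote map[string]string, noEcho map[string]bool) ([]string, []cfnParameter) {
	var changed []string
	var params []cfnParameter
	keys := make([]string, 0, len(desired))
	for k := range desired {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic plan output
	for _, k := range keys {
		want := desired[k]
		have, known := remote[k]
		switch {
		case noEcho[k] && known && have == noEchoMask:
			params = append(params, cfnParameter{Key: k, UsePreviousValue: true})
		case known && have == want:
			params = append(params, cfnParameter{Key: k, Value: want})
		default:
			changed = append(changed, k)
			params = append(params, cfnParameter{Key: k, Value: want})
		}
	}
	return changed, params
}

func main() {
	noEcho, err := noEchoParameters(sampleTemplate)
	if err != nil {
		panic(err)
	}
	desired := map[string]string{"MasterUserPassword": "lolmegapassword", "NodeType": "dc1.large"}
	// Constructed DescribeStacks view of the same stack: the secret is masked.
	remote := map[string]string{"MasterUserPassword": noEchoMask, "NodeType": "dc1.large"}
	changed, params := planUpdate(desired, remote, noEcho)
	fmt.Println("changed:", changed)
	for _, p := range params {
		fmt.Printf("%s value=%q usePrevious=%v\n", p.Key, p.Value, p.UsePreviousValue)
	}
}
```

The trade-off is the same one the thread runs into: once the remote value is masked there is no way to tell from DescribeStacks alone whether the secret in the configuration has actually changed, so this logic never rotates a NoEcho parameter on its own. Rotating it needs an explicit signal (for example a version counter in the parameter name, or a separate field) rather than a diff against the masked value.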