Terraform-provider-aws: AWS OpsWorks ssh_key in app_source keeps re-applying

Created on 13 Jun 2017 · 10Comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @iroller as hashicorp/terraform#6648. It was migrated here as part of the provider split. The original body of the issue is below._

Hi there,

It looks like there's the same issue as https://github.com/hashicorp/terraform/issues/3635 existing in aws_opsworks_application -> app_source -> ssh_key.

Config:

resource "aws_opsworks_application" "app" {
  name        = "application"

  app_source = {
    type     = "git"
...
    ssh_key  = "${file("~/.ssh/private-key")}"
  }

On terraform plan/apply it keeps re-applying the ssh_key even though it's the same.

Also if it's filtered it shouldn't be displayed:

$ terraform plan

~ aws_opsworks_application.app
    app_source.0.ssh_key:  "*****FILTERED*****" => "-----BEGIN RSA PRIVATE KEY--- ... my-private-key-here"

Terraform Version

v0.6.15

Affected Resource(s)

aws_opsworks_application
app_source

bug servicopsworks

Source

hashibot

👍10

Most helpful comment

Note that adding to ignore_changes is not a solution, because then Terraform seems to write a blank key.

STRML on 5 Mar 2018

👍7

All 10 comments

I would like some idea on how to debug things, basically I want like a way for terraform to tell me why is it trying to recreate the resource

salimane on 24 Nov 2017

Note that adding to ignore_changes is not a solution, because then Terraform seems to write a blank key.

STRML on 5 Mar 2018

👍7

I gave up using ssh_key. Instead currently I use GitHub token from environment variable.

ryym on 14 Nov 2018

One limitation of the above solution is it only works for short keys (like API tokens). OpsWorks environment variables are limited to 256 characters, see: https://docs.aws.amazon.com/opsworks/latest/APIReference/API_EnvironmentVariable.html

If you attempt to fit a large key in an environment variable Terraform will error with:

* aws_opsworks_application.my_application: ValidationException: Environment: variables contain illegal characters
    status code: 400, request id: $GUID

xM8WVqaG on 26 Nov 2018

Any luck here or recommended workarounds?

wcampos on 5 Jul 2019

As a work around in some of our stacks, we uploaded the deployment key to SSM Parameter Store (which is free) and pass in the key name as an environment variable. Then in the deploy recipe we pull the key from SSM PS.

For the stacks without the workaround, in Terraform 11 this problem was a nuisance but as TF 11 only printed the key it wasn't that hard to ignore during the plan/apply.

$ terraform plan

~ aws_opsworks_application.app
    app_source.0.ssh_key:  "*****FILTERED*****" => "-----BEGIN RSA PRIVATE KEY--- ... my-private-key-here"

Now Terraform 12 prints the entire opsworks_application config for every application it's now become really challenging to ignore.

$ terraform plan

 # aws_opsworks_application.my_application will be updated in-place
  ~ resource "aws_opsworks_application" "my_application" {
      <9 lines of configuration>

      ~ app_source {
          + ssh_key = "-----BEGIN RSA PRIVATE KEY-----\nREDACTED\n-----END RSA PRIVATE KEY-----\n"
            type    = "git"
            url     = "REDACTED"
        }

      <91 more lines of configuration>
    }

The diffs have gone from two lines (with a blob of private key) to at least 100 lines (if you have any number of environment variables) with the blob of private key and another blob of TLS certificate if supplied.

xM8WVqaG on 8 Jul 2019

Just reproduced this issue using Terraform v0.11.10

Any workarounds?

wcampos on 12 Jul 2019

Having the same exact issue for Terraform v0.12.3 with provider.aws v2.21.0

Any workaround suggestion is highly appreciated