Terraform: ignore_changes should support wildcards

Created on 16 Mar 2016 · 11 Comments · Source: hashicorp/terraform

In my particular example I have a case where I'd like to ignore a single property of a route, but I can't
determine the item id, since it's actually going to be route.123323232323.instance_id, and I can't predict
what that ID is going to be like.

Instead of simply doing a prefix match, it would be nice if wildcards (or regexps, really) were also supported.

resource "aws_route_table" "private" {
  lifecycle {

    ignore_changes = [
      # One of these should work, but they don't, so be careful if we ever need to change the routes below
      #"route.*.instance_id",
      #"route.instance_id",
      #"instance_id",
      "route",
    ]
  }

  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = "${aws_network_interface.private-nat.id}"
  }
}

All 11 comments

Hi @gozer - yep this use case definitely makes sense! Tagged.

Agree with @gozer. This also applies to resources like aws_db_parameter_group that take a list of db_parameters to apply.

resource "aws_db_parameter_group" "default" {
  name        = "rds-pg"
  family      = "mysql5.6"
  description = "RDS default parameter group"

  parameter {
    name  = "character_set_server"
    value = "utf8"
  }

  parameter {
    name  = "character_set_client"
    value = "utf8"
  }

  lifecycle {
    ignore_changes = ["parameter"]
  }
}

This will ignore changes for all parameters and won't allow ignoring only, say, the "character_set_client" parameter.

  lifecycle {
    ignore_changes = ["parameter.character_set_client"]
  }

Also, I suggest there should be a _negation_ option available, something like the one below, to ignore changes to all parameters but character_set_client:

lifecycle { not_ignore_changes = [ "parameter.character_set_client" ] }

I am not sure what I am missing, but I can't get ignore_changes to work on nested objects like https://www.terraform.io/docs/providers/aws/r/emr_cluster.html#emr_managed_master_security_group.
It's annoying that they change, because they are AWS managed so they change all the time...
This is what I came up with, which won't work:

resource "aws_emr_cluster" "cluster" {
  lifecycle {
    ignore_changes = ["step", "ec2_attributes.0.emr_managed_master_security_group", "ec2_attributes.0.emr_managed_slave_security_group"]
  }
}

Does anyone have an insight into what I can do to make it work? Just using "emr_managed" does not work either:

resource "aws_emr_cluster" "cluster" {
  lifecycle {
    ignore_changes = ["step", "emr_managed"]
  }
}

This got a "yep this use case definitely makes sense! Tagged." but hasn't seen any implementation for over 2 years? Will this ever be supported?

@gozer you found any workaround for this issue?

Any updates on this feature request?

I'm using Cloud Custodian which makes heavy use of tags prefixed by c7n to, for example, mark resources with Security Hub finding IDs and to mark them for future operations such as stopping an EC2 instance or deleting an S3 bucket. Being able to ignore all tags prefixed with c7n would be a huge help here, since I don't think Cloud Custodian gives you much ability to customize the tag keys it uses on resources.

This feature would be very helpful for managing subnets that are used by EKS clusters.
I have exactly the same situation as described here, and have to ignore changes to all tags instead of using something similar to this: _kubernetes.io/cluster/*_
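As an added illustration (not part of this issue and not Terraform's own code), the following Python models the matching the original post asks for and the tag use cases above, on constructed flatmap-style attribute paths: a plain prefix match forces the broad "route" pattern, which also hides a changed cidr_block, while segment wildcards let only the unpredictable instance_id and the c7n-prefixed tags be ignored. All keys, ids and values are constructed samples, not from any real state.

```python
import re

# Constructed before/after attribute maps for one aws_route_table. The numeric
# segment is the hashed block index the issue author cannot predict in advance.
BEFORE = {
    "route.#": "1",
    "route.123323232323.cidr_block": "0.0.0.0/0",
    "route.123323232323.instance_id": "i-0aaaaaaaaaaaaaaaa",
    "tags.Name": "private",
    "tags.c7n_finding_id": "",
}
AFTER = {
    "route.#": "1",
    "route.123323232323.cidr_block": "10.0.0.0/8",        # security-relevant drift
    "route.123323232323.instance_id": "i-0bbbbbbbbbbbbbbbb",  # expected churn
    "tags.Name": "private",
    "tags.c7n_finding_id": "placeholder-finding-id",      # tool-managed tag
}


def changed_keys(before, after):
    """Sorted attribute paths whose value differs between the two maps."""
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def prefix_ignored(key, patterns):
    """Matching as described in the issue: a pattern ignores itself and everything below it."""
    return any(key == p or key.startswith(p + ".") for p in patterns)


def _glob_regex(pattern):
    """Turn 'route.*.instance_id' into a regex where '*' spans a single dotted segment."""
    segs = ["[^.]*".join(re.escape(part) for part in seg.split("*")) for seg in pattern.split(".")]
    return re.compile(r"^" + r"\.".join(segs) + r"(\.|$)")


def glob_ignored(key, patterns):
    """Proposed matching: wildcards per segment, still covering nested paths below a match."""
    return any(_glob_regex(p).search(key) for p in patterns)


def drift_report(before, after, patterns, matcher):
    """Split changed paths into (reported, ignored) under the given ignore matcher."""
    changed = changed_keys(before, after)
    ignored = [k for k in changed if matcher(k, patterns)]
    return [k for k in changed if k not in ignored], ignored


if __name__ == "__main__":
    print("prefix 'route':", drift_report(BEFORE, AFTER, ["route"], prefix_ignored))
    print("glob   'route.*.instance_id', 'tags.c7n*':",
          drift_report(BEFORE, AFTER, ["route.*.instance_id", "tags.c7n*"], glob_ignored))
```

With the broad prefix the cidr_block change is silently dropped from the plan; with the segment wildcard it is still reported while the instance_id churn and the c7n tag are ignored.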

It looks like v2.60.0 of the AWS provider includes this PR that adds provider-level ignore_tags functionality! I haven't tested it out yet, but I think that would address this feature request (or at least my use case with Cloud Custodian and Security Hub). https://github.com/terraform-providers/terraform-provider-aws/releases

I'm in a situation where I would like to use lifecycle to ignore changes to all ip_restriction blocks in the azurerm_app_service. For example:

resource "azurerm_app_service" "webapp" {
  name                = lower(join("-", [azurerm_resource_group.rg.location, "mytestwebapp-83749195"]))
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  app_service_plan_id = azurerm_app_service_plan.asp.id
  enabled             = true
  site_config {
    always_on = true
    use_32_bit_worker_process = false
    dotnet_framework_version  = "v4.0"
    websockets_enabled        = true
  }
  lifecycle {
    ignore_changes = [tags, app_settings, site_config.ip_restriction]
  }
}

In this example, I want to be able to configure site_config in Terraform, but I don't want Terraform to change ip_restriction blocks; in this resource, the ip_restriction block lives inside the site_config {} block, as the azurerm_app_service documentation shows.

Update: I figured out how to ignore all ip_restriction changes in site_config. I had to use an index reference:

  lifecycle {
    ignore_changes = [tags, app_settings, site_config["ip_restriction"]]
  }

Here's the workaround I used to avoid resetting the tags on subnets that are used by EKS clusters. I used the new ignore_tags feature in the AWS provider:

provider "aws" {
  region = var.region
  ignore_tags {
    key_prefixes = ["kubernetes.io"]
  }
}