Terraform ignore_changes for Sub-Blocks: A Complete Guide

Introduction
Step-by-Step Guide
Code Example
Additional Notes
Summary
Conclusion
References

Introduction

In Terraform, the ignore_changes meta-argument allows you to specify resource attributes that Terraform should not manage. This is helpful when external factors might modify these attributes, and you want to prevent Terraform from overriding those changes. This article explains how to use ignore_changes effectively and highlights important considerations to keep in mind.

Step-by-Step Guide

The ignore_changes meta-argument in Terraform allows you to specify resource attributes that Terraform should ignore when determining if a resource needs to be updated. This is useful for situations where a resource attribute might be changed outside of Terraform, or when you want to prevent Terraform from making changes to a specific attribute.

To use ignore_changes, you include it within a lifecycle block within a resource definition. The value of ignore_changes is a list of strings, where each string is a path to an attribute within the resource.

For example, to ignore changes to the tags attribute of an AWS S3 bucket, you would use the following configuration:

resource "aws_s3_bucket" "example" {
  bucket = "my-bucket"

  lifecycle {
    ignore_changes = [tags]
  }
}

You can also use wildcards in the attribute path to ignore changes to multiple attributes. For example, to ignore changes to all attributes within the settings block of an AWS CloudFront distribution, you would use the following configuration:

resource "aws_cloudfront_distribution" "example" {
  # ... other configuration ...

  lifecycle {
    ignore_changes = ["settings.0.*]
  }
}

It's important to note that ignore_changes should be used with caution. If you ignore changes to an important attribute, it could lead to your infrastructure being out of sync with your Terraform configuration.

Here are some additional things to keep in mind when using ignore_changes:

ignore_changes only applies to changes made after it is added to the configuration. If an attribute has already been changed, Terraform will continue to manage it unless you manually revert the change.
ignore_changes does not prevent Terraform from deleting or recreating a resource. If you delete a resource that has ignore_changes configured, Terraform will recreate it with the default values for the ignored attributes.
ignore_changes can be applied to individual elements within a list by specifying the index of the element. For example, to ignore changes to the configuration block of the first action in the first stage of an API Gateway deployment, you would use the following configuration:

resource "aws_api_gateway_deployment" "example" {
  # ... other configuration ...

  lifecycle {
    ignore_changes = ["stage.0.action.0.configuration.0.*"]
  }
}

Overall, ignore_changes is a powerful feature that can be useful in certain situations. However, it's important to understand how it works and to use it with caution to avoid unintended consequences.

Code Example

The text provides examples of using the ignore_changes lifecycle argument in Terraform to manage changes to specific resource attributes. It includes examples for ignoring changes to S3 bucket tags, CloudFront distribution settings, and API Gateway configurations. The text emphasizes caution when using ignore_changes as it can lead to configuration drift if not managed properly. It also notes that ignore_changes only affects changes made after its implementation and doesn't prevent resource deletion or recreation. The text concludes by recommending thorough testing after implementing ignore_changes to avoid unexpected consequences.

Here are some examples demonstrating the use of ignore_changes in Terraform:

1. Ignoring Changes to S3 Bucket Tags:

This example shows how to ignore changes to the tags attribute of an AWS S3 bucket:

resource "aws_s3_bucket" "example" {
  bucket = "my-bucket"

  lifecycle {
    ignore_changes = [tags]
  }
}

2. Ignoring Changes to CloudFront Distribution Settings:

This example demonstrates ignoring changes to all attributes within the settings block of an AWS CloudFront distribution:

resource "aws_cloudfront_distribution" "example" {
  origin {
    domain_name = "my-bucket.s3.amazonaws.com"
    origin_id   = "S3-my-bucket"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "http-only"
      origin_ssl_protocols  = ["TLSv1.2"]
    }
  }

  enabled = true
  default_root_object = "index.html"

  default_cache_behavior {
    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"]
    target_origin_id = "S3-my-bucket"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
  }

  price_class = "PriceClass_All"
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  lifecycle {
    ignore_changes = ["settings.0.*"]
  }
}

3. Ignoring Changes to Specific API Gateway Configuration:

This example illustrates ignoring changes to the configuration block of the first action in the first stage of an API Gateway deployment:

resource "aws_api_gateway_deployment" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name  = "prod"

  lifecycle {
    ignore_changes = ["stage.0.action.0.configuration.0.*"]
  }
}

resource "aws_api_gateway_rest_api" "example" {
  name        = "my-api"
  description = "My API Gateway"
}

Important Considerations:

Use ignore_changes cautiously as it can lead to configuration drift.
It only affects changes made after adding it to the configuration.
It doesn't prevent resource deletion or recreation.
Deleted resources with ignore_changes will be recreated with default values for ignored attributes.

Remember to thoroughly test your Terraform code and infrastructure after implementing ignore_changes to avoid unexpected consequences.

Additional Notes

Configuration Drift: While ignore_changes is useful, it can lead to configuration drift where your Terraform code no longer accurately reflects the actual state of your infrastructure. Regularly review resources with ignore_changes to ensure they haven't deviated from your intended configuration. Consider using tools or scripts to help you detect and reconcile drift.
Alternatives to ignore_changes: Before using ignore_changes, explore alternative solutions. For instance:
- External Data Sources: If external systems manage specific attributes, use Terraform data sources to fetch and utilize those values instead of managing them directly.
- Modularization: Break down your infrastructure into smaller, reusable modules. This can help isolate resources with external dependencies and make your codebase more manageable.
Partial Attribute Management: You can't use ignore_changes to ignore changes to a specific part of a complex attribute (like a single key in a map). If you need this level of granularity, consider refactoring your Terraform code or using external tools to manage those specific attributes.
State Manipulation: Avoid manually modifying the Terraform state to work around ignore_changes issues. This can lead to inconsistencies and make your infrastructure harder to manage. If you need to make changes outside of Terraform, update your code to reflect those changes as soon as possible.
Testing: Thoroughly test your Terraform code, including scenarios where external changes might occur to resources with ignore_changes. This helps ensure your infrastructure behaves as expected and minimizes the risk of unexpected consequences.
Documentation: Clearly document why you're using ignore_changes for specific resources and attributes. This helps other team members understand your reasoning and avoid accidental modifications.

Summary

Feature	Description
Purpose	Instructs Terraform to disregard changes made to specific resource attributes, preventing unnecessary updates.
Implementation	Add a `lifecycle` block with an `ignore_changes` argument to the desired resource definition.
Syntax	`ignore_changes = [<list of attribute paths>]`
Attribute Paths	Use strings to specify attribute paths. Wildcards (`*`) can target multiple attributes.
Examples	- `ignore_changes = ["tags"]` ignores changes to the `tags` attribute. - `ignore_changes = ["settings.0.*]` ignores changes to all attributes within the first element of the `settings` block.
Cautions	- Use sparingly as it can lead to infrastructure drift. - Only affects changes made after its implementation. - Doesn't prevent resource deletion/recreation (defaults will be used for ignored attributes).
Advanced Usage	Target specific list elements using their index: `ignore_changes = ["stage.0.action.0.configuration.0.*"]`

In essence: ignore_changes provides granular control over Terraform's change management, but requires careful consideration to avoid configuration discrepancies.

Conclusion

The ignore_changes meta-argument in Terraform is a powerful tool for managing resource attributes that might be modified outside of Terraform's control. By using ignore_changes, you can prevent Terraform from overriding changes made by external systems or users. However, it's crucial to use this feature judiciously. Ignoring changes to critical attributes can lead to configuration drift and inconsistencies between your infrastructure and Terraform code. Always carefully consider the potential implications before using ignore_changes, and prioritize alternative solutions like data sources or modularization when possible. Remember to thoroughly test your code, document your decisions, and regularly review resources with ignored changes to ensure your infrastructure remains consistent and manageable.

References

Ability to ignore changes of parameters in a set of blocks · Issue ... | Terraform Version Terraform v1.1.9 on linux_amd64 Terraform Configuration Files resource "aws_cloudfront_distribution" "distribution" { # ... omitted ... lifecycle { ignore_changes = [origin.0.orig...
How to Use Ignore_Changes in Terraform Lifecycle | Learn how to use the ignore_changes argument in the Terraform lifecycle meta-arguments. See examples for tags and all changes.
Terraform not ignoring changes in sub config block · Issue #24719 ... | Hi there, Terraform not ignoring changes in configurations of a sub-block in the EMR cluster resources. I would like to ignore changes in master_instance_group["instance_count"] and core_instance_g...
How do I have the ignore_changes part of a lifecycle block ignore ... | Posted by u/MohnJaddenPowers - 1 vote and 9 comments
The lifecycle Meta-Argument - Configuration Language | Terraform ... | The arguments available within a lifecycle block are create_before_destroy, prevent_destroy, ignore_changes, and replace_triggered_by.
Ignore Changes in sub properties : r/Terraform | Posted by u/vennemp - 6 votes and 10 comments
amazon web services - Terraform ignore_changes block on JSON ... | Dec 8, 2020 ... There is no way to ignore changes to only part of a string, because Terraform implements ignore_changes by taking the previous value of that ...
Use lifecycle.ignore_changes on dynamic block - Terraform ... | Hi everyone! Last time when I had quite specific problem this community really help me, therefore I have some challenge for you! I had created initiative on Azure, but I need to put inside “definition_references” empty dictionary in “parameter_values”. I can’t type “null”, because inside “azurerm_policy_set_definition” I have to use dynamic block for provide more then one “definition_references” inside. Forcing “null” variable there respond an error when I have defined parameter somewhere else...
Terraform - Understanding the Lifecycle Block - DEV Community | DevOps - Terraform - Understanding the Lifecycle Block