28

I have an AWS CodePipeline configured in a Terraform file, like this:

resource "aws_codepipeline" "codepipeline" {
    name = "Cool Pipeline"
    ...

    stage {
        name = "Source"
        ...

        action {
            name = "Source"
            ...

            configuration {
                Owner = "Me"
                Repo = "<git-repo-uri>"
                Branch = "develop"
                OAuthToken = "b3287d649a28374e9283c749cc283ad74"
            }
        }
    }

    lifecycle {
        ignore_changes = "OAuthToken"
    }
}

The reason for ignoring the token is that the AWS API doesn't show that token to Terraform; instead, the AWS API outputs this with `aws codepipeline get-pipeline <name>`:

"pipeline": {
    "stages": {
        "name": "Source",
        "actions": {
            "configuration": {
                "OAuthToken": "****"
            }
        }
    }
}

The result is that when I perform the `terraform plan`, it shows me it wants to update that token, like so:

module.modulename.aws_codepipeline.codepipeline
      stage.0.action.0.configuration.%:          "3" => "4"
      stage.0.action.0.configuration.OAuthToken: "" => "b3287d649a28374e9283c749cc283ad74"

My question is, how can I get the ignore_changes to take effect? I've tried this without any success:

ignore_changes = ["OAuthToken"]
ignore_changes = ["oauthtoken"]
ignore_changes = ["stage.action.configuration.OAuthToken"]

All examples I've found googling just show how to ignore on the same block level.

(The token in this text is fake.)

Wrench

3 Answers

30

This syntax, as hinted by terraform plan output, solved the problem:

ignore_changes = [
    "stage.0.action.0.configuration.OAuthToken",
    "stage.0.action.0.configuration.%"
]

Another way to solve it is to add the GITHUB_TOKEN system environment variable, with the token as the value. This way you do not need the ignore_changes directive in the tf files.

Wrench
  • 2
    Glad that you found a way to solve this but this is a bug in the resource and should be raised as an issue. You can raise it [here](https://github.com/terraform-providers/terraform-provider-aws/issues) if you're happy to do that so it fixes it for other people and means you can remove your `ignore_changes` stanza. – ydaetskcoR Jan 14 '18 at 19:26
  • Since I wrote this question, I found from documentation that you can also use the `GITHUB_TOKEN` system environment which then stops it from happening. I mean, AWS doesn't give you the value of the github token, for security reasons, so how would terraform know the value has not been changed? – Wrench Jan 14 '18 at 23:38
  • 2
    This helped me solve a problem with Azure app services getting lots of app settings added by the infrastructure (for example, Azure DevOps deployments) that I don't want to affect TF plans. Adding the following filtered this setting out of plan diffs: `lifecycle { ignore_changes = [ "app_settings.APPINSIGHTS_PROFILERFEATURE_VERSION" ] }` – gabe Mar 27 '19 at 19:32
11

This syntax is deprecated:

ignore_changes = [
    "stage.0.action.0.configuration.OAuthToken",
    "stage.0.action.0.configuration.%"
]

But the new one is ignored in v1.0.0 for some reason:

ignore_changes = [
  stage[0].action[0].configuration.OAuthToken,
  stage[0].action[0].configuration,
]
Artur Yarosh
  • 1
    I can confirm that I'm also experiencing an issue with ignore_changes not being taken into consideration, so I've opened a GitHub issue: https://github.com/hashicorp/terraform/issues/28953 – Bogdan Emil Mariesan Jun 14 '21 at 14:31
1

I have encountered a similar case and I resolved it as follows:

ignore_changes = [
   stage[0].action[0].configuration["OAuthToken"]
]
Luca Motta
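
The answers above move from the legacy dotted `ignore_changes` paths to the newer reference syntax. As an added example (not code from any of the answers or from Terraform itself), this Python helper translates the old paths into the new form; the function names and the index/map-key heuristic are assumptions. It drops the `%` count entry when a specific key is already listed, so that changes to the other `configuration` keys still show up in the plan.

```python
import re

_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*\Z")
_COUNT = ("%", "#")  # flatmap element-count keys for maps and lists/sets


def flatmap_to_reference(path):
    """Translate one legacy path, e.g. 'stage.0.action.0.configuration.OAuthToken'.

    Heuristic, no provider schema consulted (assumption): digits are an index,
    and a name directly after another name is a map key.
    Map keys that contain dots cannot be recovered.
    """
    segs = path.split(".")
    if segs[-1] in _COUNT:  # count key -> the containing attribute
        segs = segs[:-1]
    if not segs or not _NAME.match(segs[0]):
        raise ValueError(f"malformed flatmap path: {path!r}")
    out, after_name = segs[0], True
    for seg in segs[1:]:
        if seg.isdigit():
            out, after_name = f"{out}[{seg}]", False
        elif after_name and seg and '"' not in seg and "\\" not in seg:
            out, after_name = f'{out}["{seg}"]', False
        elif _NAME.match(seg):
            out, after_name = f"{out}.{seg}", True
        else:
            raise ValueError(f"malformed flatmap path: {path!r}")
    return out


def migrate(paths):
    """Translate a legacy ignore_changes list, keeping the ignore narrow.

    The count key has no counterpart in the new syntax; its nearest equivalent
    is the whole container, which also hides changes to every other key. It is
    therefore emitted only when no specific key of that container is listed.
    """
    refs = [flatmap_to_reference(p) for p in paths if p.split(".")[-1] not in _COUNT]
    refs = list(dict.fromkeys(refs))  # de-duplicate, keep order
    for p in paths:
        if p.split(".")[-1] in _COUNT:
            parent = flatmap_to_reference(p)
            if not any(r == parent or r.startswith((parent + "[", parent + "."))
                       for r in refs):
                refs.append(parent)
    return refs


if __name__ == "__main__":
    legacy = ["stage.0.action.0.configuration.OAuthToken",  # list from the first answer
              "stage.0.action.0.configuration.%"]
    print("ignore_changes = [\n  " + ",\n  ".join(migrate(legacy)) + ",\n]")
```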