Changing variable used for sensitive value in Terraform without rebuilding the resource

I have a Terraform module that sets the administrator password based on a variable:

admin_password = "${var.local_admin_password}"

However, var.local_admin_password is no longer the only place that the password can come from. I need to change the logic to be something along these lines:

admin_password = "${var.local_admin_password != "" ? var.local_admin_password : module.secrets.local_admin_password}"

If local_admin_password is supplied it uses that, but if that is not supplied then it should get a password from a secrets module.

This works great for new resources. But applying this to old resources triggers a change to the sensitive variable of admin_password which triggers a new resource. Old resources will all have local_admin_password supplied, so the value is not actually changing.

Is there a way to make this change in a way that Terraform recognises that the data is actually the same and not trigger a resource change?


Solution 1:

You could try using ignore_changes within a lifecycle configuration block for the specific resource. Note that this cannot be done at the module level, only per resource.

An example of how it could be used is as follows, where the attribute "acl" would be ignored after initial resource creation:

resource "aws_s3_bucket" "bucket" {
  bucket = "test-bucket"   # the bucket name argument is "bucket", not "name"
  acl    = "private"

  lifecycle {
    # Diffs on "acl" are ignored after the bucket has been created.
    ignore_changes = ["acl"]
  }
}

This behavior is outlined here: https://www.terraform.io/docs/configuration/resources.html#ignore_changes
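As an added example (not from the question or the answer above), here is the question's conditional combined with the ignore_changes approach, written in current HCL syntax. The resource type "example_vm", the module source path and the "name" argument are placeholders, since the page does not name the real resource.

```hcl
# Password may be supplied directly; empty string means "use the secrets module".
variable "local_admin_password" {
  type      = string
  default   = ""
  sensitive = true   # Terraform 0.14+ redacts it in plan/apply output
}

module "secrets" {
  source = "./modules/secrets"   # placeholder path, not given on the page
}

locals {
  # Prefer the explicitly supplied password, otherwise fall back to the module output.
  admin_password = var.local_admin_password != "" ? var.local_admin_password : module.secrets.local_admin_password
}

resource "example_vm" "main" {          # placeholder resource type
  name           = "app-server"
  admin_password = local.admin_password

  lifecycle {
    # After creation, a differing admin_password no longer plans a replacement.
    # This also hides deliberate rotations: remove the entry temporarily (or
    # taint/replace the resource) when the password really must change.
    ignore_changes = [admin_password]
  }
}
```

With the lifecycle block in place, terraform plan against the existing state should report no replacement for these resources even if the expression evaluates differently, so verify the plan before applying.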