Changing variable used for sensitive value in Terraform without rebuilding the resource
I have a Terraform module that sets the administrator password based on a variable
admin_password = "${var.local_admin_password}"
However, var.local_admin_password is no longer the only place that the password can come from. I need to change the logic to be something along these lines:
admin_password = "${var.local_admin_password != "" ? var.local_admin_password : module.secrets.local_admin_password}"
If local_admin_password is supplied it uses that, but if that is not supplied then it should get a password from a secrets module.
This works great for new resources. But applying this to old resources triggers a change to the sensitive variable of admin_password which triggers a new resource. Old resources will all have local_admin_password supplied, so the value is not actually changing.
Is there a way to make this change in a way that Terraform recognises that the data is actually the same and not trigger a resource change?
Solution 1:
You could try using ignore_changes within a lifecycle configuration block for the specific resource. Note, this cannot be done at the module level, but only per-resource.
An example of how it could be used is as follows, where the attribute "acl" would be ignored after initial resource creation:
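resource "aws_s3_bucket" "bucket" {
  # aws_s3_bucket takes the bucket name in the "bucket" argument
  bucket = "test-bucket"
  acl    = "private"

  lifecycle {
    # Later changes to acl are ignored once the bucket exists
    ignore_changes = ["acl"]
  }
}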
This behavior is outlined here: https://www.terraform.io/docs/configuration/resources.html#ignore_changes
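A pre-apply check for the situation in the question, as an added example that is not part of the original question or answer: it reads the JSON form of a plan (`terraform show -json <planfile>`, available from Terraform 0.12) and lists the resources that would be destroyed and recreated, noting whether `admin_password` is the cause. The sample plan, its resource addresses and the `example_*` resource types are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Resource addresses and the example_* types are hypothetical.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.vm.example_vm.old",
   "change": {"actions": ["delete", "create"],
              "replace_paths": [["admin_password"]]}},
  {"address": "module.vm.example_vm.ignored",
   "change": {"actions": ["no-op"]}},
  {"address": "module.vm.example_disk.data",
   "change": {"actions": ["create", "delete"],
              "replace_paths": [["size_gb"]]}},
  {"address": "module.vm.example_nic.nic",
   "change": {"actions": ["update"]}}
]}
""")


def replacements(plan, attribute="admin_password"):
    """Map each resource the plan would destroy and recreate to the cause:
    the watched attribute, "other", or "unknown" when the plan does not say."""
    found = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        # A replacement is planned as delete+create (in either order).
        if not {"delete", "create"} <= set(change.get("actions", [])):
            continue
        paths = change.get("replace_paths")
        if paths is None:  # older Terraform releases omit replace_paths
            found[rc["address"]] = "unknown"
        elif any(attribute in path for path in paths):
            found[rc["address"]] = attribute
        else:
            found[rc["address"]] = "other"
    return found


def blocked(plan, attribute="admin_password"):
    """Addresses that should stop the apply: replaced because of the attribute,
    or replaced for a reason the plan does not report."""
    hits = replacements(plan, attribute)
    return sorted(a for a, why in hits.items() if why != "other")


if __name__ == "__main__":
    for address, why in replacements(SAMPLE_PLAN).items():
        print(f"{address}: replace ({why})")
    raise SystemExit(1 if blocked(SAMPLE_PLAN) else 0)
```

With `ignore_changes` in place on a resource, it should show up here as `no-op` rather than as a replacement. Keep in mind that an ignored `admin_password` also stops later password changes from the variable or the secrets module from reaching that resource.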