Persistent diff with ignore_tags when the config applies a matching/ignored tag

[lorengordon]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

$ terraform -v
Terraform v0.14.8
+ provider registry.terraform.io/hashicorp/aws v3.32.0

Affected Resource(s)

• provider.ignore_tags

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

provider "aws" {
  ignore_tags {
    keys = ["Test"]
    key_prefixes = ["foo/"]
  }
}


resource "aws_vpc" "keys" {
  cidr_block = "10.0.0.0/16"

  tags = {
    Name = "testing-ignore-tags-keys"
    Test = "testing"
  }
}

resource "aws_vpc" "key_prefixes" {
  cidr_block = "10.0.0.0/16"

  tags = {
    Name      = "testing-ignore-tags-key-prefixes"
    "foo/bar" = "testing"
  }
}

Expected Behavior

Expected to apply the config, and that a subsequent plan would not display a diff.

Actual Behavior

Terraform wants to re-apply the matching ignored tags even when they are actually specified in the config.

$ terraform plan
aws_vpc.keys: Refreshing state... [id=vpc-0205908ff10822f9d]
aws_vpc.key_prefixes: Refreshing state... [id=vpc-079e089fa0b2b0dd1]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_vpc.key_prefixes will be updated in-place
  ~ resource "aws_vpc" "key_prefixes" {
        id                               = "vpc-xxxxxx"
      ~ tags                             = {
          + "foo/bar" = "testing"
            # (1 unchanged element hidden)
        }
        # (14 unchanged attributes hidden)
    }

  # aws_vpc.keys will be updated in-place
  ~ resource "aws_vpc" "keys" {
        id                               = "vpc-xxxxxx"
      ~ tags                             = {
          + "Test" = "testing"
            # (1 unchanged element hidden)
        }
        # (14 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Steps to Reproduce

1. terraform apply
2. terraform plan

References

I checked but didn't see related issues or documentation.

[lorengordon]

Expanding a little on the use case... What happens is that we have a team that manages the "account boundary." That involves setting up the IAM, Security, and Networking functions. Users in the account have the ability to do most anything else, as long as it does not modify resources that are part of that boundary. Tag-based policy conditions (wherever possible) restrict the users' ability to modify those boundary resources, so users cannot tag the VPC. However, the service roles can tag the VPC. So if a user configures EKS, for example, the service applies the kubernetes tags to the VPC. But if a user is playing with a self-hosted Kubernetes distro, such as Open Shift, they put in a request to the boundary team to apply the tags to the VPC. So we end up in this situation where sometimes the terraform config is applying the tags, and sometimes the AWS service applies the tags (on the user's behalf). And this may be in the same account, with different VPCs!

So we would like to propose that if the terraform config specifies a tag that also matches the ignore_tags attributes, then the tag should not be ignored. It should be managed, as the config seems to represent the intent pretty clearly (to me). But if this is implemented as a new attribute in the ignore_tags block to support both behaviors, that would be fine also. Or at the very least, the persistent diff should be suppressed 😄.

[franklinlevi]

I faced same issue while using "ignore_tags". When there is no change on specific TAG which is part of Ignore_tags, the actual change on AWS resource is not applied, however in a log it shows that the change will take place and "update in-place" will take place. On some resources it's a time consuming operation
Please advise when this issue will be fixed?

[kbratanis]

Hi there,

I came across the same issue. However, it is stated in the documentation that it is the expected behaviour.

"If any resource configuration still has a tag matching one of the prefixes configured in the tags argument, it will display a perpetual difference until the tag is removed from the argument or ignore_changes is also used."

So we will always get a "+" for tags that exist in ignore_tags (keys, or prefix) AND in the Terraform resource configuration, unless we add the tag in the ignore_changes for that resource.

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!