Terraform v1.3.1 broke ignore_changes = all #31976
Closed
Description
Terraform Version
Terraform v1.3.1
For both Windows and Linux platforms.
Terraform Configuration Files
provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
    key_vault {
      purge_soft_delete_on_destroy       = false
      purge_soft_deleted_keys_on_destroy = false
      recover_soft_deleted_key_vaults    = false
    }
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "zjhe-f18563"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                       = "zjhef18563"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Create", "Decrypt", "Delete", "Encrypt", "Get", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Verify",
      "WrapKey"
    ]

    secret_permissions = [
      "Set",
    ]
  }
}

resource "time_sleep" "wait_1_seconds" {
  create_duration = "1s"
  depends_on      = [azurerm_key_vault.example]
}

resource "azurerm_key_vault_key" "general_use_sops_key" {
  name         = "zjhe-f18563"
  key_type     = "RSA"
  key_vault_id = azurerm_key_vault.example.id
  key_size     = 4096

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

  lifecycle {
    # ignore_changes = [e, n, public_key_openssh, public_key_pem, resource_id, resource_versionless_id, version, versionless_id]
    ignore_changes  = all
    prevent_destroy = true
  }

  depends_on = [
    time_sleep.wait_1_seconds,
  ]
}
Debug Output
https://gist.github.com/lonegunmanb/dd44776cd320efed85bf46151c7586e1
Expected Behavior
data.azurerm_client_config.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYjE0NWM2OC05YmRmLTQyNzktYjRjZS1mYjYxMDc2
MjVjNGI7b2JqZWN0SWQ9NjI1OWZjMjktZWUxMS00ODQwLWE1MWMtNDAzNGFhODkzZGY0O3N1YnNjcmlwdGlvbklkPTg1YjNkYmNhLTU5NzQtNDA2Ny05NjY5LTY3YTE0MTA5NWE
3Njt0ZW5hbnRJZD03MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDc=]
azurerm_resource_group.example: Refreshing state... [id=/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563]
azurerm_key_vault.example: Refreshing state... [id=/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563/provi
ders/Microsoft.KeyVault/vaults/zjhef18563]
time_sleep.wait_1_seconds: Refreshing state... [id=2022-10-10T03:44:52Z]
azurerm_key_vault_key.general_use_sops_key: Refreshing state... [id=https://zjhef18563.vault.azure.net/keys/zjhe-f18563/0c5bc6d3787842f
cbd23f13de3c922ec]
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
Actual Behavior
data.azurerm_client_config.current: Reading...
azurerm_resource_group.example: Refreshing state... [id=/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563]
data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYjE0NWM2OC05YmRmLTQyNzktYjRjZS1mYjYxMDc2
MjVjNGI7b2JqZWN0SWQ9NjI1OWZjMjktZWUxMS00ODQwLWE1MWMtNDAzNGFhODkzZGY0O3N1YnNjcmlwdGlvbklkPTg1YjNkYmNhLTU5NzQtNDA2Ny05NjY5LTY3YTE0MTA5NWE
3Njt0ZW5hbnRJZD03MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDc=]
azurerm_key_vault.example: Refreshing state... [id=/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563/provi
ders/Microsoft.KeyVault/vaults/zjhef18563]
time_sleep.wait_1_seconds: Refreshing state... [id=2022-10-10T03:44:52Z]
azurerm_key_vault_key.general_use_sops_key: Refreshing state... [id=https://zjhef18563.vault.azure.net/keys/zjhe-f18563/0c5bc6d3787842f
cbd23f13de3c922ec]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
~ update in-place
Terraform will perform the following actions:
# azurerm_key_vault_key.general_use_sops_key will be updated in-place
~ resource "azurerm_key_vault_key" "general_use_sops_key" {
- e = "AQAB" -> null
id = "https://zjhef18563.vault.azure.net/keys/zjhe-f18563/0c5bc6d3787842fcbd23f13de3c922ec"
- n = "qP6OTWLXSULKSnNyMlHp_5gYuM52uDtmBz6SoDLX0iaBfcZVAF_H5QGJpw0HUVKbnGQtleOTyEyNbZd0yo05356d3qziXmoh5dn6
jC6Xyw0kesJIzj6UGVwh4sVZrFWio3xJ-_mTGPHFKRA--pehicUfz2F8OOi-p6kDyQbjQ66g09AaDI8FP-lfLhOpsC_BW6_VtI6h7rn9-FCSBJEyBykv1ECQ4Skc_lTOq4N8ZAU
Q6AexpvdbJf3v-Fh3XQr8FguZKKcoxV-ZvARsafap1uHFjioy_zqWkOQdKI4A2uVobH6IrTX4RXJUNfIbDw1dAHdYpDam4zGsI9JG818rD1g1EIzKvFTJLiS1RL-5wwr7ua3dvr
5DesNmTF9HooDyt6uIV5TokyweeYvXxbX2gkbCJrup-0wtJUxaK_KD9C51evQM5ppRzDTHD0YOA5e0GjaknqkleX7Vnsl6ZAf3xFfYAn8sdLJqb5VL78-rk21cAIhOX8QKWGSsQ
gMqa0feqaCLFVF9iln-pPr958j6Y3K244BJZhFN1nDhE3oevvDoDu2MeS2naQG88Xgm3aIeArowWD1XNCY54zliEzSP4P2ow6KR-c2Eh7FhWXtbJrAXownLL3iZpM4lHWfRVr4_
VznNVdUsg0xbCAdGpgrnZmtKhSTN1AxPmKxfFkGQz60" -> null
name = "zjhe-f18563"
- public_key_openssh = <<-EOT
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCo/o5NYtdJQspKc3IyUen/mBi4zna4O2YHPpKgMtfSJoF9xlUAX8flAYmnDQdRUpucZC2V45PITI1tl3TKjTn
fnp3erOJeaiHl2fqMLpfLDSR6wkjOPpQZXCHixVmsVaKjfEn7+ZMY8cUpED76l6GJxR/PYXw46L6nqQPJBuNDrqDT0BoMjwU/6V8uE6mwL8Fbr9W0jqHuuf34UJIEkTIHKS/UQJ
DhKRz+VM6rg3xkBRDoB7Gm91sl/e/4WHddCvwWC5kopyjFX5m8BGxp9qnW4cWOKjL/OpaQ5B0ojgDa5WhsfoitNfhFclQ18hsPDV0Ad1ikNqbjMawj0kbzXysPWDUQjMq8VMkuJ
LVEv7nDCvu5rd2+vkN6w2ZMX0eigPK3q4hXlOiTLB55i9fFtfaCRsImu6n7TC0lTFor8oP0LnV69AzmmlHMNMcPRg4Dl7QaNqSeqSV5ftWeyXpkB/fEV9gCfyx0smpvlUvvz6uT
bVwAiE5fxApYZKxCAyprR96poIsVUX2KWf6k+v3nyPpjcrbjgElmEU3WcOETeh6+8OgO7Yx5LadpAbzxeCbdoh4CujBYPVc0JjnjOWITNI/g/ajDopH5zYSHsWFZe1smsBejCcs
veJmkziUdZ9FWvj9XOc1V1SyDTFsIB0amCudma0qFJM3UDE+YrF8WQZDPrQ==
EOT -> null
- public_key_pem = <<-EOT
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
EOT -> null
- resource_id = "/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563/providers/Microsoft.K
eyVault/vaults/zjhef18563/keys/zjhe-f18563/versions/0c5bc6d3787842fcbd23f13de3c922ec" -> null
- resource_versionless_id = "/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563/providers/Microsoft.K
eyVault/vaults/zjhef18563/keys/zjhe-f18563" -> null
tags = {}
- version = "0c5bc6d3787842fcbd23f13de3c922ec" -> null
- versionless_id = "https://zjhef18563.vault.azure.net/keys/zjhe-f18563" -> null
# (4 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run
"terraform apply" now.
Steps to Reproduce
terraform init
terraform apply -auto-approve
For those two steps, I used Terraform v1.3.1 on Windows.
docker run --rm -v ${pwd}:/src -w /src -it -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID hashicorp/terraform:1.3.1 plan
Additional Context
You can easily get the expected output by using v1.3.0 image:
docker run --rm -v ${pwd}:/src -w /src -it -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID hashicorp/terraform:1.3.0 plan
This issue only occurs with ignore_changes = all; if we assign the affected attributes explicitly, then the plan will skip the update.
References
No response
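A CI guard for the behaviour reported above, as an added example that is not part of the original issue or of Terraform itself: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and reports any resource the operator expects to be frozen by `ignore_changes = all` that still carries a planned action. The function name `unexpected_changes`, the `frozen_addresses` set and the sample plan are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields used here; attribute values are placeholders.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "azurerm_key_vault_key.general_use_sops_key",
     "change": {"actions": ["update"],
                "before": {"name": "zjhe-f18563", "e": "AQAB", "version": "PLACEHOLDER"},
                "after":  {"name": "zjhe-f18563", "e": null, "version": null},
                "after_unknown": {}}},
    {"address": "azurerm_key_vault.example",
     "change": {"actions": ["no-op"],
                "before": {"sku_name": "premium"},
                "after":  {"sku_name": "premium"},
                "after_unknown": {}}}
  ]
}
""")


def unexpected_changes(plan, frozen_addresses):
    """Map each frozen resource that has a planned action to the attributes
    that would be nulled or otherwise modified by that action."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if rc["address"] not in frozen_addresses or change["actions"] in (["no-op"], ["read"]):
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        nulled, modified = [], []
        for key in sorted(set(before) | set(after) | set(unknown)):
            b, a = before.get(key), after.get(key)
            if b == a and not unknown.get(key):
                continue
            # "value -> null" is the pattern shown in the plan output above.
            if unknown.get(key) or not (a is None and b is not None):
                modified.append(key)
            else:
                nulled.append(key)
        findings[rc["address"]] = {"actions": change["actions"],
                                   "nulled": nulled, "modified": modified}
    return findings


if __name__ == "__main__":
    frozen = {"azurerm_key_vault_key.general_use_sops_key"}  # hypothetical operator list
    for addr, f in unexpected_changes(SAMPLE_PLAN, frozen).items():
        print(f"{addr}: actions={f['actions']} nulled={f['nulled']} modified={f['modified']}")
```

A non-empty result is a reason to stop the pipeline before `terraform apply`, since a key resource marked `prevent_destroy` and `ignore_changes = all` should never appear with a pending action.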