Can't create a security group with lifecycle ignore_changes #3566

Closed
packplusplus opened this issue Oct 20, 2015 · 11 comments

@packplusplus

If you try to create a security_group with lifecycle ignore_changes you get diffs don't match during apply. I may be misusing the feature, but in that case the docs should be updated to reflect that you have to add the lifecycle policy after creation.

resource "aws_security_group" "sg_ls_server" {
  name = "sg_ls_server"
  description = "sg_ls_server"

  vpc_id = "${aws_vpc.main.id}"

  lifecycle {
    ignore_changes = [ "ingress", "egress"]
  }
}

Output:

Error applying plan:

1 error(s) occurred:

* aws_security_group.sg_ls_server: diffs didn't match during apply. This is a bug with Terraform and should be reported.
@clstokes
Contributor

I'm able to reproduce the diffs didn't match error with 0.6.4, but not with 0.6.3. 0.6.3 applies successfully.

For easy reproducibility:

provider "aws" {
}

resource "aws_security_group" "sg_ls_server" {
  name = "sg_ls_server"
  description = "sg_ls_server"

  #vpc_id = "${aws_vpc.main.id}"

  lifecycle {
    ignore_changes = [ "ingress", "egress"]
  }
}

I'll defer to someone else if ignore_changes can work with sub-resources like you're trying.

@rgabo

rgabo commented Nov 11, 2015

We have a similar diffs didn't match error on 0.6.4-0.6.6 that we didn't see with 0.6.3.

Removing ignore_changes from the ASG solved the problem. Here is the lifecycle block that was causing the issue:

resource "aws_autoscaling_group" "ecs" {
  name = "${var.prefix}-ecs"
  availability_zones = ["${aws_subnet.private.*.availability_zone}"]
  vpc_zone_identifier = ["${aws_subnet.private.*.id}"]
  launch_configuration = "${aws_launch_configuration.ecs.name}"
  min_size = "${var.replication_factor+1}"
  max_size = "${var.ecs_max_size}"
  desired_capacity = "${var.ecs_desired_capacity}"

  depends_on = ["aws_launch_configuration.ecs"]

  lifecycle {
    ignore_changes = ["desired_capacity"]
  }

  ...
}

Hope that helps!

@catsby catsby added core and removed provider/aws labels Nov 11, 2015
@clstokes
Contributor

clstokes commented Dec 2, 2015

I think this issue is broader than just security groups but is specific to ignore_changes.

Here's an aws instance example that fails with the same diffs didn't match during apply error on an initial apply. Fails with 0.6.7 and 0.6.8:

resource "aws_instance" "main" {
  instance_type          = "t2.micro"
  ami                    = "ami-9a562df2"

  lifecycle {
    ignore_changes = ["ami"]
  }
}

@scalp42
Contributor

scalp42 commented Dec 2, 2015

I'm running into the same issues with autoscaling groups.

If we try to ignore desired_capacity for example, then we run into that same diff error, so we've been holding off using the flag unfortunately.

@ilijaljubicic

Same issue with

resource "aws_eip" "default" {
  vpc = true

  lifecycle {
    ignore_changes = ["instance", "network_interface"]
  }
}

and

resource "aws_route_table" "private" {
  vpc_id = "${aws_vpc.default.id}"

  lifecycle {
    ignore_changes = ["route"]
  }
}

on

Terraform v0.6.9-dev (86882e3+CHANGES)

@ilijaljubicic

It seems that resources which use ignore_changes need to be created without it first; once they exist, ignore_changes can be set and then it works.

@scalp42
Contributor

scalp42 commented Dec 20, 2015

@engine07 not working here, resources were created long before ignore_changes existed.

@plombardi89

ignore_changes seems horribly broken :( Just ran into this issue with auto scaling groups.

@phinze
Contributor

phinze commented Mar 14, 2016

Hey folks, rolling up ignore_changes problems in #5627 and tackling fixes today. Head there for updates! 🌷

@phinze phinze closed this as completed Mar 14, 2016
@ghost

ghost commented Apr 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 27, 2020