provider/aws: Opsworks custom cookbooks revision field causes diff mismatch

[phindmarsh]

I have a tf file with the following aws_opsworks_stack resource:

resource "aws_opsworks_stack" "stackname" {
  name = "${var.name}"
  region = "${var.aws_primary_region}"

  configuration_manager_name = "Chef"
  configuration_manager_version = "11.10"

  service_role_arn = "arn:aws:iam::${var.aws_account_id}:role/aws-opsworks-service-role"
  default_instance_profile_arn = "arn:aws:iam::${var.aws_account_id}:instance-profile/aws-opsworks-ec2-role"
  default_os = "Ubuntu 14.04 LTS"
  default_ssh_key_name = "${var.ssh_key_name}"
  default_subnet_id = "${aws_subnet.private.0.id}"
  vpc_id = "${aws_vpc.main.id}"

  use_custom_cookbooks = true
  custom_cookbooks_source {
    url = "[email protected]:org/cookbooks-repo"
    type = "git"
    ssh_key = "${file("../files/cookbook-deploy")}"
    revision = "crontabs" # <--- If this field is different it triggers a diffs didn't match during apply
  }

  lifecycle {
    # ssh_key is filtered from AWS, so ignore changes to it here
    ignore_changes = ["custom_cookbooks_source.0.ssh_key"]
  }

  custom_json = "${file("../files/custom_stack_json.json")}"
}

If the custom_cookbooks_source.0.revision differs from the one in AWS it triggers the following when running terraform apply

* aws_opsworks_stack.stackname: diffs didn't match during apply. This is a bug with Terraform and should be reported.

Basically, the value had been changed in the OpsWorks UI in the AWS Console and unless I updates the resource to have a custom_cookbooks_source.0.revision of the same value, or I remove the value using the AWS Console the above error is raised. If the two values are the same no error is raised.

[phindmarsh]

After some further digging it seems the revision was a misnomer, and actually changes to any field would trigger the error.

I did a TF_LOG=1 (snippet of output here and noticed reason: extra attributes: custom_cookbooks_source.0.ssh_key.

There are a few issues/PRs about this in the past (#4241 and #3635) which I had been suppressing with the lifecycle block.

I had experienced this on 0.6.8, and subsequently upgraded to 0.6.9 but the ssh key is still marked as needing to be updated. However now it seems like in order to change any other field custom_cookbooks_source.0.ssh_key needs to be "" otherwise it will fail.

Steps to reproduce (mine is on an existing stack, I haven't tried provisioning a new one from scratch):

• Create an OpsWorks stack with a custom cookbooks source and ssh key.
• Every time terraform apply is run it shows modifying custom_cookbooks_source.0.ssh_key
• Edit a different field (say name) and re-run terraform apply
• Observe the error about diffs didn't match during apply.
• Set the ssh_key field to ""
• Re-run terraform apply and it will succeed.
• Changing the ssh_key field back to the actual contents will continue to work until another field changes which will trigger the diff error again.

I'm unsure if this is specific to my usage or is a more general error, but at least I can just set the field to "" to get around it for now.

[phinze]

Hi @phindmarsh - thanks for this report. I'm working on fixing up all known ignore_changes issues over in #5627. I'm going to roll this problem description up into the list of things to fix over there. 👍

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.