Understanding the Terraform ignore_changes Lifecycle Block
Learn how and when to use the ignore_changes life cycle block.
The lifecycle block in Terraform is a powerful meta-argument that allows you to control how Terraform manages the resources in your state file, overriding its default behavior. Among its arguments, ignore_changes is one of the most critical for platform stability and flexibility, enabling you to manage infrastructure that evolves both inside and outside of your HCL code.
In essence, ignore_changes tells Terraform: "When you run a plan, do not consider changes to these specific attributes, even if the state value no longer matches the HCL value."
What Problem Does ignore_changes Solve?
Terraform’s core function is to ensure that the actual state of your infrastructure matches the desired state defined in your HCL code. When these two don't match, Terraform plans an update to correct the drift.
ignore_changes is essential for three common scenarios where this drift is harmless or intentional:
- Computed Defaults: When a cloud provider automatically sets an attribute after creation (e.g., a default security policy or a unique ID), and you don't define that attribute in your HCL. Without
ignore_changes, Terraform will constantly try to remove or reset the attribute, creating noise in your plan. - External Modifications: When a cloud service, a separate automation script, or a human administrator makes changes to an attribute (like updating a tag, or changing a database setting) outside of your Terraform workflow. You want the resource to remain managed by Terraform, but you want to ignore this specific attribute change.
- Module Upgrades/Refactoring: After importing existing infrastructure or refactoring a module, using
ignore_changescan temporarily suppress false positives, allowing you to gradually update the HCL without risking an immediate, destructiveapply.
How to Use the ignore_changes Block
The lifecycle block is placed inside a resource block. The ignore_changes argument accepts a list of attribute names that should be excluded from drift detection.
Syntax
resource "resource_type" "resource_name" {
# Standard resource configuration...
lifecycle {
# Provide a list of attribute names to ignore.
ignore_changes = [
attribute_one,
attribute_two,
# You can also use the special keyword 'all'
# all,
]
}
}
Example: Ignoring Tags and Network Rules
Imagine you have an AWS EC2 instance. You want Terraform to manage its type and AMI, but you allow your monitoring team to update certain tags and a separate tool manages the user data script after the instance is running.
resource "aws_instance" "web_server" {
ami = "ami-0abcdef1234567890"
instance_type = "t2.micro"
# Standard tags managed by Terraform
tags = {
Project = "MyWebApp"
Owner = "Team Alpha"
}
lifecycle {
# Ignore tags_all, allowing external automation to add/remove tags without
# triggering a plan difference for this resource.
# Also ignore 'user_data' if a bootstrap tool modifies it post-launch.
ignore_changes = [
tags_all,
user_data,
]
}
}
Key Considerations and Best Practices
The tags vs. tags_all Dilemma
Most cloud providers have a tags argument (explicitly managed) and a tags_all argument (the complete set of tags, including provider-default tags).
- If you use
ignore_changes = [tags], Terraform will ignore only the tags you explicitly defined. This is rarely what you want. - If you use
ignore_changes = [tags_all], Terraform ignores all tag changes on the resource. This is often the safest choice if you want to allow external tag management, but it means Terraform can never enforce a specific tag set.
Using all
The special keyword all ignores changes to every attribute on the resource.
lifecycle {
ignore_changes = all
}
While this prevents any resource drift, it effectively turns the resource into a read-only resource for Terraform. Any changes you make to that resource's block in HCL (e.g., changing instance_type from t2.micro to t2.medium) will be ignored by Terraform. Use all only when the resource is managed entirely by another system, and you only need Terraform to prevent its accidental destruction.
State-Only vs. Configuration-Based Changes
ignore_changes works by comparing the current state (what Terraform read from the cloud) against the configuration (what is written in your HCL). It only suppresses the plan output; the actual change still exists in the cloud.
If you change an attribute in your HCL and also use ignore_changes for that attribute, Terraform will ignore your HCL change on the next apply. You must remove the attribute from the ignore_changes list, run apply, and then optionally add it back.
for_each and Dynamic Attributes
You can use a for loop inside the ignore_changes block to dynamically generate a list of attributes to ignore, but only when ignoring attributes on a set of resources created with count or for_each.
For example, to ignore the description on a set of security group rules:
resource "aws_security_group_rule" "ingress" {
# ... configuration using count or for_each
lifecycle {
ignore_changes = [
for i in range(0, length(aws_security_group_rule.ingress)) : ingress[i].description
]
}
}Using ignore_changes with Drift
The ignore_changes lifecycle meta-argument is your primary tool for managing and controlling configuration drift on specific attributes of a resource. Drift occurs when the actual state of a resource in the cloud no longer matches the desired configuration defined in your HCL code.
By using ignore_changes, you instruct Terraform to stop tracking changes to a specific set of attributes on a given resource, effectively preventing planned updates that would otherwise be generated to correct the drift.
For example, you manage an EC2 instance, but we want to allow an external system to update the tags and user data without Terraform constantly detecting and trying to revert those changes.
resource "aws_instance" "web" {
ami = "ami-0abcdef1234567890"
instance_type = "t2.micro"
# Standard configuration that Terraform WILL manage
subnet_id = aws_subnet.public.id
lifecycle {
# 1. Ignore the 'user_data' field, allowing a separate script to modify it.
# 2. Ignore 'tags_all', which prevents Terraform from trying to remove
# any tags added by non-Terraform systems.
ignore_changes = [
user_data,
tags_all,
]
}
}