[Bug]: ignore_tags and default_tags not working for nested root_block_device

[xpac1985]

Terraform Core Version

1.6.0

AWS Provider Version

5.20.0

Affected Resource(s)

aws_instance

Expected Behavior

My aws provider is configured with default_tags and ignore_tags settings.
I would expect a root volume auto-created while deploying an aws_instance to inherit the default_tags, and on a subsequent run to not remove tags that are mentioned in ignore_tags.

Actual Behavior

The root_block_device lacks the default_tags. On a subsequent terraform plan, terraform shows the ignore_tags as tags it is going to remove.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

provider "aws" {
  default_tags {
    tags = {
      "terraform_managed" = "true"
    }
  }
  ignore_tags {
    keys = [
      "myspecialtag"
    ]
  }
}

resource "aws_instance" "whatever" {
...
}

Steps to Reproduce

Have terraform create the aws_instance.
Notice that the auto-created block device has no tags attached.
Manually add tag myspecialtag with any value to the block device.
Run terraform plan, see how terraform does not ignore that tag, but schedules it for deletion.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

This bug was already filed in January 2021 in #17257 but incorrectly closed as fixed, it still exists today.

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[jpriebe]

This doesn't help with your ignore_tags issue, but the default_tags on root_block_device is a long-standing bug: #19890

Edit: but apparently, it's been fixed in 5.39.0 of the provider?

[xpac1985]

This doesn't help with your ignore_tags issue, but the default_tags on root_block_device is a long-standing bug: #19890

Edit: but apparently, it's been fixed in 5.39.0 of the provider?

...was, as it seems :D

Edit: yay, respond to the notification email and don't see the edit... :D

[Tethik]

I'm not sure this is working as intended. When I apply with default_tags set I get the following changes on one of my EC2 instances. After apply the changes and the same changes show up again on next plan/apply. (version 5.47.0)

      ~ root_block_device {
          ~ tags                  = {
              + "SystemID"          = "security-gym"
              + "Team"              = "Secure Development"
                # (1 unchanged element hidden)
            }
            # (10 unchanged attributes hidden)
        }

[IrmantasMarozas]

I am getting a perpetual change for tags when using default tags, this breaks our drift detection mechanism as it always shows change.

root_block_device {
    volume_size           = each.value.root_volume_size
    volume_type          = each.value.root_volume_type
    delete_on_termination = each.value.root_volume_delete_on_instance_termination
    encrypted              = true
    kms_key_id           = var.kms_key_id

    tags = {
      owner       = var.owner
      terraformed = true
      repo        = var.repo
      product     = var.product
      env         = var.env
      type        = "root"
    }
  }

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.47.0"
    }
}

provider "aws" {
  region  = "my-region"

  assume_role {
    role_arn            = "role-arn"
    session_name = "my-session"
  }

  default_tags {
    tags = local.tags
  }
}

      ~ root_block_device {
          ~ tags                  = {
              + "env"         = "prod"
              + "owner"       = "[email protected]"
              + "product"     = "my-product"
                "repo"        = "my-repo"
              + "terraformed" = "true"
                "type"        = "root"
            }
            # (10 unchanged attributes hidden)
        }