
A aws_ssm_parameter with a lifecycle ignore changes for value stores the secret in state file #20349

Closed
aaronbrashears opened this issue Feb 14, 2019 · 4 comments


@aaronbrashears

aaronbrashears commented Feb 14, 2019

Terraform Version

Terraform v0.11.11
+ provider.aws v1.57.0
+ provider.template v2.0.0

Terraform Configuration Files

resource "aws_ssm_parameter" "export_password" {
  name        = "/database/schema/username/password"
  type        = "SecureString"
  value       = "changeme"
  lifecycle {
    ignore_changes = [
      "value",
    ]
  }
}

Expected Behavior

I would expect that the lifecycle directives would ignore the change to the key.

Actual Behavior

The SecureString shows up in the tfstate file.

Steps to Reproduce

  1. terraform apply the earlier snippet.
  2. change the value of the SecureString in the console.
  3. add a description.
  4. terraform apply

Additional Context

I am uncertain if this is a lifecycle bug or a provider bug. Is it expected to extract the secret from the secure store and place it in the not-secured-at-all tfstate file?
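The report above (and the maintainer's explanation that the value is read back during refresh) is about a SecureString parameter landing in plaintext in the state file. The following scanner is an added example, not code from this issue or from Terraform itself: it walks a state file in either the Terraform 0.11 layout (state `version` 3, `modules[].resources`) or the 0.12+ layout (`version` 4, `resources[].instances`) and reports every `aws_ssm_parameter` of type `SecureString` whose `value` attribute is populated. The two embedded state documents are constructed samples; the parameter values in them are made up. The scanner deliberately reports only the length of a found value, so that running it in CI does not copy the secret into build logs.

```python
"""Detect SecureString SSM parameters whose plaintext value is recorded in a
Terraform state file.  Added example; constructed sample states follow."""
import json
from typing import Dict, Iterator, List, Tuple


def _iter_instances(state: dict) -> Iterator[Tuple[str, str, dict]]:
    """Yield (resource_type, address, attributes) for every resource instance.

    Handles the legacy state layout written by Terraform 0.11 (version 3) and
    the layout written by Terraform 0.12 and later (version 4).
    """
    if state.get("version") == 3:
        for module in state.get("modules", []):
            for address, res in module.get("resources", {}).items():
                attrs = res.get("primary", {}).get("attributes", {})
                yield res.get("type", ""), address, attrs
    else:
        for res in state.get("resources", []):
            address = f'{res.get("type", "")}.{res.get("name", "")}'
            for inst in res.get("instances", []):
                yield res.get("type", ""), address, inst.get("attributes", {})


def find_exposed_secure_strings(state: dict) -> List[Dict[str, object]]:
    """Return one finding per SecureString parameter with a non-empty value.

    The value itself is never included in the finding; only its length is,
    so the report can be printed in CI without leaking the secret.
    """
    findings: List[Dict[str, object]] = []
    for rtype, address, attrs in _iter_instances(state):
        if rtype != "aws_ssm_parameter" or attrs.get("type") != "SecureString":
            continue
        value = attrs.get("value")
        if value:
            findings.append({
                "address": address,
                "name": attrs.get("name", ""),
                "value_length": len(value),
            })
    return findings


def scan_state_text(text: str) -> List[Dict[str, object]]:
    """Parse a tfstate document (JSON text) and scan it."""
    return find_exposed_secure_strings(json.loads(text))


# Constructed Terraform 0.11 state (version 3); values are made up.
SAMPLE_STATE_V3 = json.dumps({
    "version": 3,
    "terraform_version": "0.11.11",
    "modules": [{
        "path": ["root"],
        "resources": {
            "aws_ssm_parameter.export_password": {
                "type": "aws_ssm_parameter",
                "primary": {"attributes": {
                    "name": "/database/schema/username/password",
                    "type": "SecureString",
                    "value": "rotated-in-console-not-a-real-secret",
                }},
            },
            "aws_ssm_parameter.region": {
                "type": "aws_ssm_parameter",
                "primary": {"attributes": {
                    "name": "/config/region", "type": "String", "value": "us-east-1",
                }},
            },
        },
    }],
})

# Constructed Terraform 0.12+ state (version 4); values are made up.
SAMPLE_STATE_V4 = json.dumps({
    "version": 4,
    "resources": [{
        "type": "aws_ssm_parameter",
        "name": "api_key",
        "instances": [{"attributes": {
            "name": "/app/api_key", "type": "SecureString", "value": "k-0000",
        }}],
    }],
})


if __name__ == "__main__":
    for label, doc in (("v3", SAMPLE_STATE_V3), ("v4", SAMPLE_STATE_V4)):
        for f in scan_state_text(doc):
            print(f"[{label}] {f['address']} ({f['name']}): "
                  f"SecureString value of {f['value_length']} chars is in state")
```

Run it against a real state file with `scan_state_text(open("terraform.tfstate").read())`; a non-empty result is the condition the reporter describes. The scanner is only a detector: the remediation discussed in the thread is an encrypted remote backend and the broader work on omitting sensitive values from state, not `ignore_changes`.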

@mildwonkey
Contributor

Hi @aaronbrashears,

"ignore_changes" is intended to direct terraform not to modify a resource if the indicated attribute changes. This does not prevent the attribute from ending up in state, however. While I'm making a bit of an educated guess here, I presume that terraform gets the new value during "refresh" and that's why you see it in state.

You can read more about sensitive secrets in terraform state here. We strongly recommend that you use a remote state backend that supports encryption at rest.

This issue has a lot of good discussion and background on the topic of encrypting state.

I'm sorry I don't have a more satisfying response for you!

@tdmalone

tdmalone commented May 26, 2019

^ The above certainly makes sense, but I'm wondering whether we could consider this a feature request - for the ability for ignore_changes to also ignore refreshing the item / saving the value in state?

My use case: although I have an encrypted state backend, I like to provide read-only access to it in CI for the purposes of regularly reporting on drift. There are certain secret parameters that I would like to keep out of the state - and I don't need to manage those values in Terraform, but I'd still like to manage the rest of the resources without having to have those values recorded.

@apparentlymart
Contributor

Indeed, it seems like this request is mainly a re-statement of the use-case "provide a way to omit sensitive values from state", which is being covered by #516, so I'm going to close this out just to consolidate over there. ignore_changes is working as intended here -- it is not there as a mechanism to omit data from the state -- and whether the design of ignore_changes would be altered as part of a solution to omit, encrypt, or otherwise extract sensitive data from the state will be a matter for the bigger design effort around that use-case, when we get there.

@ghost

ghost commented Jul 25, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Jul 25, 2019