Option to display "Objects have changed outside of Terraform" section, hide it by default. #29808

Closed
lra opened this issue Oct 26, 2021 · 5 comments
Labels
enhancement new new issue not yet triaged

Comments

@lra
lra commented Oct 26, 2021

This is a follow-up to #28803

  • Before terraform 0.15.4, plan and apply only showed the "Terraform will perform the following actions" section.
  • Since terraform 0.15.4, plan and apply now show both "Terraform will perform the following actions" and "Objects have changed outside of Terraform".

We want an option to hide the "Objects have changed outside of Terraform" part of the plan and apply commands, because this is verbose, confusing, and only needed when we want to understand an issue.

#28803 (comment) is not satisfactory; we understand what is being proposed, and that is not what is being asked.

The ask is simple: Hide the "Objects have changed outside of Terraform" by default and provide an option to display it when we want to.

@lra lra added enhancement new new issue not yet triaged labels Oct 26, 2021
@llamahunter
Alternatively, leave the current behavior as the default, but provide an option to suppress the 'changed outside of terraform' output.

@dominics
dominics commented Dec 9, 2021

As a workaround that solves this particular request, this sed line mentioned in the original thread looks pretty good: #28803 (comment)

I know it has the potential to be flaky in the future, under output formatting changes, ANSI codes, etc. - but at least it currently provides a way to get the functionality we're looking for without waiting for the large cross-cutting changes that the core team proposed in the original thread. Provided you're in a context where you can wrap the execution of course.

I do think the original thread was taken far, far off course by the repeated mentions of ignore_changes, and heuristics for whether to show a particular resource change.

I think it's worth having this separate issue to track who would be interested in always showing none of them when using terraform show -some-flag (as compared to a solution that will make the ones that are displayed more selective when doing a default terraform plan - that's much, much harder).
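The sed one-liner dominics refers to is only linked from the thread, not reproduced here, so the filter below is an added example (not from the thread or from Terraform itself) of the same wrapper idea in Python: it drops the drift section between its heading and the horizontal rule Terraform prints before the execution plan, strips ANSI colour codes before matching, and leaves the output untouched if the rule it expects is missing, which is the format-change failure mode dominics flags. The heading text and rule character are assumptions about Terraform 0.15.4+ output, and the sample plan is constructed.

```python
import re
import sys

# ANSI CSI sequences (colour codes) are stripped before matching so the filter
# works on coloured output as well as on -no-color output.
ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")
DRIFT_HEADING = "Objects have changed outside of Terraform"
# Assumption: Terraform 0.15.4+ closes the drift section with a horizontal
# rule of box-drawing characters (U+2500) before the execution plan.
RULE_RE = re.compile(r"^\s*\u2500{3,}\s*$")

def hide_drift_section(plan_text: str) -> str:
    """Return plan_text without the drift section. Fail safe: if no closing
    rule follows the heading (format change), return the text unchanged."""
    lines = plan_text.splitlines(keepends=True)
    start = next((i for i, ln in enumerate(lines)
                  if DRIFT_HEADING in ANSI_RE.sub("", ln)), None)
    if start is None:
        return plan_text
    end = next((j for j in range(start + 1, len(lines))
                if RULE_RE.match(ANSI_RE.sub("", lines[j]))), None)
    if end is None:
        return plan_text
    tail = lines[end + 1:]
    if tail and not tail[0].strip():  # drop the blank line after the rule
        tail = tail[1:]
    return "".join(lines[:start] + tail)

# Constructed sample in the shape of the thread's output (values are made up).
SAMPLE_PLAN = """\
\x1b[1mNote:\x1b[0m Objects have changed outside of Terraform
  # github_team_repository.developers has been changed
  ~ resource "github_team_repository" "developers" {
      ~ etag = "W/\\"old\\"" -> "W/\\"new\\""
    }

\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500

Terraform will perform the following actions:

  # aws_iam_role.role will be updated in-place
  ~ resource "aws_iam_role" "role" {
    }
Plan: 0 to add, 1 to change, 0 to destroy.
"""

if __name__ == "__main__":  # usage: terraform plan | python hide_drift.py [--show-drift]
    text = sys.stdin.read()
    sys.stdout.write(text if "--show-drift" in sys.argv[1:] else hide_drift_section(text))
```

Because the section is only hidden when its closing rule is found, a future change to Terraform's layout degrades to showing the drift again rather than to dropping part of the plan.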

@tomharrisonjr
The problem with the current output is that it's almost always noise ... but not always. We see entire IAM policies in which the order of two items flip-flops, every GitHub commit results in a new etag, and similar.

So having read about this before, apparently there's some issue with using lifecycle directives. That would be what I would look for, at least in the GitHub etags case.

Here's the case of the flip-flopping policy:

  # module.role.aws_iam_role.role[0] has been changed
  ~ resource "aws_iam_role" "role" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = "sts:AssumeRole"
                        Effect    = "Allow"
                        Principal = {
                            Service = [
                                "ec2.amazonaws.com",
                                "glue.amazonaws.com",
                            ]
                        }
                        Sid       = ""
                    },
                  ~ {
                      ~ Principal = {
                          ~ AWS = [
                              - "arn:aws:iam::123456789012:role/kiam-server",        #### This entry in this position flipflops with 
                                "arn:aws:iam::123456789012:role/nodes.us-west-1.dev-2.k8s",
                              + "arn:aws:iam::123456789012:role/kiam-server",       #### the same entry in this position
                                "arn:aws:iam::2468101214161:root",
                            ]
                        }
                        # (3 unchanged elements hidden)
                    },
                    {
                        Action    = "sts:AssumeRoleWithSAML"
                        Condition = {
                            StringEquals = {
                                SAML:aud = "https://signin.aws.amazon.com/saml"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            Federated = "arn:aws:iam::123456789012:saml-provider/Okta"
                        }
                        Sid       = ""
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        id                    = "product-analytics-development"
        name                  = "product-analytics-development"
        tags                  = {
            "app"         = "product-analytics"
            "environment" = "development"
        }
        # (9 unchanged attributes hidden)
 
        # (3 unchanged blocks hidden)
    }

and here's a case of the github tags:

  # module.app.module.repo.github_team_repository.cd-robots has been changed
  ~ resource "github_team_repository" "cd-robots" {
      ~ etag       = "W/\"5feb9667b8530c035348abe87267fdaddcb4195b9888fd5972390818ab3ec6bd\"" -> "W/\"09e6fedc2ce4ae83b71b2a1d254d05a5285ad8ef17df289fad40be2c1de7ba97\""
        id         = "2174681:company"
        # (3 unchanged attributes hidden)
    }
  # module.app.module.repo.github_branch_protection.master[0] has been changed
  ~ resource "github_branch_protection" "master" {
        id                      = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMTU2NzkxNg=="
      + required_linear_history = false
        # (7 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          + restrict_dismissals             = false
            # (4 unchanged attributes hidden)
        }

        # (1 unchanged block hidden)
    }
  # module.app.module.repo.github_team_repository.developers has been changed
  ~ resource "github_team_repository" "developers" {
      ~ etag       = "W/\"000f9c964d349b48730e7a86d46d52c1390affafc24d21ba37b4d14aa8264cd5\"" -> "W/\"9ace9ad8d4e91a9ade9f2548808417256c986c53a12435a0b7871ccb6d56599c\""
        id         = "1161217:company"
        # (3 unchanged attributes hidden)
    }
  # module.app.module.repo.github_team_repository.owners has been changed
  ~ resource "github_team_repository" "owners" {
      ~ etag       = "W/\"cfb668865f2023663513e2a14b52c4f765bca076f917677bde88a218df854463\"" -> "W/\"e9cb61f9d59b1d6d7d1d10d4fbaf504e65ff4c391d532a482024cb0e75790989\""
        id         = "1082472:company"
        # (3 unchanged attributes hidden)
    }
  # module.app.module.repo.github_repository.repo has been changed
  ~ resource "github_repository" "repo" {
      + allow_auto_merge       = false
      ~ etag                   = "W/\"065b6b273d687dc0df54138d74ff4a6468935240b2bbc8a099b3b08385a74c68\"" -> "W/\"3bfb27712de48495abbcb9d9f428e80ef70459007100e9e28a8f9159bbe5aace\""
        id                     = "company"
        name                   = "company"
        # (25 unchanged attributes hidden)
    }

But just after the above, there was an actual drift detected, but it's buried in the noise of the above.

Having drift detection is a big step forward. Having usable drift detection will make the feature complete.

@apparentlymart
Contributor

Quite some time ago we changed the behavior to only show "Objects have changed outside of Terraform" entries if they describe a change to something that is also described in the "Terraform will perform the following actions" section, because that neatly achieves only the original goal (explaining why those changes are being proposed) while being quiet about it in any case where the changes outside of Terraform did not cause a proposed change (which includes when the proposed change has been suppressed using ignore_changes).

Therefore I think this is fixed as closely as it's going to be fixed, and so I'm going to close this issue. Instead of offering an option, Terraform just uses a better heuristic to avoid showing the message unless it appears to be relevant.

Thanks!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 29, 2024