-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws_codepipeline with Github OAuth causing persistent changes #2854
Comments
The solution is to use the environment variable |
Even when I specify the |
I'm experiencing the same issue, but managed to work around it by adding the following to my # Workaround for Terraform insisting on "updating" OAuthToken every run. In
# the event that the OAuthToken actually needs to be updated, comment out
# the `lifecycle` block, run `terraform apply`, and then restore the block.
#
# https://github.com/terraform-providers/terraform-provider-aws/issues/2854
lifecycle {
ignore_changes = [
"stage.0.action.0.configuration.OAuthToken",
"stage.0.action.0.configuration.%",
]
} The GitHub token isn't likely to change often in my use case, so the inconvenience of having to remove & restore that It doesn't address the root cause, but hopefully someone else will find this workaround useful. EDIT (2019-05-09): See my updated workaround below if you're experiencing this problem with Terraform |
The solution proposed by @michaelmoussa is good, but it is not applicable when you are using the module which, in turn, creates the It is very inconvenient to change the source code of that module to comment/uncomment Another solution is to use conditional resources i.e. |
I had a look at the provider code and it seems that the
I suspect this has been done to not store secrets in state file. However, in other resources like I suggest we change this behaviour and store the token in the state file and keep the experience consistent across resource. Moreover, the |
On further debugging, I found that the |
@sunilkumarmohanty if that is the case, then let's just store the asterisk and move on. Who cares if it's not an absolute truth, as long as it stops breaking expectations. |
Update for This is still broken in You'll first see an error saying " The following approach will work in # Workaround for Terraform insisting on "updating" OAuthToken every run. This
# will prevent *any* updates to this CodePipeline resource while in place. In
# the event that any real updates are needed, comment out the `lifecycle`
# block, run `terraform apply`, and then restore the block.
#
# https://github.com/terraform-providers/terraform-provider-aws/issues/2854
# https://www.terraform.io/docs/configuration/resources.html#ignore_changes
lifecycle {
ignore_changes = all
} NOTE: You could technically use |
You can't do |
|
I am facing the same issue. Couldn't ignore just the OAuthToken. Does anyone know of a solution? |
This is ugly but adding this in the lifecycle section worked for me
|
I was able to get as far as: However, I couldn't figure out how to specifically ignore one attribute of Ignoring the entire configuration won't work for my use case. |
i arrived at this too and its the superior workaround. however, like the doc says, maps cant be made to ignore newly added keys so clearly the issue is that the read operation doesn't grab an empty or placeholder value for the token in the action configuration (which it obviously shouldnt be able to receive); instead it presents that key as missing |
@bflad @gdavison (please forward if someone else should be looking at the CodePipeline provider). In the worst case, a hash of the OAuthToken could be stored in the state file so that we can do change-detection without having to expose the actual secret. |
As @nl-brett-stime mentioned, if we could get the hashed password stored in the state file, it will allow to check for changes and also keep secrets secure(ish) - depends on the user to keep the state file private We're experiencing this issue on the Perhaps have it optional to store the hash |
Hi folks 👋 This should be resolved, or at least now have different behavior with #14175 which was just merged and released with version 3.0.0 of the Terraform AWS Provider. If you are still having issues after upgrading to this release, please open a new issue and the maintainers will take a fresh look. 👍 |
This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Terraform Version
Terraform v0.11.1
Terraform AWS Provider v1.6.0
Affected Resource(s)
Please list the resources as a list, for example:
aws_codepipeline
Terraform Configuration Files
Expected Behavior
Subsequent executions of
terraform apply
should not result in updates to the source attributes.Actual Behavior
Running
terraform plan
/terraform apply
always results in a change:And AWS is incapable of accessing Github, even though the token is valid, tested, and with the correct scopes.
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform plan
terraform apply
terraform apply
The text was updated successfully, but these errors were encountered: