Terraform ignore_changes lifecycle to avoid re-creation
Dec 4, 2020
If you create an aws_directory_service_directory and later change its password parameter, Terraform will destroy and re-create the AD resource.
provider "aws" {
  region = "us-west-2"
}

resource "random_password" "mypassword" {
  length           = 20
  special          = true
  override_special = "_$%"
  min_special      = 1
}

resource "aws_directory_service_directory" "mysimplead" {
  name        = "test.simplead"
  type        = "SimpleAD"
  description = "my simple AD"
  password    = random_password.mypassword.result
  alias       = "mysimple"
  size        = "Small"

  vpc_settings {
    vpc_id     = "vpc-005d9xyz2658a45"
    subnet_ids = ["subnet-015fcx166c80407", "subnet-0d0f1x6d5919b8"]
  }
}
I just edited the mypassword values, then ran terraform apply:
  # aws_directory_service_directory.mysimplead must be replaced
-/+ resource "aws_directory_service_directory" "mysimplead" {
      ~ access_url = "mysimple.awsapps.com" -> (known after apply)
        alias = "mysimple"

  # random_password.mypassword must be replaced
-/+ resource "random_password" "mypassword" {
      ~ id = "none" -> (known after apply)
      ~ length = 20 -> 15 # forces replacement
        lower = true
        min_lower = 0
        min_numeric = 0
        min_special = 1
        min_upper = 0
        number = true
        override_special = "_$%"
      ~ result = (sensitive value)
        special = true
        upper = true
    }

Plan: 2 to add, 0 to change, 2 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_directory_service_directory.mysimplead: Destroying... [id=d-92670bef7d]
aws_directory_service_directory.mysimplead: Still destroying... [id=d-92670bef7d, 10s elapsed]
aws_directory_service_directory.mysimplead: Still destroying... [id=d-92670bef7d, 20s elapsed]
aws_directory_service_directory.mysimplead: Still destroying... [id=d-92670bef7d, 30s elapsed]
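To avoid deletion on password change, add the following lifecycle block to the aws_directory_service_directory resource. Terraform then ignores later changes to password, so the directory keeps the password it was created with and any rotation has to happen outside Terraform: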
  lifecycle {
    ignore_changes = [password]
  }
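A pre-apply check for the replacement shown in the plan above, as an added example that is not from the original post: it reads the JSON form of a saved plan (terraform show -json) and reports any aws_directory_service_directory that would be destroyed or replaced. PROTECTED_TYPES, the function names and both sample plans are constructed assumptions.

```python
import json
import sys

# Assumption: resource types whose destruction means data loss; extend as needed.
PROTECTED_TYPES = {"aws_directory_service_directory"}


def destructive_changes(plan_json, protected=PROTECTED_TYPES):
    """Return (address, kind, attribute paths) for protected resources that the
    plan would delete, either outright or as part of a replacement."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if rc.get("type") not in protected or "delete" not in actions:
            continue
        kind = "replace" if "create" in actions else "destroy"
        # replace_paths lists the attributes that forced the replacement.
        paths = [".".join(map(str, p)) for p in change.get("replace_paths") or []]
        findings.append((rc["address"], kind, paths))
    return findings


def _change(address, actions, replace_paths=None):
    # Builds one constructed resource_changes entry for the samples below.
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": actions, "replace_paths": replace_paths or []}}


# Constructed samples shaped like `terraform show -json <planfile>` output.
# WITHOUT_IGNORE mirrors the plan on this page; WITH_IGNORE is the same edit
# once ignore_changes = [password] is set on the directory.
WITHOUT_IGNORE = json.dumps({"resource_changes": [
    _change("random_password.mypassword", ["delete", "create"], [["length"]]),
    _change("aws_directory_service_directory.mysimplead",
            ["delete", "create"], [["password"]]),
]})
WITH_IGNORE = json.dumps({"resource_changes": [
    _change("random_password.mypassword", ["delete", "create"], [["length"]]),
    _change("aws_directory_service_directory.mysimplead", ["no-op"]),
]})

if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python plan_guard.py
    plan = sys.stdin.read() if not sys.stdin.isatty() else WITHOUT_IGNORE
    hits = destructive_changes(plan)
    for address, kind, paths in hits:
        print(f"BLOCKED {kind}: {address} (forced by: {', '.join(paths) or 'n/a'})")
    sys.exit(1 if hits else 0)
```

Run in CI between terraform plan -out and terraform apply, a non-zero exit stops the pipeline before the directory is destroyed.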
Ismail YENIGUL
Devops Engineer