`terraform import` does not respect `ignore_changes`

[rquadling]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

$ terraform -v
Terraform v1.0.1
on darwin_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v2.21.0
+ provider registry.terraform.io/hashicorp/aws v3.44.0
+ provider registry.terraform.io/hashicorp/external v2.1.0
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0

Your version of Terraform is out of date! The latest version
is 1.0.3. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

• aws_ssm_parameter But I suspect any resource with an ignore_changes entry in the lifecycle block would experience the same issue.

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_ssm_parameter" "PrivateKey" {
  name        = "/PRIVATE/KEY"
  description = "A private key whose value should not be present in the repo or TFstate."
  type        = "String"
  value       = ""

  lifecycle {
    ignore_changes = [value]
  }
}

Debug Output

Panic Output

Expected Behavior

Output whatever the assigned default is in the .tf file, which in this example should be:

""

Actual Behavior

The value outputted by terraform show (after terraform import) is the value I had manually assigned to the Parameter Store entry and was expecting to never see in the tfstate.

"dummy"

Steps to Reproduce

As this relates to terraform import and then terraform show, you'll need a pre-existing SSM Parameter Store entry. For the issue I'm reporting, I've created one called /PRIVATE/KEY with a value of dummy.

When executing:

terraform import --var-file terraform.tfvars 'aws_ssm_parameter.parameter["PrivateKey"]' '/PRIVATE/KEY'
terraform show | jq '.values.root_module.resources[] | select(.address  | contains("PrivateKey")).values.value'

the output should be something other than the value in the SSM Parameter Store. As I've said in the .tf file, the value is "", then that would be what I would expect to see in the output of the terraform show command.

Important Factoids

References

• 2570 mentions this issue (different resources but fundamentally the same issue)

[github-actions[bot]]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.