hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: ignore_changes = [ebs_block_device] doesn't work for aws_instance #33850

Open kolard opened 1 year ago

kolard commented 1 year ago

Terraform Core Version

1.1-1.5

AWS Provider Version

5.20.0

Affected Resource(s)

aws_instance, aws_ebs_volume, aws_volume_attachment

Expected Behavior

When the field

  lifecycle {
    ignore_changes = [ebs_block_device]
  }

is added to the "aws_instance" configuration, "ebs_block_device" changes have to be skipped during the second terraform apply/plan run.

Actual Behavior

When I deploy an EC2 instance with additional EBS volume(s) (via aws_ebs_volume + aws_volume_attachment), the second terraform plan/apply adds ebs_block_device configuration for the EBS volumes to the EC2 instance. This breaks idempotency for our terraform module.

Relevant Error/Panic Output Snippet

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # aws_instance.ec2 has changed
  ~ resource "aws_instance" "ec2" {
***
      + ebs_block_device {
          + delete_on_termination = false
          + device_name           = "/dev/sdg"
          + encrypted             = true
          + iops                  = 100
          + throughput            = 0
          + volume_id             = "vol-***"
          + volume_size           = 50
          + volume_type           = "io2"
        }
***

Terraform Configuration Files

# --------------------
# EC2 INSTANCE
# --------------------
#tfsec:ignore:aws-ec2-enforce-http-token-imds
resource "aws_instance" "ec2" {
  ami                         = var.ami
  instance_type               = var.instance_type
  ebs_optimized               = var.ebs_optimized
  iam_instance_profile        = var.iam_instance_profile
  key_name                    = var.key_name
  subnet_id                   = var.subnet_id
  vpc_security_group_ids      = var.vpc_security_group_ids
  availability_zone           = var.availability_zone
  associate_public_ip_address = false
  private_ip                  = var.private_ip
  monitoring                  = var.monitoring
  tenancy                     = var.tenancy != "" ? lower(var.tenancy) : null # "host" can't be imported
  disable_api_termination     = var.disable_api_termination
  get_password_data           = var.get_password_data

  root_block_device {
    volume_type           = lower(var.root_volume_type)
    volume_size           = var.root_volume_size
    iops                  = var.root_iops
    delete_on_termination = var.root_delete_on_termination
    encrypted             = true
    kms_key_id            = local.kms_key_id

  }

  user_data = var.user_data
  tags      = merge({ "Name" = local.ec2_naming }, local.cloudname_tag)
  lifecycle {
    ignore_changes = [ebs_block_device]
  }
}

# --------------------
# EBS
# --------------------
resource "aws_ebs_volume" "ebs" {
  for_each             = var.ebs_block_device
  availability_zone    = aws_instance.ec2.availability_zone
  iops                 = try(each.value.iops, null)
  size                 = try(each.value.size, null)
  type                 = try(each.value.type, "")
  multi_attach_enabled = try(each.value.multi_attach_enabled, false)
  snapshot_id          = try(each.value.snapshot_id, "")
  outpost_arn          = try(each.value.outpost_arn, "")
  throughput           = try(each.value.throughput, null)
  encrypted            = true
  kms_key_id           = local.kms_key_id

}

# --------------------
# EBS Attachment
# --------------------
resource "aws_volume_attachment" "ebs_attachment" {
  for_each    = var.ebs_block_device
  device_name = try(each.value.device_name, "")
  volume_id   = aws_ebs_volume.ebs[each.key].id
  instance_id = aws_instance.ec2.id
}

Steps to Reproduce

Run terraform apply for the first time -> all resources will be created. Run terraform apply/plan a second time; tf will discover "new resources" and add them to the instance configuration.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
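An added example, not part of the issue or the provider: a small CI check that reads the JSON form of a second plan (`terraform plan -out=tfplan` followed by `terraform show -json tfplan`) and separates what Terraform merely reports as drift (`resource_drift`) from what it actually proposes to change (`resource_changes`), which is the distinction an idempotency test for a module like the one above needs. The embedded plan is a constructed sample modelled on the drift output in the report, with a placeholder volume id, and is written so drift is reported but no update is planned; whether the reporter's real plan proposed an update is not shown on the page.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, modelled on the
# drift shown in the issue (an ebs_block_device added outside Terraform).
# The volume id is a placeholder, not a real identifier.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_drift": [{
        "address": "aws_instance.ec2",
        "type": "aws_instance",
        "change": {
            "actions": ["update"],
            "before": {"ebs_block_device": []},
            "after": {"ebs_block_device": [{
                "device_name": "/dev/sdg", "volume_id": "vol-PLACEHOLDER",
                "volume_size": 50, "volume_type": "io2"}]},
        },
    }],
    # No-op here: ignore_changes suppressed the diff for this resource.
    "resource_changes": [{
        "address": "aws_instance.ec2",
        "type": "aws_instance",
        "change": {"actions": ["no-op"], "before": {}, "after": {}},
    }],
})


def drifted_attributes(plan_json: str, address: str) -> set:
    """Attributes of `address` whose before/after differ in resource_drift."""
    plan = json.loads(plan_json)
    drifted = set()
    for entry in plan.get("resource_drift", []):
        if entry["address"] != address:
            continue
        before = entry["change"].get("before") or {}
        after = entry["change"].get("after") or {}
        for key in set(before) | set(after):
            if before.get(key) != after.get(key):
                drifted.add(key)
    return drifted


def planned_actions(plan_json: str) -> dict:
    """Address -> actions for every resource the plan would actually touch.

    An empty result means the second plan is idempotent; reported drift alone
    (see drifted_attributes) does not change infrastructure.
    """
    plan = json.loads(plan_json)
    return {rc["address"]: rc["change"]["actions"]
            for rc in plan.get("resource_changes", [])
            if rc["change"]["actions"] != ["no-op"]}
```

Fail the pipeline when `planned_actions` is non-empty; log `drifted_attributes` separately so drift on `ebs_block_device` is visible without being mistaken for a planned change.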
