fix(ssm): ignore_changes for insecure_value/version on github_app SSM params#5114
Closed
johnezell wants to merge 1 commit into github-aws-runners:main from
Conversation
… params The AWS provider exposes `insecure_value` as a computed/optional attribute on aws_ssm_parameter and surfaces a "+ insecure_value = (known after apply)" diff on every plan for SecureString params (the API never returns it). The provider also recomputes `version` to "(known after apply)" each plan. Result: every consumer of this module sees three perpetual no-op drift items in plan output for github_app_id, github_app_key_base64, and github_app_webhook_secret. Apply does nothing; the diff returns next plan. Adding lifecycle.ignore_changes = [insecure_value, version] silences this without affecting actual secret rotation (changing `value` still triggers an update; the SecureString is still encrypted with the configured KMS key).
Problem
Every consumer of the ssm submodule sees perpetual no-op drift in terraform plan for the three github_app SSM parameters:

Same for github_app_key_base64 and github_app_webhook_secret. The diff appears every plan, the apply does nothing meaningful, and the diff returns next plan.

Why this happens
- The aws_ssm_parameter resource in the AWS provider exposes insecure_value as a computed/optional attribute (it's the plaintext alternative to value, mutually exclusive). For SecureString params the API never returns it, so the provider perpetually wants to "set" it to known-after-apply.
- version is recomputed each plan even when nothing changed.

The result is harmless but noisy — three lines of perpetual drift on every plan for every consumer of this module.

Fix
Add lifecycle { ignore_changes = [insecure_value, version] } to the three SSM parameter resources in modules/ssm/ssm.tf. This silences the no-op drift without affecting:
- Secret rotation: changing var.github_app.id / .key_base64 / .webhook_secret still updates value, which still triggers an update.
- key_id (KMS key) is unchanged.
- count = var.github_app.X_ssm != null ? 0 : 1 is unaffected.

Verification
Tested on a downstream consumer using this module at 5.16.3. Before the patch: 3 SSM parameter changes appear on every plan. After applying the patch (locally pinned), those changes are absent.

Notes
- Did not run pre-commit run --all-files or the lambda test suite for this PR since the change is isolated to a single .tf file with no logic changes; happy to run them if requested.

🤖 Generated with Claude Code
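The resource shape the Fix section describes, written out for one of the three parameters as an added example (this is not the module's own modules/ssm/ssm.tf); the variable names var.path_prefix and var.kms_key_arn and the `id_ssm` object shape are assumptions:

```hcl
# Added example, not the module's own ssm.tf. Shows the github_app_id
# SSM parameter with the lifecycle block the PR adds.
# Assumed names: var.github_app.id / var.github_app.id_ssm (following the
# page's `X_ssm` pattern), var.path_prefix and var.kms_key_arn.

variable "github_app" {
  type = object({
    id     = optional(string)
    id_ssm = optional(object({ arn = string, name = string }))
  })
}

variable "path_prefix" { type = string } # assumed, e.g. "/github-action/runners"
variable "kms_key_arn" { type = string } # assumed; the SecureString is encrypted with this key

resource "aws_ssm_parameter" "github_app_id" {
  # Only created when the caller did not supply an existing parameter;
  # this count expression is unchanged by the fix.
  count = var.github_app.id_ssm != null ? 0 : 1

  name   = "${var.path_prefix}/github_app_id"
  type   = "SecureString"
  value  = var.github_app.id
  key_id = var.kms_key_arn

  lifecycle {
    # The API never returns `insecure_value` for a SecureString and
    # `version` is recomputed on every plan, so both render as
    # "(known after apply)" each run. Ignoring them drops the no-op
    # diff only: `value`, `type` and `key_id` are still compared, so
    # rotating the secret or changing the KMS key still plans an update.
    ignore_changes = [insecure_value, version]
  }
}
```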