Fix handling of ignore_changes #26387
Conversation
jbardin
force-pushed
the
jbardin/ignore-changes-2
branch
from
29e5843 to
f5f8951
Compare
Codecov Report
|
| @@ -563,32 +555,32 @@ func (n *EvalDiff) Eval(ctx EvalContext) (interface{}, error) { | |||
| return nil, nil | |||
| } | |||
|
|
|||
| func (n *EvalDiff) processIgnoreChanges(prior, proposed cty.Value) (cty.Value, tfdiags.Diagnostics) { | |||
| func (n *EvalDiff) processIgnoreChanges(prior, config cty.Value) (cty.Value, tfdiags.Diagnostics) { | |||
There was a problem hiding this comment.
I extra-approve this part, thank you ❤️
|
I've confirmed that the primary use case for providers using There are 2 cases in the normal plan+apply cycle which need to be covered to allow this type of drift:
One hypothetical case where this would cause additional errors is when the provider is altering the plan itself (which would be done through Since the errors in the typical cases above could only be generated during apply, and existing providers are exempt from these errors, we should be able to update the internal behavior while also giving providers time find solutions to handling fields. |
ignore_changes should only exclude changes to the resource arguments, and not alter the returned value from PlanResourceChange. This would effect very few providers, since most current providers don't actively create their plan, and those that do should be generating computed values here rather than modifying existing ones.
This ensures the mock provider behaves like the shimmed legacy SDK providers.
In order to ensure all the starting values agree, and since ignore_changes is only meant to apply to the configuration, we need to process the ignore_changes values on the config itself rather than the proposed value. This ensures the proposed new value and the config value seen by providers are coordinated, and still allows us to use the rules laid out by objchange.AssertPlanValid to compare the result to the configuration.
Ensure that ignore_changes only refers to arguments set in the configuration.
When replacing an instance, we have to be sure to use the original configuration which hasn't been processed with ignore_changes.
jbardin
force-pushed
the
jbardin/ignore-changes-2
branch
from
f5f8951 to
a8981a9
Compare
See this for more details - hashicorp/terraform#26387
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked as resolved and limited conversation to collaborators
Ignore changes was intended to only ignore changes happening within the configuration, and should not be applied to values set by the provider. We were previously re-applying this to the planned value for compatibility, but intended to remove the patch in a major release version.
It also turned out that we should have been applying
ignore_changesdirectly to the configuration, rather than the proposed value created for the plan. Doing this ensures that the configuration used for comparison internally, the proposed value, and the configuration passed to the provider all show the same starting data minus the ignored changes. Without this change, because providers are required to create their plan based on the proposed value,AssertPlanValidwould always show errors when comparing the planned value against the config, though they are currently only reported as warnings for legacy providers.While there still are many documented cases in the providers' docs,
ignore_changesis not something that providers can use to prevent changes to their configured values. In future versions of providers that are no longer in the legacy protocol exception, altering configuration values will be a hard error, so future providers cannot intentionally cause "drift" to configured values, andignore_changeswould not be useful in that configuration in the first place.This PR also adds some basic validation to the
ignore_changesargument, preventing users from setting references to arguments not set in the configuration, which prevents the case of mistakingly trying to ignore changes to computed values.The following configuration for example will result in the error below: