Introduction
Problem
A user may encounter Terraform continually detecting changes to an Azure resource's tags after creation. An example plan is shown below:

    # azurerm_application_insights_web_test.example will be updated in-place
    ~ resource "azurerm_application_insights_web_test" "example" {
          id = "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP-NAME>/providers/Microsoft.Insights/webTests/tf-test-appinsights-webtest"
          name = "tf-test-appinsights-webtest"
        ~ tags = {
            - "hidden-link:/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP-NAME>/providers/Microsoft.Insights/components/tf-test-appinsights" = "Resource" -> null
          }
          # (11 unchanged attributes hidden)
      }

    Plan: 0 to add, 1 to change, 0 to destroy.
Cause
Terraform is detecting a change to the resource's tags because Azure has implemented a hidden-link tag on certain resources for integration purposes. This tag is not created through Terraform and is not in the configuration, so Terraform will continue to try to remove it on each future apply.
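To confirm that a pending update comes only from the hidden-link tag before choosing a fix, the JSON form of the plan (terraform show -json <planfile>) can be checked mechanically. The following is an added example, not part of the original article; the function names, the sample plan and the IDs in it are constructed for illustration.

```python
import json

HIDDEN_PREFIX = "hidden-link:"
# Constructed ID for the sample data (not a real subscription).
AI_ID = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Insights/components/tf-test-appinsights"

def _res(address, before_tags, after_tags):
    """Build one constructed resource_changes entry (in-place update)."""
    return {"address": address,
            "change": {"actions": ["update"],
                       "before": {"name": "x", "tags": before_tags},
                       "after": {"name": "x", "tags": after_tags}}}

# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _res("azurerm_application_insights_web_test.example",
         {HIDDEN_PREFIX + AI_ID: "Resource"}, {}),
    _res("azurerm_application_insights_web_test.mixed",
         {HIDDEN_PREFIX + AI_ID: "Resource", "owner": "team-a"}, {"owner": "team-b"}),
]})

def _diff_keys(before, after):
    """Keys whose values differ between two maps (None treated as empty)."""
    before, after = before or {}, after or {}
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}

def classify_updates(plan_json):
    """Label each in-place update 'hidden-link-only' or 'other-drift'."""
    labels = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if change["actions"] != ["update"]:
            continue  # creates, deletes and no-ops are out of scope here
        before, after = change.get("before") or {}, change.get("after") or {}
        after_tags = after.get("tags") or {}
        tag_keys = _diff_keys(before.get("tags"), after_tags)
        # Benign only if tags is the sole changed attribute and every changed
        # tag is a hidden-link tag that Terraform plans to remove.
        benign = (_diff_keys(before, after) == {"tags"} and bool(tag_keys)
                  and all(k.startswith(HIDDEN_PREFIX) and k not in after_tags
                          for k in tag_keys))
        labels[rc["address"]] = "hidden-link-only" if benign else "other-drift"
    return labels

if __name__ == "__main__":
    for address, label in classify_updates(SAMPLE_PLAN).items():
        print(f"{label:17} {address}")
```

A resource labelled other-drift has tag or attribute changes beyond the hidden-link tag and should be reviewed before its tags are excluded from drift detection.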
Overview of possible solutions
Solutions:
1. Add the hidden-link tag to the configuration

    resource "azurerm_application_insights_web_test" "example" {
      name                    = "tf-test-appinsights-webtest"
      location                = azurerm_application_insights.example.location
      resource_group_name     = azurerm_resource_group.example.name
      application_insights_id = azurerm_application_insights.example.id
      # ... remaining required arguments omitted ...

      # Declare the tag Azure adds so the configuration matches the real resource.
      tags = merge(var.tags, {
        "hidden-link:${azurerm_application_insights.example.id}" = "Resource"
      })
    }

2. Use the ignore_changes lifecycle block

    resource "azurerm_application_insights_web_test" "example" {
      name                    = "tf-test-appinsights-webtest"
      location                = azurerm_application_insights.example.location
      resource_group_name     = azurerm_resource_group.example.name
      application_insights_id = azurerm_application_insights.example.id
      # ... remaining required arguments omitted ...

      lifecycle {
        # Ignores every change to tags on this resource, not only the hidden-link tag.
        ignore_changes = [tags]
      }
    }

Outcome:
Once the configuration has been updated to use one of the solutions above, run an apply and validate no changes are detected.
No Changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
Apply complete! Resources: 0 added, 0 changed, 0 destroyed