Terraform continuously detecting changes to hidden link tags – HashiCorp Help Center

Problem

When managing Azure resources with Terraform, you may encounter a persistent plan difference for tags after the initial creation. Terraform continuously detects a hidden-link tag that Azure adds automatically, and since this tag is not in your configuration, Terraform proposes to remove it on every apply.

The plan output shows that Terraform intends to remove the tag:

# azurerm_application_insights_web_test.example will be updated in-place
~ resource "azurerm_application_insights_web_test" "example" {
    id   = "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP-NAME>/providers/Microsoft.Insights/webTests/tf-test-appinsights-webtest"
    name = "tf-test-appinsights-webtest"
    ~ tags = {
        - "hidden-link:/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP-NAME>/providers/Microsoft.Insights/components/tf-test-appinsights" = "Resource" -> null
      }
    # (11 unchanged attributes hidden)
  }

Plan: 0 to add, 1 to change, 0 to destroy.

Cause

Azure automatically adds a hidden-link tag to certain resources for its own integration and management purposes. Because this tag is added outside of Terraform's management and is not defined in the configuration file, Terraform's state does not match the real-world infrastructure. Consequently, Terraform generates a plan to remove the tag to align the resource with the configuration.

Solutions

There are two primary methods to resolve this issue.

Solution 1: Add the Hidden Tag to the Configuration

You can explicitly add the hidden-link tag to your resource configuration. This approach makes Terraform aware of the tag, ensuring that the configuration matches the expected state.

resource "azurerm_application_insights_web_test" "example" {
  name                    = "tf-test-appinsights-webtest"
  location                = azurerm_application_insights.example.location
  resource_group_name     = azurerm_resource_group.example.name
  application_insights_id = azurerm_application_insights.example.id

  tags = merge(var.tags, {
    "hidden-link:${azurerm_application_insights.example.id}" = "Resource"
  })
}

Solution 2: Ignore Changes to Tags

Alternatively, you can instruct Terraform to ignore any changes made to the tags attribute of the resource by using the ignore_changes lifecycle meta-argument. This tells Terraform not to report differences for this specific attribute, which is useful for values managed outside of Terraform.

resource "azurerm_application_insights_web_test" "example" {
  name                    = "tf-test-appinsights-webtest"
  location                = azurerm_application_insights.example.location
  resource_group_name     = azurerm_resource_group.example.name
  application_insights_id = azurerm_application_insights.example.id

  lifecycle {
    ignore_changes = [tags]
  }
}

Outcome

After applying one of the solutions, run terraform plan again. Terraform will no longer detect a difference in the tags, and the plan will report no changes are needed.

$ terraform plan

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Additional Information

For more context on this provider-specific behavior, see the related GitHub Issue.
To learn more about ignoring changes, refer to the lifecycle Meta-Argument Documentation.