Problem
The terraform plan command output shows unexpected resource updates, creations, or replacements.
Cause
Planned changes can occur for several reasons, but they are nearly always avoidable with adjustments to the Terraform configuration. An unexpected plan indicates a difference between your configuration, the current state of your infrastructure, and Terraform's records.
Solutions
Review the following common causes and solutions to identify the source of the unexpected changes.
Solution 1: Resolve Unintended Dependencies
When a resource or data source references another, any planned change in the referenced resource will cause a planned change in the downstream resource.
In this example, example_resource.b explicitly depends on example_resource.a.
resource "example_resource" "a" {
  argument = "abc"
}

resource "example_resource" "b" {
  argument = example_resource.a.id
}

Dependencies can also be implicit. In the following example, module.b has an explicit depends_on meta-argument targeting module.a, which creates a dependency between the resources within them.
Directory structure:
.
├── modules
│   ├── a
│   │   └── a.tf
│   └── b
│       └── b.tf
└── main.tf
main.tf:
module "a" {
  source = "./modules/a"
}

module "b" {
  source     = "./modules/b"
  depends_on = [module.a]
}

modules/a/a.tf:
resource "example_resource" "a" {
  argument = "abc"
}

modules/b/b.tf:
data "example_datasource" "example" {
  argument = "xyz"
}

resource "example_resource" "b" {
  argument = data.example_datasource.example.output_value
}

Because of depends_on = [module.a], any changes to module.a.example_resource.a may cause unexpected planned changes to module.b.example_resource.b. To resolve this, refactor the configuration to remove the depends_on meta-argument from the module block. Refer to the Best Practice: depends_on Meta-Argument article for the recommended pattern.
Solution 2: Avoid Apply-Time Functions in Arguments
Functions like uuid() or timestamp() execute every time Terraform runs. When used in resource or data source arguments, they will always produce a planned change.
To resolve this, avoid using these functions directly in resource arguments where stability is required.
Solution 3: Correct Incompatible Resource Configurations
Using certain provider resources at the same time can cause unexpected changes to appear on every Terraform plan. Providers typically document these incompatibilities in a note within the resource documentation.
For example, the AWS provider documentation notes an incompatibility between the aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule resources when used with the aws_security_group_rule resource. You can find details in the provider documentation note on incompatible resources.
To resolve this, refactor your configuration to avoid using the incompatible resources in the same configuration.
Solution 4: Verify Provider Permissions
Some provider APIs return a 404 Not Found error instead of a 403 Forbidden error for unauthorized requests. If the credentials used by Terraform only allow CREATE but not READ permissions for a resource, Terraform can create the resource but cannot read it back to confirm its creation. This causes Terraform to plan to create the resource again on subsequent runs.
To resolve this, follow your provider's authentication documentation to configure the required permissions. You may need to import existing resources into the state file.
Solution 5: Detect and Reconcile External Changes
If a user or an external automated process modifies a resource managed by Terraform, Terraform will plan to modify the resource to match the configuration on its next run. Starting with Terraform v0.15.4, Terraform will notify you which resources have changed outside of its control.
To resolve this, review access controls to your infrastructure to prevent unplanned external changes.
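To narrow down which attributes drive a planned change, and which planned changes coincide with changes made outside Terraform, the JSON form of a saved plan (terraform show -json) can be triaged with a short script. This is an added example, not part of the original article or of Terraform; the function names are hypothetical and the sample plan is constructed, trimmed to the resource_changes and resource_drift keys it reads.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Addresses reuse the article's example names; all values are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
   {"address": "example_resource.a",
    "change": {"actions": ["update"],
               "before": {"id": "a-1", "tags": {"env": "dev"}},
               "after":  {"id": "a-1", "tags": {"env": "prod"}}}},
   {"address": "example_resource.b",
    "change": {"actions": ["delete", "create"],
               "before": {"id": "b-1", "argument": "a-1"},
               "after":  {"argument": "a-2"},
               "after_unknown": {"id": true}}},
   {"address": "example_resource.c",
    "change": {"actions": ["no-op"],
               "before": {"id": "c-1"}, "after": {"id": "c-1"}}}],
 "resource_drift": [
   {"address": "example_resource.a",
    "change": {"actions": ["update"],
               "before": {"id": "a-1", "tags": {"env": "prod"}},
               "after":  {"id": "a-1", "tags": {"env": "dev"}}}}]}
""")

def changed_keys(change):
    """Top-level attributes that differ or are only known after apply.
    Returns names only: plan JSON can hold sensitive values in clear text."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    unknown = change.get("after_unknown")
    unknown = unknown if isinstance(unknown, dict) else {}
    keys = set(before) | set(after) | set(unknown)
    return sorted(k for k in keys
                  if unknown.get(k) or before.get(k) != after.get(k))

def triage(plan):
    """Return (planned, drifted): address -> (actions, changed attributes)."""
    def collect(entries):
        return {e["address"]: ("+".join(e["change"]["actions"]),
                               changed_keys(e["change"]))
                for e in entries or []
                if e["change"]["actions"] not in (["no-op"], ["read"])}
    return collect(plan.get("resource_changes")), collect(plan.get("resource_drift"))

def reverts_drift(plan):
    """Addresses whose planned change coincides with an external change."""
    planned, drifted = triage(plan)
    return sorted(set(planned) & set(drifted))

if __name__ == "__main__":
    for label, found in zip(("planned", "drifted"), triage(SAMPLE_PLAN)):
        for address, (actions, keys) in found.items():
            print(label, address, actions, ", ".join(keys))
```

An address returned by reverts_drift points at Solution 5; a replacement whose only changed inputs come from another resource points at Solution 1.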
Solution 6: Manage Provider Version Changes
Provider releases can include breaking changes that may cause unexpected changes in the plan.
To resolve this, manage provider versions carefully. Refer to the Managing Provider Upgrades KB Article for more details. When upgrading a provider, always follow any documented upgrade guides, such as the AWS provider's Version 5 Upgrade Guide.
Additional Information
If none of the above solutions explain the unexpected change, there may be a defect in the Terraform provider. You can investigate or report potential issues on the provider's public source repository.