Consider a Terraform resource with the ignore_changes lifecycle rule applied to the tags attribute. What happens when you manually update the tags of this resource outside Terraform and then run terraform apply?
resource "aws_instance" "example" { ami = "ami-123456" instance_type = "t2.micro" tags = { Environment = "dev" } lifecycle { ignore_changes = ["tags"] } }
Think about what ignore_changes means for attributes changed outside Terraform.
The ignore_changes lifecycle rule tells Terraform to ignore changes to specified attributes made outside Terraform. So manual changes to tags will not be overwritten during terraform apply.
Which of the following Terraform resource lifecycle blocks correctly uses ignore_changes to ignore changes to the metadata and labels attributes?
Remember how lists of strings are written in Terraform HCL.
The ignore_changes attribute expects a list of strings, so the attribute names must be quoted and enclosed in square brackets.
You manage multiple environments (dev, staging, prod) with Terraform. You want to allow manual changes to the description attribute of a resource in the dev environment only, without Terraform overwriting it on apply. How should you configure ignore_changes to achieve this?
variable "environment" { type = string } resource "aws_s3_bucket" "example" { bucket = "my-bucket-${var.environment}" description = "Managed by Terraform" lifecycle { ignore_changes = var.environment == "dev" ? ["description"] : [] } }
Think about how to conditionally apply lifecycle rules based on variables.
Using a conditional expression in ignore_changes allows ignoring changes only in the dev environment, while other environments remain fully managed by Terraform.
What is a potential security risk when using ignore_changes on sensitive attributes like password or access_key in Terraform resources?
Consider what happens if Terraform ignores changes to secrets made outside its control.
Using ignore_changes on sensitive attributes means manual changes outside Terraform are not detected or reverted, which can lead to security drift and unmanaged secrets.
You have a resource with a nested attribute settings.network. You want Terraform to ignore changes only to the network nested block but still manage other parts of settings. Which ignore_changes configuration is correct?
resource "example_resource" "test" { settings = { network = { cidr_block = "10.0.0.0/16" dns = "8.8.8.8" } logging = true } lifecycle { ignore_changes = ["settings.network"] } }
Think about how Terraform references nested blocks in ignore_changes.
Using "settings.network" tells Terraform to ignore changes to the entire nested network block but still manage other parts of settings. Ignoring settings would ignore all nested attributes.