Prevent terraform from recreating aws access keys


Mir Ammar Ahmed Irshad

May 21, 2019, 11:55:14 AM
to Terraform
Hi

Is it possible to prevent Terraform from updating the AWS access keys if an IAM user has permission to change their keys themselves?

I am having issues every time a user changes a key from the AWS console: when I run terraform plan to apply other changes, the plan shows that it will create the keys for the same user.

Thanks,
Ammar

David Adams

May 21, 2019, 11:59:07 AM
to terrafo...@googlegroups.com
We have found it's better not to manage our IAM users, and definitely not their access keys, with Terraform, precisely because of this sort of thing. Unless you need to feed the access key and secret to other TF resources, we have found there's little to no benefit to attempting to manage them with Terraform, especially for IAM users that are intended for use by humans. YMMV.


Fernando Miguel

May 21, 2019, 12:38:03 PM
to terrafo...@googlegroups.com
Add an ignore changes block to it
Or terraform rm it

--
Fernando Miguel


Chamila de Alwis

May 21, 2019, 6:02:45 PM
to terrafo...@googlegroups.com
Agree with David above. This is Terraform just doing its job IMO.

If there's a need to manage IAM keys with Terraform, then ideally they shouldn't be changed through manual means. On the other hand, the credentials that Terraform should work with should not be created by Terraform itself. They should be created and provided to Terraform as input. This would make policy-based restriction so much simpler than making Terraform code figure that out.

Regards,
Chamila de Alwis
Committer and PMC Member - Apache Stratos
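
The split David and Chamila describe, as an added example that is not part of the thread: Terraform manages the IAM user and a policy that lets the user rotate their own keys, and declares no `aws_iam_access_key`, so a console rotation never shows up in a plan. The user name, policy name and resource labels are hypothetical, and the syntax assumes Terraform 0.12 or later.

```hcl
# Added example; "alice" and "self-manage-access-keys" are hypothetical names.

# Terraform owns the user object itself.
resource "aws_iam_user" "human" {
  name = "alice"
}

# Each user may create, list, disable and delete only their own access keys.
data "aws_iam_policy_document" "self_manage_keys" {
  statement {
    sid    = "ManageOwnAccessKeys"
    effect = "Allow"

    actions = [
      "iam:CreateAccessKey",
      "iam:DeleteAccessKey",
      "iam:ListAccessKeys",
      "iam:UpdateAccessKey",
    ]

    # "&{aws:username}" is this data source's notation for the IAM policy
    # variable ${aws:username}; it avoids clashing with HCL interpolation.
    resources = ["arn:aws:iam::*:user/&{aws:username}"]
  }
}

resource "aws_iam_user_policy" "self_manage_keys" {
  name   = "self-manage-access-keys"
  user   = aws_iam_user.human.name
  policy = data.aws_iam_policy_document.self_manage_keys.json
}

# Deliberately no aws_iam_access_key resource: the key's lifecycle belongs to
# the user, and the secret never lands in Terraform state.
#
# If a key is already tracked in state, deleting its resource block would make
# the next apply delete the key in AWS. Dropping it from state first avoids
# that (the resource address below is hypothetical):
#
#   terraform state rm aws_iam_access_key.human
```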
