Configure terraform to keep current value for an ELB property


Jon Evans

Jul 28, 2016, 12:30:45 PM7/28/16
to Terraform
I have an AWS ELB defined in terraform, but also have an external script set up to renew Letsencrypt certificates and install them into AWS Certificate Manager / the ELB.

The problem is that this external script changes the value of ssl_certificate_id for the https listener of the ELB. I'd like to be able to configure the aws_elb resource in terraform to set up the listener but leave the value of ssl_certificate_id untouched.

~ aws_elb.web
  [snip]
    listener.2944403602.ssl_certificate_id: "arn:aws:iam::*****:server-certificate/*****" => ""
  [snip]

Is there any meta syntax in terraform to tell it to leave a particular value unchanged during an update?

Cheers,

Jon

Danny Cosson

Jul 28, 2016, 1:37:27 PM7/28/16
to <terraform-tool@googlegroups.com>
The ignore changes metaparameter should work for this.

(Possibly a better solution - have you seen the AWS Certificate Manager? I believe it's free, the cert can be attached to an ELB and AWS handles renewing it automatically).

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/e18acc20-36e5-4856-bd1a-c830fbb87ff1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Danny

David Adams

Jul 28, 2016, 1:43:26 PM7/28/16
to terrafo...@googlegroups.com
You are looking for `lifecycle { ignore_changes = ["<attr-name>"] }` (see https://www.terraform.io/docs/configuration/resources.html).

However, I don't know how to specify a sub-sub attribute like a listener ssl-certificate-id. Possibly "listener[1].ssl_certificate_id"?

Also, beware that ignore_changes is sometimes a little flaky with dependent resources (or has been in past revisions), so always `plan` your changes and read the plan closely and be sure the "destroy" count at the bottom matches the rest of the report.


Jon Evans

Aug 1, 2016, 10:00:38 AM8/1/16
to Terraform
On Thursday, 28 July 2016 18:43:26 UTC+1, David Adams wrote:
> You are looking for `lifecycle { ignore_changes = ["<attr-name>"] }` (see https://www.terraform.io/docs/configuration/resources.html).

Thanks David,

> However, I don't know how to specify a sub-sub attribute like a listener ssl-certificate-id. Possibly "listener[1].ssl_certificate_id"?

I couldn’t work out the syntax either. I tried listener[1].ssl_certificate_id and listener.*.ssl_certificate_id (ignore all listener ssl_certificate_ids), the only one I could get to work was to use the actual id which I got from a previous 'terraform plan' run, i.e. listener.987654321.ssl_certificate_id.

Cheers,

Jon 
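To make the two replies above concrete, here is an added example (not code from the thread) of an `aws_elb` with the `lifecycle` block David points to, using the hashed listener path that Jon found to be the only form that worked. It is written in the Terraform 0.7-era syntax the thread uses; the resource and variable names, ports, and the listener index are placeholders:

```hcl
# Classic ELB whose HTTPS certificate is rotated by a script outside Terraform.
resource "aws_elb" "web" {
  name            = "web-elb"                         # placeholder name
  subnets         = ["${var.subnet_ids}"]             # assumed variable
  security_groups = ["${aws_security_group.elb.id}"]  # assumed resource

  listener {
    instance_port     = 8080
    instance_protocol = "http"
    lb_port           = 443
    lb_protocol       = "https"
    # Whatever is set here is the value Terraform converges to. Leaving it
    # empty is what produced the `"arn:..." => ""` diff in the question, so
    # seed it with the ARN that is live today; if ignore_changes is ever
    # dropped or misses, the worst case is reverting to a known cert rather
    # than removing TLS from the listener.
    ssl_certificate_id = "${var.initial_cert_arn}"    # assumed variable
  }

  listener {
    instance_port     = 8080
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  lifecycle {
    # The middle segment is the set-element index Terraform prints in
    # `terraform plan` (listener.2944403602.ssl_certificate_id in the
    # original plan output). 987654321 is the placeholder Jon used; copy
    # the value from your own plan rather than this one.
    ignore_changes = ["listener.987654321.ssl_certificate_id"]
  }
}
```

Run `terraform plan` first and copy the `listener.<index>.ssl_certificate_id` path it prints into `ignore_changes`, then plan again and confirm the `=> ""` line is gone and the resource counts at the bottom are what you expect, as David advises. Two caveats: the index is derived from the listener's attributes, so re-check it after editing that listener block; and once the attribute is ignored, Terraform will no longer report any change to that certificate, including one nobody intended, so the listener's certificate needs to be watched by something other than Terraform (for example, the renewal script verifying that the ARN it installed is still the one attached).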

Jon Evans

Aug 1, 2016, 10:02:26 AM8/1/16
to Terraform
Hi,


On Thursday, 28 July 2016 18:37:27 UTC+1, Danny Cosson wrote:
> The ignore changes metaparameter should work for this.

Thanks for that, I wasn’t aware of that parameter.

> (Possibly a better solution - have you seen the AWS Certificate Manager? I believe it's free, the cert can be attached to an ELB and AWS handles renewing it automatically).

Seen it and experimented with it, unfortunately we need something like 70 SANs on the certificate and AWS aren't prepared to increase the current limit of 10.

Cheers,

Jon

David Adams

Aug 1, 2016, 11:01:56 AM8/1/16
to terrafo...@googlegroups.com
Another way to handle it is to update the value of a variable with the certificate ID with some other process. We do this for ASG launch configurations. Our ASGs are managed with Terraform, but we update our launch configurations on a regular basis with another tool. And before ignore_changes was available (and since it can still be flaky sometimes), we set up a process by which each ASG config uses lookup() to select the correct launch config from a hash variable. The launch config lookup variable is stored in a file of its own, and then we have a script we run prior to doing a Terraform apply that rewrites that file with the correct current values. It's not pretty but it works.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
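David's alternative, as an added example (not code from the thread, again in Terraform 0.7-era syntax) applied to Jon's certificate case: the renewal script rewrites a small `.tfvars` file with the certificate ARN it just installed, and the ELB reads that value through `lookup()`, so Terraform always converges on what the script installed and no `ignore_changes` is needed. File names, the map key `web`, the `subnet_ids` variable and the ARN are constructed placeholders:

```hcl
# certs.tfvars -- regenerated by the renewal script before every plan/apply.
# Constructed content; the ARN is a placeholder.
ssl_certificate_ids = {
  web = "arn:aws:iam::123456789012:server-certificate/web-2016-08-01"
}

# variables.tf
variable "ssl_certificate_ids" {
  type        = "map"
  description = "Current certificate ARN per load balancer, keyed by ELB name"
}

# elb.tf
resource "aws_elb" "web" {
  name    = "web-elb"
  subnets = ["${var.subnet_ids}"]   # assumed variable

  listener {
    instance_port     = 8080
    instance_protocol = "http"
    lb_port           = 443
    lb_protocol       = "https"
    # The value is read from the file the script rewrites, so the
    # `"arn:..." => ""` diff that prompted the question never appears,
    # and Terraform still detects and corrects any cert it did not install.
    ssl_certificate_id = "${lookup(var.ssl_certificate_ids, "web")}"
  }

  listener {
    instance_port     = 8080
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }
}
```

Invoke as `terraform plan -var-file=certs.tfvars` and the same for `apply`. The failure mode to guard against is running Terraform without first regenerating the file: a stale `certs.tfvars` rolls the listener back to the previous certificate, so the wrapper that runs Terraform should regenerate the file itself, or refuse to run when the file is older than the last renewal.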