AWS OpsWorks custom_cookbooks_source ssh_key keeps reapplying

[lancehudson]

I have

resource "aws_opsworks_stack" "main" {
    name = "thing"
    region = "${var.AWS_REGION}"
    service_role_arn = "${aws_iam_role.opsworks.arn}"
    default_instance_profile_arn = "${aws_iam_instance_profile.opsworks.arn}"
    berkshelf_version = "3.2.0"
    color = "rgb(186, 65, 50)"
    configuration_manager_name = "Chef"
    configuration_manager_version = "11.10"
    custom_cookbooks_source = {
      type = "git"
      url = "[email protected]:lancehudson/cookbooks.git"
      ssh_key = "*****FILTERED*****"
      /*ssh_key =  <<EOF
-----BEGIN RSA PRIVATE KEY-----
HA
-----END RSA PRIVATE KEY-----
EOF*/
      revision = "master"
    }
    default_os = "Amazon Linux 2015.09"
    default_root_device_type = "ebs"
    default_ssh_key_name = "${aws_key_pair.test.key_name}"
    default_subnet_id = "${aws_subnet.private_a.id}"
    hostname_theme = "Greek_Deities_and_Titans"
    manage_berkshelf = true
    use_custom_cookbooks = true
    use_opsworks_security_groups = false
    vpc_id = "${aws_vpc.main.id}"
    custom_json = "${file("opsworks.json")}"
    # TODO: Not Implemented Yet
    #agent_version = "LATEST"
}

Once the stack is created the key is correct and everything is fine. On subsequent runs it updates the key again. The state file lists the key as "****FILTERED****". I'm not sure there is a good way to tell when to and when not to update this. But I'm hoping there is an option other than updating every single time.

[apparentlymart]

In the OpsWorks API there are a number of "write-only" attributes that return garbage like that on read. The Terraform support is supposed to skip these on Read, as is done for the the write-only attributes on layers.

I missed this one in the docs when I was implementing. I think the fix could be as simple as removing the code that assigns this, but I'm not near my Terraform dev environment to test this right now. I'll take a look when I get a chance, unless someone else feels like attacking it in the mean time.

[lancehudson]

You can't just remove the setter. The write-only support has not been added to opsworks-stack, only classes that inherit from opsworks-layers. (Which puts it slightly beyond my midnight go coding abilities)

[apparentlymart]

"Write-only" is a concept that was invented just for those attributes, to enable code sharing between all of the layers. Since there's only one "stack" resource type, such generalization shouldn't be needed there. All that write-only flag does is cause the value to be skipped during Read, which is why I expected that removing the equivalent thing in the layer implementation would work.

I'll try to dig in some more during the week.

[lancehudson]

Ahh, I'll try some more this week then, assuming I can find time. What I saw after removing those lines was it trying to set it anyhow, but the state file having no setting for that item.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.