-
Notifications
You must be signed in to change notification settings - Fork 9.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a no_store meta-parameter #15797
Conversation
This partially addresses hashicorp#516. no_store is like ignore_changes but stronger. A no_store attribute isn't stored in the state file at all. Existing end users and providers shouldn't be relying on ignore_changes attributes being stored in the state file, so in principle this could be implemented without creating a new parameter. However, that wouldn't leave any migration path for anything affected by a significant change in behaviour. The new parameter has a name that better reflects its more general usage. This PR deprecates ignore_changes. no_store has been implemented with the assumption that the ignore_changes code will eventually be deleted. Because "not storing in state" is a functional requirement and not just an implementation detail, a check for this was added to the end-to-end test.
Hi @sarneaud! Thanks for working on this. It sounds like the use-case you have in mind here is to tell Terraform that although a resource exports a particular attribute, you have no use for it and would thus prefer that Terraform did not retain the record of it. For something this deep in core we generally prefer to have a design discussion before jumping to implementation, since experience tells us that changes to big assumptions like this often have knock-on effects on other parts of Terraform. So with that said, I have some design questions I'd like to dig into before we dive into discussing the code itself:
That's all the thoughts I have to start. Thanks again for working on this, and sorry for the barrage of questions; I just want to make sure that the interactions with existing subsystems are explored and that we can minimize weird edge-cases that may cause problems for users of this feature. |
Don't worry. I'm okay with reworking the PR, but I really wanted to push towards some kind of solution. (I originally raised this in a comment in #516.)
Here are some use cases for I'm currently working at a site that's generating AWS RDS instances with Terraform. The DB password is required for creation, but we don't want the password to be in the state file. As a kludge, the password is set based on The Hashicorp Vault integration is really handy, except that any secrets managed with Terraform end up copied to the state file. This is a similar scenario to the RDS password problem. |
I'd argue without this kind of parameter the Vault providers data source for generic secrets almost feels pointless. We are already limiting what we manage in Vault with Terraform because I almost don't see the point in using it if we have another system that just leaks everything out somewhere else. If we have some way of telling Terraform to not store values it retrieves, we at least can still use Vault as a datasource for secrets to pull at Terraform run and just place them in Vault out of band. |
One option for dealing with issues of provider support is for providers to specify which attributes can be |
Hi folks! I am working on addressing some older PRs - sorry for the long silence here! Based on Martin's request for a larger design conversation, and the fact that this PR touches a lot of code that's changed greatly since terraform 0.12 has released, I am going to close this PR. I encourage anyone interested in this feature to add a 👍 to #516 (or continue the conversation if you have new ideas to share). Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
This partially addresses #516
no_store is like ignore_changes but stronger. A no_store attribute
isn't stored in the state file at all.
Existing end users and providers shouldn't be relying on ignore_changes
attributes being stored in the state file, so in principle this could be
implemented without creating a new parameter. However, that wouldn't
leave any migration path for anything affected by a significant change
in behaviour. The new parameter has a name that better reflects its
more general usage.
This PR deprecates ignore_changes. no_store has been implemented with
the assumption that the ignore_changes code will eventually be deleted.
Because "not storing in state" is a functional requirement and not just
an implementation detail, a check for this was added to the end-to-end
test.