I am trying to create an aws_cloudfront_public_key resource in Terraform using the code below:

    resource "aws_cloudfront_public_key" "key" {
      name        = "my-cf-pubkey"
      encoded_key = file("${path.module}/abcd.pem")
    }

The first time terraform apply is executed, the resource is created successfully. But every terraform apply after that tries to recreate aws_cloudfront_public_key, i.e. it gets destroyed and recreated even if the public key has not changed, which is wrong behaviour.
How can I overcome this issue?
Plan output is:

      # aws_cloudfront_public_key.documents-signing-key must be replaced
    -/+ resource "aws_cloudfront_public_key" "documents-signing-key" {
          ~ caller_reference = "terraform-20221218060345896500000002" -> (known after apply)
          ~ encoded_key = <<-EOT # forces replacement
                -----BEGIN PUBLIC KEY-----
                -----END PUBLIC KEY-----
            EOT
          ~ etag = "E1PKWHEWOCNZS4" -> (known after apply)
          ~ id = "K15GFD3XARNT0X" -> (known after apply)
            name = "my-cf-pubkey"
            name_prefix = (known after apply)
            # (1 unchanged attribute hidden)
        }

CodePudding user response:
You can try using a lifecycle block to prevent Terraform from attempting to recreate the resource again, as shown below:

    resource "aws_cloudfront_public_key" "key" {
      name        = "my-cf-pubkey"
      encoded_key = file("${path.module}/abcd.pem")

      lifecycle {
        create_before_destroy = true
      }
    }

Let me know if this will help you.
CodePudding user response:
If the encoded_key attribute of your resource is not changing between Terraform runs, then you can use the ignore_changes attribute to tell Terraform to not attempt to check for changes.
For example:

    resource "aws_cloudfront_public_key" "key" {
      name        = "my-cf-pubkey"
      encoded_key = file("${path.module}/abcd.pem")

      # ignore_changes is only valid inside a lifecycle block
      lifecycle {
        ignore_changes = [encoded_key]
      }
    }

@JatinPanchal
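
An added check, not part of the original thread: before suppressing the diff, it helps to know whether the planned replacement reflects a real key change or only PEM formatting. The sketch below reads the JSON form of a saved plan (as produced by `terraform show -json <planfile>`) and compares the base64 payload of `encoded_key` before and after. The names `pem_body`, `classify_key_replacements` and `SAMPLE_PLAN` are hypothetical, and the sample plan is constructed with placeholder key bytes.

```python
import json

RESOURCE_TYPE = "aws_cloudfront_public_key"

def pem_body(pem):
    """Return the base64 payload of a PEM block, ignoring armor lines and whitespace."""
    if pem is None:
        return None
    lines = [ln.strip() for ln in pem.replace("\r", "").split("\n")]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def classify_key_replacements(plan):
    """Map each replaced CloudFront public key address to a verdict string."""
    verdicts = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if rc.get("type") != RESOURCE_TYPE:
            continue
        # A replacement is delete+create (either order, depending on lifecycle).
        if "delete" not in actions or "create" not in actions:
            continue
        before = (change.get("before") or {}).get("encoded_key")
        after = (change.get("after") or {}).get("encoded_key")
        if before == after:
            verdicts[rc["address"]] = "replaced-for-other-reason"
        elif pem_body(before) == pem_body(after):
            verdicts[rc["address"]] = "formatting-only"
        else:
            verdicts[rc["address"]] = "key-material-changed"
    return verdicts

# Constructed sample input: placeholder payloads, not real keys.
_OLD = "-----BEGIN PUBLIC KEY-----\nQUJDREVG\nR0hJSktM\n-----END PUBLIC KEY-----\n"
_CRLF = "-----BEGIN PUBLIC KEY-----\r\nQUJDREVG\r\nR0hJSktM\r\n-----END PUBLIC KEY-----"
_NEW = "-----BEGIN PUBLIC KEY-----\nWFlaMDEy\n-----END PUBLIC KEY-----\n"
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_cloudfront_public_key.key", "type": RESOURCE_TYPE,
     "change": {"actions": ["delete", "create"],
                "before": {"encoded_key": _OLD}, "after": {"encoded_key": _CRLF}}},
    {"address": "aws_cloudfront_public_key.rotated", "type": RESOURCE_TYPE,
     "change": {"actions": ["create", "delete"],
                "before": {"encoded_key": _OLD}, "after": {"encoded_key": _NEW}}},
    {"address": "aws_cloudfront_public_key.renamed", "type": RESOURCE_TYPE,
     "change": {"actions": ["update"],
                "before": {"encoded_key": _OLD}, "after": {"encoded_key": _OLD}}},
]}

if __name__ == "__main__":
    print(json.dumps(classify_key_replacements(SAMPLE_PLAN), indent=2))
```

A "formatting-only" verdict means the key bytes are identical and only line endings or trailing whitespace differ; "key-material-changed" is a real rotation that `ignore_changes` would hide.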