Tags: amazon-web-services, jdbc, terraform, aws-glue, aws-glue-connection

Terraform glue connection that avoids overwriting connection_properties upon apply


I have a Terraform resource for an AWS Glue Connection, like this:

resource "aws_glue_connection" "some-connection-name" {
  name = "some-connection-name"
  physical_connection_requirements {
    availability_zone = var.availability_zone
    security_group_id_list = var.security_group_id_list
    subnet_id = var.subnet_id
  }
  connection_properties = {
    JDBC_CONNECTION_URL = "jdbc:postgresql://change_host_name:5432/db_name"
    JDBC_ENFORCE_SSL    = "false"
    PASSWORD            = "change_password"
    USERNAME            = "change_username"
  }
}

For context, this resource was imported, not created originally with Terraform. I have been retrofitting Terraform to an existing project by iteratively importing, planning, and applying.

Of course I do not want to save the credentials in the Terraform file. So I used placeholder values, as you can see above. After deployment, I assumed, I would be able to change the username, password, and connection URL by hand.

When I run terraform plan I get this indication that Terraform is preparing to change the Glue Connection:

~ connection_properties = (sensitive value)

Terraform plans to modify the connection_properties because they differ (intentionally) from the live configuration. But I don't want it to. I want to terraform apply my script without overwriting the credentials. Periodically applying is part of my development workflow. As things stand I will have to manually restore the credentials after every time I apply.

I want to indicate to Terraform not to overwrite the remote credentials with my placeholder credentials. I tried simply omitting the connection_properties argument but the problem remains. Is there another way to coax Terraform not to overwrite the host, username, and password upon apply?


Solution

  • Based on the comments.

    You could use ignore_changes. Thus, the code could be:

    resource "aws_glue_connection" "some-connection-name" {
      name = "some-connection-name"
      physical_connection_requirements {
        availability_zone = var.availability_zone
        security_group_id_list = var.security_group_id_list
        subnet_id = var.subnet_id
      }
      connection_properties = {
        JDBC_CONNECTION_URL = "jdbc:postgresql://change_host_name:5432/db_name"
        JDBC_ENFORCE_SSL    = "false"
        PASSWORD            = "change_password"
        USERNAME            = "change_username"
      }
    
      lifecycle {
        ignore_changes = [
          connection_properties,
        ]
      }
    }
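
A check that the lifecycle block is taking effect, as an added example that is not part of the original answer: it reads the JSON plan (`terraform plan -out=plan.out`, then `terraform show -json plan.out`) and lists every Glue connection whose connection_properties an apply would update in place. The sample plan, resource addresses and function name are constructed for illustration, and the script assumes the plan JSON carries the property values under `before` and `after`.

```python
import json

# Constructed sample in the shape of `terraform show -json plan.out` (made-up values).
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {   # no lifecycle block: placeholders would replace the live values
            "address": "aws_glue_connection.unprotected",
            "type": "aws_glue_connection",
            "change": {
                "actions": ["update"],
                "before": {"name": "a", "connection_properties": {
                    "USERNAME": "live_user", "PASSWORD": "live_secret"}},
                "after": {"name": "a", "connection_properties": {
                    "USERNAME": "change_username", "PASSWORD": "change_password"}},
            },
        },
        {   # ignore_changes in effect: nothing is planned for this resource
            "address": "aws_glue_connection.protected",
            "type": "aws_glue_connection",
            "change": {
                "actions": ["no-op"],
                "before": {"name": "b", "connection_properties": {"USERNAME": "live_user"}},
                "after": {"name": "b", "connection_properties": {"USERNAME": "live_user"}},
            },
        },
    ]
})


def overwritten_connections(plan_json):
    """Map each Glue connection address to the property keys the plan would change."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        # Only in-place updates (the "~" lines in `terraform plan`) are considered.
        if rc.get("type") != "aws_glue_connection" or "update" not in change.get("actions", []):
            continue
        before = (change.get("before") or {}).get("connection_properties") or {}
        after = (change.get("after") or {}).get("connection_properties") or {}
        # Report key names only, never the values: they are credentials.
        changed = sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))
        if changed:
            findings[rc["address"]] = changed
    return findings


if __name__ == "__main__":
    for address, keys in overwritten_connections(SAMPLE_PLAN).items():
        print(f"{address}: plan would overwrite {', '.join(keys)}")
```

The plan file and its JSON rendering can contain the live credentials, so keep them out of build artifacts and delete them once the check has run.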