TrademarkTrademark
Features
Documentation
Pricing
About
Get Started
All articles

Understanding the Terraform ignore_changes Lifecycle Block

Learn how and when to use the ignore_changes life cycle block.
Ryan FeeJanuary 5, 2026Updated March 31, 2026
Understanding the Terraform ignore_changes Lifecycle Block

The lifecycle block in Terraform is a powerful meta-argument that allows you to control how Terraform manages the resources in your state file, overriding its default behavior. Among its arguments, ignore_changes is one of the most critical for platform stability and flexibility, enabling you to manage infrastructure that evolves both inside and outside of your HCL code.

In essence, ignore_changes tells Terraform: "When you run a plan, do not consider changes to these specific attributes, even if the state value no longer matches the HCL value."

What Problem Does ignore_changes Solve?

Terraform’s core function is to ensure that the actual state of your infrastructure matches the desired state defined in your HCL code. When these two don't match, Terraform plans an update to correct the drift.

ignore_changes is essential for three common scenarios where this drift is harmless or intentional:

  1. Computed Defaults: When a cloud provider automatically sets an attribute after creation (e.g., a default security policy or a unique ID), and you don't define that attribute in your HCL. Without ignore_changes, Terraform will constantly try to remove or reset the attribute, creating noise in your plan.
  2. External Modifications: When a cloud service, a separate automation script, or a human administrator makes changes to an attribute (like updating a tag, or changing a database setting) outside of your Terraform workflow. You want the resource to remain managed by Terraform, but you want to ignore this specific attribute change.
  3. Module Upgrades/Refactoring: After importing existing infrastructure or refactoring a module, using ignore_changes can temporarily suppress false positives, allowing you to gradually update the HCL without risking an immediate, destructive apply.

How to Use the ignore_changes Block

The lifecycle block is placed inside a resource block. The ignore_changes argument accepts a list of attribute names that should be excluded from drift detection.

Syntax

resource "resource_type" "resource_name" {
  # Standard resource configuration...

  lifecycle {
    # Provide a list of attribute names to ignore.
    ignore_changes = [
      attribute_one,
      attribute_two,
      # You can also use the special keyword 'all'
      # all,
    ]
  }
}

Example: Ignoring Tags and Network Rules

Imagine you have an AWS EC2 instance. You want Terraform to manage its type and AMI, but you allow your monitoring team to update certain tags and a separate tool manages the user data script after the instance is running.

resource "aws_instance" "web_server" {
  ami           = "ami-0abcdef1234567890"
  instance_type = "t2.micro"

  # Standard tags managed by Terraform
  tags = {
    Project = "MyWebApp"
    Owner   = "Team Alpha"
  }

  lifecycle {
    # Ignore tags_all, allowing external automation to add/remove tags without 
    # triggering a plan difference for this resource.
    # Also ignore 'user_data' if a bootstrap tool modifies it post-launch.
    ignore_changes = [
      tags_all,
      user_data,
    ]
  }
}

Key Considerations and Best Practices

The tags vs. tags_all Dilemma

Most cloud providers have a tags argument (explicitly managed) and a tags_all argument (the complete set of tags, including provider-default tags).

  • If you use ignore_changes = [tags], Terraform will ignore only the tags you explicitly defined. This is rarely what you want.
  • If you use ignore_changes = [tags_all], Terraform ignores all tag changes on the resource. This is often the safest choice if you want to allow external tag management, but it means Terraform can never enforce a specific tag set.

Using all

The special keyword all ignores changes to every attribute on the resource.

  lifecycle {
    ignore_changes = all
  }

While this prevents any resource drift, it effectively turns the resource into a read-only resource for Terraform. Any changes you make to that resource's block in HCL (e.g., changing instance_type from t2.micro to t2.medium) will be ignored by Terraform. Use all only when the resource is managed entirely by another system, and you only need Terraform to prevent its accidental destruction.

State-Only vs. Configuration-Based Changes

ignore_changes works by comparing the current state (what Terraform read from the cloud) against the configuration (what is written in your HCL). It only suppresses the plan output; the actual change still exists in the cloud.

If you change an attribute in your HCL and also use ignore_changes for that attribute, Terraform will ignore your HCL change on the next apply. You must remove the attribute from the ignore_changes list, run apply, and then optionally add it back.

for_each and Dynamic Attributes

You can use a for loop inside the ignore_changes block to dynamically generate a list of attributes to ignore, but only when ignoring attributes on a set of resources created with count or for_each.

For example, to ignore the description on a set of security group rules:

resource "aws_security_group_rule" "ingress" {
  # ... configuration using count or for_each

  lifecycle {
    ignore_changes = [
      for i in range(0, length(aws_security_group_rule.ingress)) : ingress[i].description
    ]
  }
}

Using ignore_changes with Drift

The ignore_changes lifecycle meta-argument is your primary tool for managing and controlling configuration drift on specific attributes of a resource. Drift occurs when the actual state of a resource in the cloud no longer matches the desired configuration defined in your HCL code.

By using ignore_changes, you instruct Terraform to stop tracking changes to a specific set of attributes on a given resource, effectively preventing planned updates that would otherwise be generated to correct the drift.

For example, you manage an EC2 instance, but we want to allow an external system to update the tags and user data without Terraform constantly detecting and trying to revert those changes.

resource "aws_instance" "web" {
  ami           = "ami-0abcdef1234567890"
  instance_type = "t2.micro"

  # Standard configuration that Terraform WILL manage
  subnet_id     = aws_subnet.public.id 

  lifecycle {
    # 1. Ignore the 'user_data' field, allowing a separate script to modify it.
    # 2. Ignore 'tags_all', which prevents Terraform from trying to remove
    #    any tags added by non-Terraform systems.
    ignore_changes = [
      user_data,
      tags_all,
    ]
  }
}

This blog has been verified for Terraform and OpenTofu

About the author
Ryan Feedirector of platform engineering at Scalr
Ryan Fee is the director of platform engineering at Scalr, with over 15 years of experience improving infrastructure experiences at companies large and small.
Part of
Thumbnail of The Developer's Guide to HCL

The Developer's Guide to HCL

What is HCL? Learn the basics of HashiCorp Configuration Language, its purpose, design goals, and how it compares to JSON and YAML for Infrastructure as Code.
Sebastian Stadil
March 9, 2026
More on this topic
Terraform moved blocks: refactoring without pain
A Concise Guide to terraform_data Resource
How to Use terraform chdir
Advanced Terraform Workflows with terraform_data
Terraform Resource Dependencies Explained
The Three Stages of Terraform's Lifecycle Meta Argument