Merge pull request #211 from andrew-womeldorf/issue/210-load-balancers

Ignore changes to load balancers in vault-cluster ASG

modules/vault-cluster/main.tf

@@ -84,11 +84,21 @@ resource "aws_autoscaling_group" "autoscaling_group" {
   }
 
 
-  # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means
-  # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors
-  # when you try to do a terraform destroy.
   lifecycle {
+    # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means
+    # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors
+    # when you try to do a terraform destroy.
     create_before_destroy = true
+
+    # As of AWS Provider 3.x, inline load_balancers and target_group_arns
+    # in an aws_autoscaling_group take precedence over attachment resources.
+    # Since the vault-cluster module does not define any Load Balancers,
+    # it's safe to assume that we will always want to favor an attachment
+    # over these inline properties.
+    #
+    # For further discussion and links to relevant documentation, see
+    # https://github.com/hashicorp/terraform-aws-vault/issues/210
+    ignore_changes = [load_balancers, target_group_arns]
   }
 }
 
@@ -343,9 +353,9 @@ data "aws_iam_policy_document" "vault_dynamo" {
 }
 
 resource "aws_iam_role_policy" "vault_dynamo" {
-  count  = var.enable_dynamo_backend ? 1 : 0
-  name   = "vault_dynamo"
-  role   = aws_iam_role.instance_role.id
+  count = var.enable_dynamo_backend ? 1 : 0
+  name  = "vault_dynamo"
+  role  = aws_iam_role.instance_role.id
   policy = element(
     concat(data.aws_iam_policy_document.vault_dynamo.*.json, [""]),
     0,