Update: change an attribute, read the diff

Шаги

1. 01

   Create the initial bucket with one tag

   Create the file main.tf:

   hclcopy

   resource "aws_s3_bucket" "demo" {

     bucket = "linuxlab-update-${random_id.suffix.hex}"

     tags = {

       Owner = "student"

     }

   }

   resource "random_id" "suffix" {

     byte_length = 4

   }

   Run:

   bashcopy

   cd /home/student/tf-update

   terraform init -input=false

   terraform apply -auto-approve -input=false

   After apply, state knows the bucket with one tag, Owner.

   подсказка

   If something fails: check init. And that LocalStack is alive.

   ✓ Bucket created with the tag Owner=student. Now add a second tag.

2. 02

   Add a second tag in HCL

   Open main.tf and change the tags block:

   hclcopy

   tags = {

     Owner       = "student"

     Environment = "learning"

   }

   Now run plan without apply, and you will see the diff:

   bashcopy

   terraform plan

   The output will contain a block like this:

   copy

     ~ resource "aws_s3_bucket" "demo" {

         ~ tags = {

               "Owner" = "student"

             + "Environment" = "learning"

           }

       }

     Plan: 0 to add, 1 to change, 0 to destroy.

   The ~ next to resource means update in place. No recreation. Inside: + "Environment" means the new tag will be added. Owner has no sign, so it does not change.

   See tf-plan on what the signs mean.

   подсказка

   If plan shows `-/+ resource ...`: you changed something that cannot be updated without replacement. Revert and change only tags.

   ✓ Plan showed a ~ change. Apply it: it will update without recreation.

3. 03

   Apply the change

   bashcopy

   terraform apply -auto-approve

   Apply will show:

   copy

   aws_s3_bucket.demo: Modifying...

   aws_s3_bucket.demo: Modifications complete after Xs

   Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

   The key part: 0 destroyed, 1 changed. The bucket was not recreated. The AWS provider simply sent a PutBucketTagging API request. The objects inside (if there had been any) stayed where they were.

   This is update-in-place. Your job is to structure HCL so that most changes follow this path.

   подсказка

   If you get a destroy: something besides tags changed. Check the main fields (bucket, etc): they should not be changing.

   ✓ Tag updated in place, same bucket.

   The same thing on OpenTofu

   OpenTofu keeps the CLI and state compatible with Terraform for the commands in this step: migration usually goes through mv .terraform .terraform.bak; tofu init -upgrade. On a first switch, though, make a backup of the state and do a run on a feature branch. The differences cluster in the newer features (variables in backend, state encryption, OCI registry-backed modules). See tf-opentofu-parity for the full matrix.

   • → OpenTofu parity
4. 04

   Run plan again: clean

   The main Terraform invariant: after apply, a repeated plan = No changes. If it shows changes, something is off (drift, or ignore_changes skipped something).

   Check it:

   bashcopy

   terraform plan -detailed-exitcode

   echo "exit: $?"

   It should be exit: 0. If it were 2, that means there is an inconsistency.

   -detailed-exitcode matters for CI: you can alert automatically on drift.

   подсказка

   If plan prints `No changes` in the human-readable text: everything is OK, the exit code will be 0.

   ✓ Plan is clean. Invariant holds: state == HCL.

   When apply does destroy + create (-/+)

   Some resource attributes cannot be changed without recreation. For example, availability_zone on an EC2 instance, instance_class on some RDS instances, bucket on an S3 bucket. If you change the bucket name, AWS cannot rename it, only create a new one and tear down the old one. Terraform shows this in the plan as -/+. Be careful: the data of a recreated resource is lost.

   • → lifecycle block
   • → terraform plan