Ignore Tag Changes
Adds ignore_changes = [tags, tags_all] to all resources, preventing Terraform from reverting externally managed tags.
When to use this rule
Use this when: External systems (AWS Config, Service Catalog, cost tools, or manual console edits) modify tags on your resources, causing noisy plan diffs on every terraform plan.
Do not use this when: You manage all tags exclusively through Terraform and want Terraform to enforce tag values, or you rely on plan diffs to detect tag drift (for example, tags that feed IAM ABAC conditions, cost allocation, or ownership records).
Why this rule exists
AWS tags are modified by many systems outside Terraform: AWS Config rules, Service Catalog, cost allocation tools, security scanners, and manual console edits. When Terraform detects a tag difference, it plans an update to revert the tag, even if the external change is intentional.
This creates a constant stream of noisy plan diffs. Teams using default_tags in the AWS provider are especially affected because tags_all includes the merged set of resource-level and provider-level tags.
Related Terraform and OpenTofu issues
| Repository | Issue | Title |
|---|---|---|
| hashicorp/terraform | #27360 | A method to override configuration and meta arguments within a module |
| hashicorp/terraform | #24188 | Support for dynamic blocks and meta-arguments |
| hashicorp/terraform-provider-aws | #19583 | Provider produced inconsistent final plan / an invalid new value for .tags_all |
Affected resources
| Resource | Service | Why |
|---|---|---|
| aws_* | All AWS resources | Any resource that supports the tags and tags_all attributes |
Known limits
- Does not prevent tag changes from happening. External systems can still modify tags freely, and Terraform will no longer report those changes. If tags feed authorization decisions (IAM ABAC conditions on aws:ResourceTag) or cost allocation, detect drift with another control, such as an AWS Config rule or a comparison against the Resource Groups Tagging API.
- Does not affect the initial tag values set when a resource is first created. After creation, tag values you change in your Terraform configuration are ignored as well, because ignore_changes applies to the attribute whether the difference comes from the remote object or from config.
- Ignores every tag key. If only one externally managed key is noisy, a hand-written lifecycle block can ignore that key alone (Terraform accepts map keys in ignore_changes, e.g. tags["ManagedBy"]) and keep Terraform enforcing the rest; the rule itself currently ships with the full tags and tags_all list.
- Does not cover non-AWS resources or resources from other providers.
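Because the rule makes terraform plan silent about tag drift, the compensating control is an out-of-band comparison between the tags your configuration intends and the tags actually on the resource. The script below is an added example, not code from compliance.tf or the pofix rule. It uses `terraform show -json` only to map resource addresses to ARNs (after a refresh the state copies the live, possibly drifted, tag values, so state is not a trustworthy source of intended tags), and it reads live tags from an `aws resourcegroupstaggingapi get-resources` response. The state excerpt, the tagging API response, the INTENDED_TAGS map (assumed to mirror the tags and default_tags set in configuration) and the ALLOWED_EXTERNAL_KEYS allowlist are all constructed for the example.

```python
"""Compensating tag-drift check for resources whose lifecycle block ignores tags.

Added example; not code from compliance.tf or the pofix rule. Once tags and
tags_all are ignored, `terraform plan` no longer reports tag drift, so this
script compares the tags the configuration intends with the tags actually on
the resource. `terraform show -json` is used only to map addresses to ARNs.
All inputs below are constructed so the check runs offline.
"""
import json

# Constructed excerpt of `terraform show -json` (addresses, modes, types, ARNs).
STATE_JSON = json.dumps({"format_version": "1.0", "values": {"root_module": {
    "resources": [
        {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
         "values": {"arn": "arn:aws:s3:::example-logs-bucket"}},
        {"address": "data.aws_caller_identity.me", "mode": "data",
         "type": "aws_caller_identity", "values": {"arn": "arn:aws:iam::123456789012:user/x"}},
    ],
    "child_modules": [{"address": "module.ci", "resources": [
        {"address": "module.ci.aws_iam_role.deploy", "mode": "managed", "type": "aws_iam_role",
         "values": {"arn": "arn:aws:iam::123456789012:role/deploy"}}]}]}}})

# Constructed: the tags each resource sets in configuration (tags merged with default_tags).
INTENDED_TAGS = {
    "aws_s3_bucket.logs": {"Environment": "prod", "Owner": "platform", "DataClass": "internal"},
    "module.ci.aws_iam_role.deploy": {"Environment": "prod", "Owner": "platform", "Team": "ci"},
}

# Constructed excerpt of `aws resourcegroupstaggingapi get-resources` output.
LIVE_JSON = json.dumps({"ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:s3:::example-logs-bucket", "Tags": [
        {"Key": "Environment", "Value": "prod"}, {"Key": "Owner", "Value": "platform"},
        {"Key": "DataClass", "Value": "internal"}, {"Key": "ManagedBy", "Value": "AWSConfig"}]},
    {"ResourceARN": "arn:aws:iam::123456789012:role/deploy", "Tags": [
        {"Key": "Environment", "Value": "prod"}, {"Key": "Owner", "Value": "platform"},
        {"Key": "Team", "Value": "security"}, {"Key": "ManagedBy", "Value": "AWSConfig"}]}]})

# Keys an approved external system may add or change; every other difference is reported.
ALLOWED_EXTERNAL_KEYS = frozenset({"ManagedBy"})


def _walk(module):
    """Yield every resource in a terraform show -json module tree, root module first."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def managed_arns(state_json):
    """Map resource address -> ARN for managed (non-data) resources that expose an arn."""
    root = json.loads(state_json)["values"]["root_module"]
    return {r["address"]: r["values"]["arn"] for r in _walk(root)
            if r.get("mode", "managed") == "managed" and "arn" in r.get("values", {})}


def live_tags(live_json):
    """Map ARN -> {key: value} from a Resource Groups Tagging API get-resources response."""
    doc = json.loads(live_json)
    return {m["ResourceARN"]: {t["Key"]: t["Value"] for t in m.get("Tags", [])}
            for m in doc["ResourceTagMappingList"]}


def tag_drift(state_json, intended, live_json, allowed_external=ALLOWED_EXTERNAL_KEYS):
    """Return {address: {key: (intended, actual)}} for every difference not allowlisted.

    A managed resource the tagging API does not return is reported under key "*".
    """
    arns = managed_arns(state_json)
    actual = live_tags(live_json)
    drift = {}
    for address, want in intended.items():
        arn = arns.get(address)
        have = actual.get(arn) if arn else None
        if have is None:
            drift[address] = {"*": ("present in state", "not returned by tagging API")}
            continue
        diffs = {k: (want.get(k), have.get(k)) for k in sorted(set(want) | set(have))
                 if k not in allowed_external and want.get(k) != have.get(k)}
        if diffs:
            drift[address] = diffs
    return drift


if __name__ == "__main__":
    for address, diffs in tag_drift(STATE_JSON, INTENDED_TAGS, LIVE_JSON).items():
        for key, (want, have) in diffs.items():
            print(f"{address}: {key}: intended={want!r} actual={have!r}")
```

With the constructed inputs the ManagedBy tag added by AWS Config is allowlisted and produces no finding, while the IAM role's Team tag, changed from ci to security outside Terraform, is reported; that is exactly the class of change the rule hides from terraform plan. Run it against real data by piping `terraform show -json` and the tagging API output into the two JSON arguments and deriving INTENDED_TAGS from the same map you pass to the module.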
What this rule does
Adds a lifecycle { ignore_changes = [...] } block to each matching resource. Terraform and OpenTofu will ignore external changes to the listed attributes on subsequent plans.
Ignored attributes: tags, tags_all
Before and after
Before:

```hcl
resource "aws_*" "this" {
  # ... resource configuration ...
  tags = var.tags
}
```

After:

```hcl
resource "aws_*" "this" {
  # ... resource configuration ...
  tags = var.tags

  lifecycle {
    ignore_changes = [
      tags,
      tags_all,
    ]
  }
}
```
The only change is the rule transformation. All existing arguments, outputs, and module behavior remain identical.
Real-world scenario
An AWS Config rule auto-tagged all resources with a ManagedBy: AWSConfig tag. Every terraform plan showed 47 tag diffs across the module. The platform team spent hours triaging 'changes' that were all false positives.
Compliance framework support
This rule is not a compliance control. It supports these framework objectives as an operational safeguard:
| Framework | Controls | Role |
|---|---|---|
| SOC 2 | CC6.1 | Reduces noise in change management by preventing tag drift from triggering false-positive plan diffs |
Default configuration
This rule ships with the following defaults. Custom parameterization via the registry is planned for a future release.
| Parameter | Type | Default | Description |
|---|---|---|---|
| ignore_changes | list(string) | ["tags", "tags_all"] | Lifecycle attributes to ignore |
| resource_types | list(string) | ["aws_*"] | Target resource type patterns |
How to enable
Add ?rules=pofix/ignore_tag_changes to your HTTPS module source:
```hcl
module "example" {
  source = "https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&rules=pofix/ignore_tag_changes"
}
```
Configure via the compliance.tf API. See Getting Started with Operational Rules.
Failure modes
| Scenario | Result |
|---|---|
| Rule applied to a module with no taggable resources | No-op. Module delivered unchanged. |
| Tags set by Terraform at creation time are wrong | Fix the tag values in your Terraform config. Resources created afterwards get the corrected values, but resources that already exist will not, because ignore_changes also ignores configuration changes after creation. To correct existing resources, remove the rule, apply, then re-enable it, or recreate the resource. |
| You need Terraform to manage tags again | Remove the rule with ?rules=-pofix/ignore_tag_changes and run terraform init -upgrade. |
Terraform and OpenTofu compatible
This rule works with both Terraform (1.x+) and OpenTofu (1.6+). The generated HCL uses standard lifecycle meta-arguments supported by all versions.