13

When I run

terraform plan

it shows a list of changes made out of Terraform and at the end of output, it also informs that "No changes. Your infrastructure matches the configuration.":

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # google_sql_database_instance.db1 has been changed
  ~ resource "google_sql_database_instance" "db1" {
        id                            = "db1"
        name                          = "db1"
        # (12 unchanged attributes hidden)

....
whole list of objects to update
....
....

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

No changes. Your infrastructure matches the configuration.

Your configuration already matches the changes detected above. If you'd like to update the Terraform state to match, create and apply a refresh-only plan:
  terraform apply -refresh-only

Not sure why it first says there are changes in infrastructure but also say that Configuration matches the Infrastructure. I ran a test "Apply" and Terraform did not change anything but I want to know why is it showing these two different statements and also want to ensure that nothing is changes accidentally.

nandoquintana
  • 400
  • 3
  • 14
Waqas Khan
  • 389
  • 1
  • 3
  • 8

1 Answers1

18

When Terraform creates a plan, it does two separate operations for each of your resource instances:

  • Read the latest values associated with the object from the remote system, to make sure that Terraform takes into account any changes you've made outside of Terraform.
  • Compare the updated objects against the configuration to see if there are any differences, and if so to propose actions Terraform will take in order to make the remote objects match the configuration.

The output you've shared is talking about both of those steps. Terraform first reports that when it read the latest values it detected that some things have already changed outside of Terraform, and explains what it detected. It then compared those updated objects against your configuration and found that your configuration already matches, and so Terraform doesn't need to make any additional changes to your infrastructure.

The final paragraph of the output includes "your configuration already matches the changes detected above", which suggests that you have made some changes to the objects outside of Terraform but you've also updated the configuration to match. Therefore Terraform doesn't need to make any changes to the remote objects to make them match the configuration, because something other than Terraform already updated them.

Martin Atkins
  • 62,420
  • 8
  • 120
  • 138
  • Is there an option to suppress these kind of messages since they are kind of over-verbose and have `terraform` notify the user **only** where there are going to be actual updates (`create` / `destroy` / `update`) ? – pkaramol Nov 21 '21 at 21:03
  • 1
    If you run `terraform apply -refresh-only -auto-approve` prior to whatever other Terraform command you are running then you can have Terraform incorporate all of the remote system changes into the state as a separate step first -- whose output you can hide or ignore -- and then the subsequent operation will be in terms of that updated state and thus there won't be any "changes outside of Terraform" reported on that second run. – Martin Atkins Dec 01 '21 at 19:14