
terraform - I'd like to tag resources with the git-sha that created them, is this possible? - Stack Overflow


If I use the random_id (like below), it will create the random value once and then never change it:

resource "random_id" "example" {
  ...
}

resource "aws_*" "example" {
  tags = { 
    ...
    random_id = resource.random_id.example.hex
  }
}

I would like the same sort of behaviour, but with a non-random value - something like a git-sha. Maybe it would look something like this, or maybe it would just be a terraform built-in?

resource "hypothetical_static_value" "example" {
  value = var.git_sha
}

resource "aws_*" "example" {
  tags = { 
    ...
    created_sha = resource.hypothetical_static_value.example.value
  }
}

There are a few workarounds that probably sort-of work, but are too convoluted:

  • I think I might be able to use the random_id to get this, since it takes a prefix, and I could have a local that strips the random value off the end and effectively then just uses the prefix.
  • I could probably add a lifecycle { ignore_changes = [tags["created_sha"]] } to the resource - but that would need to be added to every resource.
  • I might be able to add a secret or an ssm parameter that would store the git-sha as a value and then use data lookup to reference that in my individual resources. But this then takes up resources and space in the cloud that are unnecessary (since the same is stored in state and then we'd have to sync with them on every plan and apply). I think that resource probably needs lifecycle rules too.
  • For anyone wanting just a timestamp instead of a git-sha, there is a time_static resource that works.

Is there a good, simple way to handle this?

asked Mar 3 at 15:11 by davidpricedev
  • I would probably pass the current git SHA in as an input variable to Terraform, and simply use that value directly as the created_sha tag, and also add the lifecycle ignore_changes thing like you mentioned in your 2nd bullet point to every resource. That's the cleanest way I can think of to handle this. – Mark B Commented Mar 3 at 17:03

1 Answer

Terraform does not have any built-in way to retrieve information about any Git repository that might contain the source code it is working with, and so any solution here will involve a provider plugin that is able to query that information.

I don't know if there's a provider already available that directly interacts with Git, but you could potentially do it with the external data source from the hashicorp/external provider, which treats an external command as a Terraform data source. To do that you will need to write an external program or script that runs Git to find out what it thinks the current commit ID is and then prints a JSON object where the commit ID is included as one of the property values.

You could then use the result of that data source to populate your tag, and use ignore_changes as you described to avoid every tag on every resource being updated each time you make a new Git commit.
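A sketch of the external program the answer describes, added here as an example and not part of the original answer. The file name git_sha.py, the data source label "git", and the extra "dirty" flag are assumptions; the program follows the external data source contract of printing a JSON object of string values on stdout and exiting non-zero with a message on stderr on failure.

```python
"""Program for Terraform's `external` data source (hashicorp/external provider).
Assumed wiring; the file name git_sha.py and the label "git" are placeholders:
    data "external" "git" {
      program = ["python3", "${path.module}/git_sha.py"]
    }
    # per resource:
    #   tags = { created_sha = data.external.git.result.sha }
    #   lifecycle { ignore_changes = [tags["created_sha"]] }
"""
import json
import re
import subprocess
import sys

# A full commit ID is 40 hex chars (SHA-1) or 64 (SHA-256 repositories).
_SHA_RE = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")


def build_result(rev_parse_output: str, status_output: str) -> dict:
    """Turn raw git output into the flat string-to-string map the provider expects."""
    sha = rev_parse_output.strip()
    if not _SHA_RE.fullmatch(sha):
        raise ValueError(f"unexpected commit ID from git: {sha!r}")
    # Uncommitted changes mean the SHA does not fully describe what was applied.
    dirty = "true" if status_output.strip() else "false"
    return {"sha": sha, "dirty": dirty}


def run_git(*args: str) -> str:
    """Run git in the current directory and return its stdout, raising on failure."""
    return subprocess.run(["git", *args], check=True, capture_output=True, text=True).stdout


def main() -> int:
    try:
        result = build_result(
            run_git("rev-parse", "HEAD"), run_git("status", "--porcelain")
        )
    except (OSError, ValueError, subprocess.CalledProcessError) as exc:
        # Non-zero exit plus a message on stderr makes the plan fail visibly.
        print(f"git_sha: {exc}", file=sys.stderr)
        return 1
    json.dump(result, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the data source is re-read on every plan, the ignore_changes entry is what keeps created_sha fixed at the commit that first created each resource.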
