diff --git a/modules/ssm/ssm.tf b/modules/ssm/ssm.tf
index 3f13333e68..6a7a4d9169 100644
--- a/modules/ssm/ssm.tf
+++ b/modules/ssm/ssm.tf
@@ -5,6 +5,16 @@ resource "aws_ssm_parameter" "github_app_id" {
 value = var.github_app.id
 key_id = local.kms_key_arn
 tags = var.tags
+
+ # The AWS provider exposes `insecure_value` as a computed/optional attribute and
+ # surfaces a "+ insecure_value = (known after apply)" diff on every plan for
+ # SecureString params (the API never returns it). `version` similarly drifts to
+ # "(known after apply)" because the provider treats it as recomputed. Neither
+ # actually changes anything on apply — ignore them to silence perpetual no-op
+ # drift for consumers of this module.
+ lifecycle {
+ ignore_changes = [insecure_value, version]
+ }
 }
 
 resource "aws_ssm_parameter" "github_app_key_base64" {
@@ -14,6 +24,10 @@ resource "aws_ssm_parameter" "github_app_key_base64" {
 value = var.github_app.key_base64
 key_id = local.kms_key_arn
 tags = var.tags
+
+ lifecycle {
+ ignore_changes = [insecure_value, version]
+ }
 }
 
 resource "aws_ssm_parameter" "github_app_webhook_secret" {
@@ -23,4 +37,8 @@ resource "aws_ssm_parameter" "github_app_webhook_secret" {
 value = var.github_app.webhook_secret
 key_id = local.kms_key_arn
 tags = var.tags
+
+ lifecycle {
+ ignore_changes = [insecure_value, version]
+ }
 }
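Review bot: The `ignore_changes` list added to `github_app_id` (and repeated in the `github_app_key_base64` and `github_app_webhook_secret` hunks) includes `version`, which the comment itself describes as recomputed by the provider. Terraform normally flags an `ignore_changes` entry for a provider-decided attribute as redundant, so it is worth confirming with a plan that this entry does more than add a warning. `insecure_value` is a configurable argument, so ignoring it presumably also hides a later edit that moves one of these secrets from `value` to the plaintext `insecure_value`. I would narrow the list to what the plan output proves necessary, e.g. `ignore_changes = [insecure_value]`, and record in the comment where the drift was observed so the workaround can be removed later: `# seen with hashicorp/aws <PROVIDER_VERSION>; drop once fixed upstream`. The resource block opens above the hunk, so its `type` and other arguments are not visible here.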
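Review bot: The `lifecycle` block added to `github_app_key_base64` (and the identical one in the `github_app_webhook_secret` hunk) has no comment; the rationale sits only on `github_app_id`. Judging by their names, these two parameters hold the App private key and the webhook secret, which is where a reader will most want to know why plan drift is being suppressed and whether rotation is affected. A one-line pointer above each block would cover it, e.g. `# Provider no-op drift only (see github_app_id); value is still tracked, so rotation applies.` Both resource blocks open above their hunks.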