From 0a5e2756e647dfbf0952891380a4d665eec5825b Mon Sep 17 00:00:00 2001
From: johnezell
Date: Thu, 30 Apr 2026 15:26:50 -0400
Subject: [PATCH] fix(ssm): ignore_changes for insecure_value/version on github_app SSM params

The AWS provider exposes `insecure_value` as a computed/optional attribute on aws_ssm_parameter and surfaces a "+ insecure_value = (known after apply)" diff on every plan for SecureString params (the API never returns it). The provider also recomputes `version` to "(known after apply)" each plan. Result: every consumer of this module sees three perpetual no-op drift items in plan output for github_app_id, github_app_key_base64, and github_app_webhook_secret. Apply does nothing; the diff returns next plan. Adding lifecycle.ignore_changes = [insecure_value, version] silences this without affecting actual secret rotation (changing `value` still triggers an update; the SecureString is still encrypted with the configured KMS key).
---
 modules/ssm/ssm.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/modules/ssm/ssm.tf b/modules/ssm/ssm.tf
index 3f13333e68..6a7a4d9169 100644
--- a/modules/ssm/ssm.tf
+++ b/modules/ssm/ssm.tf
@@ -5,6 +5,16 @@ resource "aws_ssm_parameter" "github_app_id" {
 value = var.github_app.id
 key_id = local.kms_key_arn
 tags = var.tags
+
+ # The AWS provider exposes `insecure_value` as a computed/optional attribute and
+ # surfaces a "+ insecure_value = (known after apply)" diff on every plan for
+ # SecureString params (the API never returns it). `version` similarly drifts to
+ # "(known after apply)" because the provider treats it as recomputed. Neither
+ # actually changes anything on apply — ignore them to silence perpetual no-op
+ # drift for consumers of this module.
+ lifecycle {
+ ignore_changes = [insecure_value, version]
+ }
 }
 
 resource "aws_ssm_parameter" "github_app_key_base64" {
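Review bot: The comment above the new `lifecycle` block in github_app_id explains the symptom but not which AWS provider version exhibits it, so a future maintainer has no way to tell when the `ignore_changes` workaround can be retired. Consider appending `# Observed with hashicorp/aws <PROVIDER-VERSION>; revisit once the provider stops recomputing these.` with the placeholder filled in from the module's lock file. It is also worth stating in the same comment that with `version` ignored, a rotation performed outside Terraform will no longer surface through that attribute, so the module relies on the refreshed `value` to reveal out-of-band changes; I cannot confirm from this hunk how the provider refreshes SecureString values on read, so that assumption should be verified before the comment asserts it.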
@@ -14,6 +24,10 @@ resource "aws_ssm_parameter" "github_app_key_base64" {
 value = var.github_app.key_base64
 key_id = local.kms_key_arn
 tags = var.tags
+
+ lifecycle {
+ ignore_changes = [insecure_value, version]
+ }
 }
 
 resource "aws_ssm_parameter" "github_app_webhook_secret" {
@@ -23,4 +37,8 @@ resource "aws_ssm_parameter" "github_app_webhook_secret" {
 value = var.github_app.webhook_secret
 key_id = local.kms_key_arn
 tags = var.tags
+
+ lifecycle {
+ ignore_changes = [insecure_value, version]
+ }
 }
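Review bot: The `lifecycle` blocks added to github_app_key_base64 in this hunk and to github_app_webhook_secret in the next one carry no comment, so a reader of the two secret-bearing resources sees a bare `ignore_changes = [insecure_value, version]` with no indication that it suppresses only provider-recomputed attributes and leaves `value` drift (the actual secret) in scope. A one-line pointer above each `lifecycle {` keeps the three resources consistent, e.g. `# Same provider no-op drift as github_app_id above; changes to value are still planned.` If the duplication grows further, the three parameters could be driven from a single for_each map, but that would change resource addresses and require moved blocks, so it belongs in a separate change rather than this fix.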