Terraform: how can we update a tag only if modification is detected

Question

I implemented tags in my terraform files with a field Lastupdate like below

The problem is that whenever i apply my tf file, this field is always updated even if there is no change. I would like this tag beeing updated only if a change is detected.

Do you know how can i achieve this ?

My code looks like

resource "azurerm_app_service_plan" "terra_app_plan" {
  resource_group_name = azurerm_resource_group.terra_resource_group.name
  location            = azurerm_resource_group.terra_resource_group.location
  name                = local.app_serviceplan_name

  sku {
    size = var.app_serviceplan_size
    tier = var.app_serviceplan_tiers
  }
  tags = local.common_tags
}

And also here

locals {
  common_tags = {
    costcenter  = var.cost_center
    environment = terraform.workspace
    lastupdate  = formatdate("DD-MMM-YY hh:mm:ss ZZZ", timestamp())
  }

Maybe we could add a conditional item for parameter lastupdate but i have no idea on how do it

Thanks for all

Answer 1

EDIT/CAUTION: I found issues in this approach using remote environments for execution, such as Terraform Cloud. This works locally, but in situations where the targeted file is being created during runtime for apply, the last modified date is based on the file being created during that runtime.

A best practice is for tags to have meaningful key/values, as suggested in other answers. However, if you are faced with this being a requirement, one approach is to use the Terraform external data resource to run a shell script, capture the date, and use that in your Terraform as a value for your tags.

First, create a bash script in the Terraform module:

#!/bin/bash

LASTUPDATED=$(date -r $1)

echo '{"lastupdated":"'$LASTUPDATED'"}' | jq .

Then, within your Terraform you can use the result to apply your tag:

# so_71645084.tf
variable "costcenter" { default = "foo" }

data "external" "file_last_updated" {
  program = ["bash", "${path.module}/so_71645084.sh", "${path.module}/so_71645084.tf"]
}

locals {
  common_tags = {
    costcenter  = var.costcenter
    environment = terraform.workspace
    lastupdate  = data.external.file_last_updated.result.lastupdated
  }
}

output "common_tags" { value = local.common_tags }

Your resulting common_tags output would be:

...

 + costcenter  = "foo"
 + environment = "dev"
 + lastupdate  = "Mon Mar 28 13:32:15 UTC 2022"

In summary, the external data resource runs a date command against the targeted file you are tracking changes for. We are using the result as a data resource in our Terraform to apply a date value to our tags.

Answer 2

Tag is use for assign a meanigful name with specific version of your resources. Tag is created for particular save even if you did changes in your resouces it will not be updated. Importantly Tags are name-value pairs that are used to organize resources in Azure Porta

it's not possible to detect the last update in your resoures by tag better check Activiy logs for that particuler resource.