I have a AWS CodePipeline configured in a terraform file, like this:

resource {
    name = "Cool Pipeline"
    ...

    stage {
        name = "Source"
        ...

        action {
            name = "Source"
            ...

            configuration {
                Owner = "Me"
                Repo = "<git-repo-uri>"
                Branch = develop
                OAuthToken = "b3287d649a28374e9283c749cc283ad74"
            }
        }
    }

    lifecycle {
        ignore_changes = "OAuthToken"
    }
}

The reason for ignoring the token, is that the AWS API doesn't show that token to terraform, instead AWS API outputs this with aws codepipeline get-pipeline <name>:

"pipeline": {
    "stages": {
        "name": "Source",
        "actions": {
            "configuration": {
                "OAuthToken": "****"
            }
        }
    }
}

Result is, when I perform the terraform planit shows me it wants to update that token, like so:

module.modulename.aws_codepipeline.codepipeline
      stage.0.action.0.configuration.%:          "3" => "4"
      stage.0.action.0.configuration.OAuthToken: "" => "b3287d649a28374e9283c749cc283ad74"

My question is, how can I get the ignore_changes to take effect? I've tried this without any success:

ignore_changes = ["OAuthToken"]
ignore_changes = ["oauthtoken"]
ignore_changes = ["stage.action.configuration.OAuthToken"]

All examples I've found googling just shows how to ignore on the same block level.

(The token is this text is fake.)

This syntax, as hinted by terraform plan output, solved the problem:

ignore_changes = [
    "stage.0.action.0.configuration.OAuthToken",
    "stage.0.action.0.configuration.%"
]

Another way to solve it is to add the GITHUB_TOKEN system environment variable, with the token as the value. This way you do not need the ignore_changes directive in the tf files.