How to fix Error: keepers value has changed in Terraform

TerraformINTERMEDIATEHIGH

The "keepers value has changed" error occurs when a random resource's keeper values are modified between Terraform plan and apply phases. This causes Terraform to detect inconsistency and fail. Understanding when and why keepers change is critical for reliable infrastructure code.

What this error means

In Terraform's random provider, the `keepers` argument is a map of arbitrary key-value pairs used to control when a random value should be regenerated. By design, random values are deterministic—once generated, they remain the same across multiple terraform plan and apply cycles unless the keepers themselves change. When you see "keepers value has changed," it means the keeper values that Terraform recorded during the plan phase differ from their values during the apply phase. This creates an inconsistency because the random resource was told to keep its value stable based on certain conditions, but those conditions changed mid-execution. This error typically indicates one of three problems: (1) keeper values are dynamic and change between plan and apply, (2) there's a circular dependency preventing proper evaluation order, or (3) referenced values in keepers haven't been computed yet when Terraform tries to use them.

How to fix "Error: keepers value has changed"

1Verify your keepers reference stable, pre-existing values

Examine the keepers block in your random resource configuration. Keepers should only reference values that exist before Terraform starts the apply phase and won't change afterward.

Good example—reference a pre-existing input variable:

hcl

resource "random_id" "instance" {
  keepers = {
    ami_id = var.ami_id  # Input variable, stable across plan/apply
  }
  byte_length = 8
}

Bad example—reference a computed resource attribute:

hcl

resource "random_id" "instance" {
  keepers = {
    file_hash = filemd5("./config.txt")  # May differ between plan and apply
  }
  byte_length = 8
}

Identify any keepers that reference computed outputs, file operations, or attributes of resources created in the same run.

2Remove dynamic or computed values from keepers

Replace any computed keeper values with stable references. If you need to regenerate a random value based on a resource's attribute, use depends_on instead.

Replace file hashes with static content if possible:

hcl

# Bad: file hash changes during apply
keepers = {
  config_hash = filemd5("./config.txt")
}

# Better: reference a static input variable
keepers = {
  config_version = var.config_version
}

After editing keepers, run:

bash

terraform plan

The plan should now show consistent keeper values without proposing replacement.

3Break circular dependencies by restructuring resources

If the error persists, check for circular references where:
1. Random resource's keepers reference ResourceA
2. ResourceA depends on the random resource's output

This creates a cycle that Terraform can't resolve. Fix it by restructuring your configuration.

Example of a circular dependency:

hcl

# WRONG: Circular dependency
resource "random_id" "bucket_id" {
  keepers = {
    bucket_name = aws_s3_bucket.my_bucket.id  # Depends on S3 bucket
  }
}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-bucket-${random_id.bucket_id.hex}"  # Depends on random_id
}

Fix it by breaking the cycle:

hcl

# CORRECT: No circular dependency
resource "random_id" "bucket_id" {
  keepers = {
    prefix = var.bucket_prefix  # Reference input variable only
  }
  byte_length = 8
}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "${var.bucket_prefix}-${random_id.bucket_id.hex}"
}

Re-run terraform plan to confirm the cycle is resolved.

4Use depends_on for resource ordering when needed

If you need the random value to regenerate when another resource changes, use depends_on instead of adding that resource's attributes to keepers.

Good practice:

hcl

resource "random_id" "new_id" {
  keepers = {
    # Only reference stable values
    seed = var.regenerate_seed
  }
  depends_on = [
    aws_instance.app  # Ensures proper ordering
  ]
  byte_length = 8
}

This tells Terraform to respect the dependency without creating inconsistency in keeper values.

5Trigger replacement on demand if you need a new value

If you genuinely need a new random value, don't try to force it through changing keepers. Instead, use the replace option:

bash

terraform apply -replace=random_id.bucket_id

This explicitly tells Terraform to destroy and recreate that resource, generating a new random value. This is safer and clearer than trying to manipulate keepers.

Alternatively, you can change a keeper variable manually:

bash

terraform apply -var="regenerate_seed=2"

This changes the keeper value uniformly during apply, avoiding inconsistency errors.

6Check Terraform version and update if necessary

This issue has been partially addressed in newer versions of Terraform and the random provider. Ensure you're running a recent version:

bash

terraform version

Update to the latest Terraform and random provider:

bash

terraform init -upgrade

Check your .terraform/versions or terraform.lock.hcl to see which version of the random provider you're using. Consider upgrading to the latest:

hcl

terraform {
  required_providers {
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5"  # Use latest stable version
    }
  }
}

After upgrading, run terraform init and test again.

How to fix Error: keepers value has changed in Terraform

What this error means

Typical symptoms

Common causes

How to fix "Error: keepers value has changed"

Advanced notes

Related errors

Official resources & further reading