AWS SSM Parameter Store Terraform module

Terraform module which creates AWS SSM Parameters on AWS.

Available Features

One of multiple SSM Parameters can be created
Value type guesser
Allow SSM Parameter to ignore changes in the value
Wrapper module which allows managing multiple resources with less code

Usage

Parameter as String

module "string" {
  source  = "terraform-aws-modules/ssm-parameter/aws"

  name  = "my-parameter"
  value = "some-value"
}

Parameter as SecureString

module "secret" {
  source  = "terraform-aws-modules/ssm-parameter/aws"

  name        = "my-secret-token"
  value       = "secret123123!!!"
  secure_type = true
}

Parameter as StringList

module "list" {
  source  = "terraform-aws-modules/ssm-parameter/aws"

  name   = "my-list-parameter"
  values = ["item1", "item2"] # "values" not "value"
}

Parameter with ignored value changes

module "list" {
  source  = "terraform-aws-modules/ssm-parameter/aws"

  ignore_value_changes = true

  name  = "my-parameter-ignore-value-changes"
  value = "some-value"
}

Multiple parameters

locals {
  parameters = {
    #########
    # String
    #########
    "string_simple" = {
      value = "string_value123"
    }
    "string" = {
      type            = "String"
      value           = "string_value123"
      tier            = "Intelligent-Tiering"
      allowed_pattern = "[a-z0-9_]+"
    }

    ###############
    # SecureString
    ###############
    "secure" = {
      type        = "SecureString"
      value       = "secret123123!!!"
      tier        = "Advanced"
      description = "My awesome password!"
    }
    "secure_encrypted_true" = {
      secure_type = true
      value       = "secret123123!!!"
      key_id      = "c938de44-1c09-4c91-89fd-b5881f06f317"
    }

    #############
    # StringList
    #############
    "list_as_autoguess_type" = {
      values = ["item1", "item2"]
    }
    "list_as_jsonencoded_string" = {
      type  = "StringList"
      value = jsonencode(["item1", "item2"])
    }
    "list_as_plain_string" = {
      type  = "StringList"
      value = "item1,item2"
    }
    "list_as_autoconvert_values" = {
      type   = "StringList"
      values = ["item1", "item2"]
    }
    "list_empty_as_jsonencoded_string" = {
      type  = "StringList"
      value = jsonencode([])
    }
  }
}

module "multiple" {
  source  = "terraform-aws-modules/ssm-parameter/aws"

  for_each = local.parameters

  name            = try(each.value.name, each.key)
  value           = try(each.value.value, null)
  values          = try(each.value.values, [])
  type            = try(each.value.type, null)
  secure_type     = try(each.value.secure_type, null)
  description     = try(each.value.description, null)
  tier            = try(each.value.tier, null)
  key_id          = try(each.value.key_id, null)
  allowed_pattern = try(each.value.allowed_pattern, null)
  data_type       = try(each.value.data_type, null)
}

Module wrappers

Users of this Terraform module can create multiple similar resources by using for_each meta-argument within module block which became available in Terraform 0.13.

Users of Terragrunt can achieve similar results by using modules provided in the wrappers directory, if they prefer to reduce amount of configuration files.

Examples

Complete - shows all possible ways to create parameters.

Conditional Creation

The following values are provided to toggle on/off creation of the associated resources as desired:

module "parameter" {
  source  = "terraform-aws-modules/ssm-parameter/aws"

  # Disable creation of all resources
  create = false

  # ... omitted
}

Requirements

Name	Version
terraform	>= 1.0
aws	>= 4.37

Providers

Name	Version
aws	>= 4.37

Modules

No modules.

Resources

Name	Type
aws_ssm_parameter.ignore_value	resource
aws_ssm_parameter.this	resource

Inputs

Name	Description	Type	Default	Required
allowed_pattern	Regular expression used to validate the parameter value.	`string`	`null`	no
create	Whether to create SSM Parameter	`bool`	`true`	no
data_type	Data type of the parameter. Valid values: text, aws:ssm:integration and aws:ec2:image for AMI format.	`string`	`null`	no
description	Description of the parameter	`string`	`null`	no
ignore_value_changes	Whether to create SSM Parameter and ignore changes in value	`bool`	`false`	no
key_id	KMS key ID or ARN for encrypting a parameter (when type is SecureString)	`string`	`null`	no
name	Name of SSM parameter	`string`	`null`	no
secure_type	Whether the type of the value should be considered as secure or not?	`bool`	`false`	no
tags	A mapping of tags to assign to resources	`map(string)`	`{}`	no
tier	Parameter tier to assign to the parameter. If not specified, will use the default parameter tier for the region. Valid tiers are Standard, Advanced, and Intelligent-Tiering. Downgrading an Advanced tier parameter to Standard will recreate the resource.	`string`	`null`	no
type	Type of the parameter. Valid types are String, StringList and SecureString.	`string`	`null`	no
value	Value of the parameter	`string`	`null`	no
values	List of values of the parameter (will be jsonencoded to store as string natively in SSM)	`list(string)`	`[]`	no

Outputs

Name	Description
insecure_value	Insecure value of the parameter
raw_value	Raw value of the parameter (as it is stored in SSM). Use 'value' output to get jsondecode'd value
secure_type	Whether SSM parameter is a SecureString or not?
secure_value	Secure value of the parameter
ssm_parameter_arn	The ARN of the parameter
ssm_parameter_name	Name of the parameter
ssm_parameter_tags_all	All tags used for the parameter
ssm_parameter_type	Type of the parameter
ssm_parameter_version	Version of the parameter
value	Parameter value after jsondecode(). Probably this is what you are looking for

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.

Ignore changes to the Version when ignore_value_changes is set to True

✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

Versions

Module version [Required]: 1.1.0
Terraform version: Terraform v1.6.3
Provider version(s):

+ provider registry.terraform.io/hashicorp/aws v5.36.0
+ provider registry.terraform.io/hashicorp/null v3.2.2
+ provider registry.terraform.io/hashicorp/random v3.6.0

Reproduction Code [Required]

module "docker_image_ssm" {
  source  = "terraform-aws-modules/ssm-parameter/aws"
  version = "1.1.0"

  ignore_value_changes = true

  name  = "/docker_image"
  value = "REPLACE_ME"
}

Steps to reproduce the behavior:

Apply the above Terraform.
Modify the value of the SSM parameter manually.
Do a Terraform plan again and you will notice the following -

Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:
  # module.docker_image_ssm.aws_ssm_parameter.ignore_value[0] has changed
  ~ resource "aws_ssm_parameter" "ignore_value" {
        id             = "/docker_image"
      ~ insecure_value = "REPLACE_ME" -> "***.dkr.ecr.us-east-2.amazonaws.com/hello-02ca40c02"
        name           = "/docker_image"
        tags           = {}
      ~ version        = 1 -> 9
        # (5 unchanged attributes hidden)
    }
Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

Are you using workspaces?
Yes, we are using workspaces.

Expected behavior

No changes are detected from outside when the value is changed.

Actual behavior

Terraform is complaining that changes have been performed outside of Terraform.

terraform-aws-modules / terraform-aws-ssm-parameter Goto Github PK

terraform-aws-ssm-parameter's Introduction