ssm (terraform)

Remarks

Default tags

# Get the default tags from the provider

data "aws_default_tags" "common" {}

locals {

  ssm_prefix = "/${data.aws_default_tags.common.tags.env}/${data.aws_default_tags.common.tags.ci}"

}

Lifecycle

The lifecycle ignore_changes doesn't prevent destroy (it only prevents the value being updated by Terraform apply).

Therefore, for parameters to be populated manually, it seems better to create the parameters manually too.

  lifecycle {

    ignore_changes = [value]

  }

Sample: Parameter String/SecureString & lifecycle

modules/ssm/variables.tf

variable "var_COUEnv" {}

variable "var_ci" {}

variable "ssm_param_g_client_id" {}

variable "ssm_param_g_client_secret" {}

modules/ssm/outputs.tf

modules/ssm/ssm.tf

resource "aws_ssm_parameter" "g_client_id" {

  name        = "/${var.var_COUEnv}/${var.var_ci}/g_client_id"

  description = "Google account client id"

  type        = "String"

  value       = var.ssm_param_g_client_id

  lifecycle {

    # W/out lifecycle

  }

  tags = {

    COUEnv = var.var_COUEnv

    ci = var.var_ci

  }

}

resource "aws_ssm_parameter" "g_client_secret" {

  name        = "/${var.var_COUEnv}/${var.var_ci}/g_client_secret"

  description = "Google account client secret"

  type        = "SecureString"

  value       = var.ssm_param_g_client_secret

  lifecycle {

    # Warning: it doesn't prevent destroy

    ignore_changes = [value]

  }

  tags = {

    COUEnv = var.var_COUEnv

    ci = var.var_ci

  }

}