# Get the default tags from the provider
# NOTE(review): this reads whatever default_tags the AWS provider was configured
# with; the locals below index the `env` and `ci` keys directly, and a missing
# key is a plan-time error — confirm both keys are set in the provider block.
data "aws_default_tags" "common" {}
locals {
  # SSM parameter path prefix "/<env>/<ci>", derived from the provider's
  # default tags so every parameter path follows the same convention.
  ssm_prefix = format("/%s/%s", data.aws_default_tags.common.tags.env, data.aws_default_tags.common.tags.ci)
}
`ignore_changes` in a `lifecycle` block does not prevent destroy; it only stops `terraform apply` from updating the ignored attribute (here, `value`).
Therefore, for parameters whose values are populated manually, it seems better to create the parameters manually too.
lifecycle {
  # Only suppresses in-place updates of `value`. Destroying or replacing the
  # whole parameter (for example after a change to `name` or `type`) is still
  # planned; `prevent_destroy = true` is the separate lifecycle argument that
  # guards against that.
  ignore_changes = [value]
}
modules/ssm/variables.tf
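variable "var_COUEnv" {
  # First segment of the SSM parameter path ("/<COUEnv>/<ci>/...") and the
  # value of the COUEnv tag on each parameter.
  description = "Environment name used as the first SSM path segment and as the COUEnv tag."
  type        = string
}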
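variable "var_ci" {
  # Second segment of the SSM parameter path and the value of the ci tag.
  description = "CI identifier used as the second SSM path segment and as the ci tag."
  type        = string
}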
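variable "ssm_param_g_client_id" {
  # Stored as a plain String parameter; Terraform keeps it in sync on apply.
  description = "Google account client id written to the g_client_id SSM parameter."
  type        = string
}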
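variable "ssm_param_g_client_secret" {
  # Initial value of the SecureString parameter; later changes to the stored
  # value are ignored by Terraform (see the resource's lifecycle block).
  description = "Initial Google account client secret for the g_client_secret SSM parameter."
  type        = string
  # Redacts the value from plan/apply output (Terraform >= 0.14). It is still
  # recorded in state, so the state backend must be protected accordingly.
  sensitive = true
}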
modules/ssm/outputs.tf
modules/ssm/ssm.tf
# Client id: fully managed by Terraform. There is deliberately no lifecycle
# block, so a changed var.ssm_param_g_client_id is applied on the next apply.
resource "aws_ssm_parameter" "g_client_id" {
  name        = "/${var.var_COUEnv}/${var.var_ci}/g_client_id"
  type        = "String"
  description = "Google account client id"
  value       = var.ssm_param_g_client_id

  tags = {
    COUEnv = var.var_COUEnv
    ci     = var.var_ci
  }
}
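# Client secret: Terraform only writes the initial value on create; the real
# secret is meant to be entered by hand afterwards and is then left alone.
resource "aws_ssm_parameter" "g_client_secret" {
  name        = "/${var.var_COUEnv}/${var.var_ci}/g_client_secret"
  description = "Google account client secret"
  type        = "SecureString"
  value       = var.ssm_param_g_client_secret

  lifecycle {
    # ignore_changes only stops in-place updates of `value`; it does not stop
    # the parameter (and the hand-entered secret) from being destroyed or
    # replaced, e.g. after a change to `name` or `type`. prevent_destroy makes
    # such a plan fail instead of silently dropping the secret; remove it
    # deliberately when the parameter really has to go.
    ignore_changes  = [value]
    prevent_destroy = true
  }

  tags = {
    COUEnv = var.var_COUEnv
    ci     = var.var_ci
  }
}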
E.g.: docrepo
<env>/main.tf
#LOCALS
locals {
  # Placeholder written as the initial value of SecureString parameters whose
  # `value` Terraform then ignores; the real secret is set by hand afterwards.
  # Until that happens, anything reading the parameter gets the literal
  # "changeit".
  changeit = "changeit"
}
#SSM
# Parameters created through the ssm module. An entry with an empty
# ignore_changes is fully managed by Terraform; an entry listing "value" is
# created with a placeholder and its value is then maintained by hand.
# NOTE(review): local.env and local.ci are not declared in the locals block
# above — presumably defined elsewhere in this root module; confirm.
module "ssm" {
  source = "../modules/ssm"
  parameters = [
    {
      ignore_changes = []
      name           = "/${local.env}/${local.ci}/terraform/oidc_ac_client_id"
      type           = "String"
      description    = "[Value managed by terraform] Authorization Code client id, for the front, eg: app"
      value          = "app"
    },
    {
      ignore_changes = []
      name           = "/${local.env}/${local.ci}/terraform/oidc_ac_scopes"
      type           = "String"
      description    = "[Value managed by terraform] Authorization Code scopes,for the front (separated by space), eg: 'defaultData_OpenID userData_OpenID'"
      value          = "defaultData_OpenID userData_OpenID"
    },
    {
      ignore_changes = []
      name           = "/${local.env}/${local.ci}/terraform/oidc_cc_client_id"
      type           = "String"
      description    = "[Value managed by terraform] OIDC Client Credentials ID, eg: app-lambda"
      value          = "app-lambda"
    },
    {
      ignore_changes = []
      name           = "/${local.env}/${local.ci}/terraform/oidc_cc_scopes"
      type           = "String"
      description    = "[Value managed by terraform] OIDC Client Credentials Scopes (separated by space), eg: openid"
      value          = "openid"
    },
    {
      # Secret: created with the placeholder, then set manually in SSM and
      # ignored by Terraform from then on (the module's second resource
      # carries `ignore_changes = [value]`). The placeholder, not the
      # secret, is what ends up in Terraform state.
      ignore_changes = ["value"]
      name           = "/${local.env}/${local.ci}/terraform/oidc_cc_secret"
      type           = "SecureString"
      description    = "[Terraform ignores value] OIDC Client Credentials Secret"
      value          = local.changeit
    }
  ]
}
modules/ssm/variables.tf
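variable "parameters" {
  description = "List of SSM parameters to create. ignore_changes must be empty (value managed by Terraform) or contain \"value\" (value maintained by hand after creation). Names must be unique."
  type = list(object({
    name           = string
    type           = string
    description    = string
    value          = string
    ignore_changes = list(string)
  }))
  default = []

  # The module's two resources select on ignore_changes being empty or
  # containing "value"; an entry with any other content would match neither
  # and silently not be created. Only "value" is actually honored.
  # (validation blocks and alltrue() need Terraform >= 0.13.)
  validation {
    condition     = alltrue([for p in var.parameters : length(p.ignore_changes) == 0 || contains(p.ignore_changes, "value")])
    error_message = "Each parameter's ignore_changes must be empty or contain \"value\"."
  }

  # Both resources key their for_each on name, so duplicates would collapse
  # into one parameter without warning.
  validation {
    condition     = length(distinct([for p in var.parameters : p.name])) == length(var.parameters)
    error_message = "Parameter names must be unique."
  }
}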
modules/ssm/outputs.tf
output "parameters" {
  # Exports only the Terraform-managed set (aws_ssm_parameter.parameter); the
  # parameter_ignore_value resource is not included. The map carries each
  # parameter's full attribute set, including `value`.
  # NOTE(review): the AWS provider treats aws_ssm_parameter.value as
  # sensitive — confirm for the provider version in use, and consider
  # `sensitive = true` or exporting only name/arn if callers need nothing more.
  value = aws_ssm_parameter.parameter
}
modules/ssm/ssm.tf
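#[1/2] Value managed by terraform
# Every parameter that does not ask to ignore `value` is created here, so an
# entry whose ignore_changes lists something else is still created (those
# other entries are not honored — this module only implements ignoring
# `value`) instead of matching neither resource and being silently skipped.
# For empty or ["value"] inputs the selected set is unchanged.
resource "aws_ssm_parameter" "parameter" {
  for_each = { for p in var.parameters : p.name => p if !contains(p.ignore_changes, "value") }

  name        = each.value.name
  type        = each.value.type
  description = each.value.description
  value       = each.value.value
}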
#[2/2] Terraform ignores value
# Parameters whose real value is entered by hand: Terraform writes
# each.value.value once on create (for a SecureString this is typically a
# placeholder) and afterwards leaves the stored value alone.
resource "aws_ssm_parameter" "parameter_ignore_value" {
  for_each = { for p in var.parameters : p.name => p if length(p.ignore_changes) > 0 && contains(p.ignore_changes, "value") }

  name        = each.value.name
  type        = each.value.type
  description = each.value.description
  value       = each.value.value

  lifecycle {
    # Suppresses in-place updates of `value` only. Destroy or replacement
    # (e.g. a changed `type`) still drops the hand-entered value;
    # `prevent_destroy = true` is the lifecycle argument that would block
    # that, at the cost of requiring an explicit two-step removal.
    ignore_changes = [value]
  }
}