Reputation: 8088
Terraform aws_ssm_parameter null/empty with ignore_changes
I have a Terraform config that looks like this:
resource "random_string" "foo" {
length = 31
special = false
}
resource "aws_ssm_parameter" "bar" {
name = "baz"
type = "SecureString"
value = random_string.foo.result
lifecycle {
ignore_changes = [value]
}
}
The idea is that on the first terraform apply the bar resource will be stored in baz in SSM based on the value of foo, and then on subsequent calls to apply I'll be able to reference aws_ssm_parameter.bar.value, however what I see is that it works on the first run, stores the newly created random value, and then on subsequent runs aws_ssm_parameter.bar.value is empty.
If I create a aws_ssm_parameter data source that can pull the value correctly, but it doesn't work on the first apply when it doesn't exist yet. How can I modify this config so I can get the value stored in baz in SSM and work for creating the value in the same config?
Upvotes: 6
Views: 5118
Answers (2)
Reputation: 8088
Oh, I forgot about this question, but turns out I did figure out the problem.
The issue was that I was creating the ssm parameter inside a module that was being used in another module. The problem was because I didn't output anything related to this parameter, so it seemed to get dropped from state by Terraform on subsequent replans after it was created. Exposing it as output on the module fixed the issue.
Upvotes: 0
Reputation:
(Sorry not enough karma to comment)
To fix the chicken-egg problem, you could add depends_on = [aws_ssm_parameter.bar] to a data resource, but this introduces some awkwardness (especially if you need to call destroy often in your workflow). It's not particularly recommended (see here).
It doesn't really make sense that it's returning empty, though, so I wonder if you've hit a different bug. Does the value actually get posted to SSM (i.e. can you see it when you run aws ssm get-paramter ...)?
Edit- I just tested your example code above with:
output "bar" {
value = aws_ssm_parameter.bar.value
}
and it seems to work fine. Maybe you need to update tf or plugins?
Upvotes: 0
Related Questions
- Terraform - Optional SSM parameter lookup
- Conditionally ignore resource update
- Terraform - Access SSM Parameter Store Value Access
- How to create/overwrite a parameter in AWS Parameter Store only if it does not exist?
- Optional variable in Terraform is not ignored when the value is null
- How to create AWS SSM Parameter from Terraform
- Terraform: Issue while reading value from aws ssm parameter store
- AWS SSM as a valueFrom for task in Terraform not working
- Terraform AWS SSM Parameter with multiple values
- How to hide terraform aws_ssm_parameter values