xtrc

Reputation: 87

Retrieve a secret in terraform from aws secret manager using workspaces

I'm trying to retrieve a secret from AWS Secret Manager using the following line of code:

"${terraform.workspace}.PROJECT_KEY"   = "${jsondecode(data.aws_secretsmanager_secret_version.take-sm-store-version.secret_string)["${terraform.workspace}.PROJECT_KEY"]}"

When I run terraform plan I can see the environment variable is correctly translated:

  ~ environment {
      ~ variables = {
            "ENVIRONMENT"          = "test"
          + "test.PROJECT_KEY" = "example_key_test"

However, when I run terraform apply I'm met with the following error:

Error: Error modifying Lambda Function Configuration example-function-test: ValidationException: 
        status code: 400, request id: ae52d9bc-819e-4a45-ba0d-a5b4e4de9516

Is there another way I could handle this? I have three workspaces (dev/acc/prod) so I was hoping this way I could have one resource (Lambda function) with the environment variables set based on the current workspace.

Upvotes: 1

Views: 1018

Answers (1)

ydaetskcoR

Reputation: 56839

Environment variables can't contain periods. You can test this locally by running export foo.bar=baz in a shell:

bash: export: `foo.bar=baz': not a valid identifier

The Lambda API docs show that the allowed characters are [a-zA-Z]([a-zA-Z0-9_])+.

Ideally this would have been validated by the aws_lambda_function resource itself so that this error was displayed at plan or validate time, but unfortunately it's missing a ValidateFunc helper on this part of the schema.

I've raised this pull request to add support for plan time validation.

Upvotes: 4
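Since the provider does not validate the names itself, one way to keep the workspace-qualified key for the lookup inside the secret's JSON while giving the Lambda variable a legal name, and to reject bad names at plan time with a lifecycle precondition (Terraform 1.2 or later), is shown below. This is an added example, not code from the question or the answer; the secret id "example/app", the role ARN, handler, runtime and zip filename are placeholders.

```hcl
# Added example (not from the question or answer). Assumes the secret
# "example/app" holds JSON with keys such as "test.PROJECT_KEY";
# role, handler, runtime and filename below are placeholders.
data "aws_secretsmanager_secret_version" "take-sm-store-version" {
  secret_id = "example/app"
}

locals {
  secrets = jsondecode(data.aws_secretsmanager_secret_version.take-sm-store-version.secret_string)

  # The period stays in the JSON key used for the lookup, but the Lambda
  # variable itself gets a name without one.
  lambda_env = {
    ENVIRONMENT = terraform.workspace
    PROJECT_KEY = local.secrets["${terraform.workspace}.PROJECT_KEY"]
  }

  # Allowed variable-name pattern quoted in the answer above.
  env_name_pattern = "^[a-zA-Z][a-zA-Z0-9_]+$"

  # Every variable name that does not match the pattern.
  invalid_env_names = [
    for k in keys(local.lambda_env) : k
    if length(regexall(local.env_name_pattern, k)) == 0
  ]
}

resource "aws_lambda_function" "example" {
  function_name = "example-function-${terraform.workspace}"
  role          = "arn:aws:iam::123456789012:role/example-lambda-role" # placeholder
  handler       = "index.handler"
  runtime       = "python3.9"
  filename      = "lambda.zip"

  environment {
    variables = local.lambda_env
  }

  # Fails during plan instead of surfacing as a ValidationException at apply.
  lifecycle {
    precondition {
      condition     = length(local.invalid_env_names) == 0
      error_message = "Invalid Lambda environment variable name(s): ${join(", ", local.invalid_env_names)}"
    }
  }
}
```

Putting "${terraform.workspace}.PROJECT_KEY" back into the `lambda_env` map makes the precondition fail at `terraform plan` with the offending name listed.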