Reputation: 39807
I have the following SSM resource:

```hcl
resource aws_ssm_parameter private_key {
  name      = var.name
  type      = "SecureString"
  value     = var.key
  overwrite = true
  tags      = var.tags
}
```
I have no control over what value of `var.key` is supplied, and it changes every time terraform runs. But I need to be able to prevent the value update based on some condition (say, a bool variable `var.overwrite_old_value`).

- I can't use the `overwrite =` property, because if it's set to `false` terraform will throw an exception attempting to overwrite the value.
- I can't use `lifecycle { ignore_changes = [...] }` because it requires static attribute values and doesn't accept variables, functions etc.

Is there a way to achieve this?
Upvotes: 2
Views: 2685
Reputation: 39807
Ok I figured out the way

```hcl
data aws_ssm_parameter private_key {
  count = var.overwrite_old_values ? 0 : 1
  name  = var.name
}

resource aws_ssm_parameter private_key {
  name      = var.name
  type      = "SecureString"
  value     = var.overwrite_old_values ? var.key : data.aws_ssm_parameter.private_key[0].value
  overwrite = true
  tags      = var.tags
}
```
If the flag is set to overwrite, I am assigning the new value, otherwise the value from the SSM parameter itself, using it as a data source (I had to add some additional checks so the data source isn't used before the parameter is created, but it works).
Upvotes: 4
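
An added example (not the answerer's code) of one way to supply the "additional checks" mentioned above, so the data source is not read before the parameter exists. `var.parameter_exists` is a hypothetical input, and `sensitive` and `one()` assume Terraform 0.15 or later.

```hcl
variable "name" {
  type = string
}

variable "key" {
  type      = string
  sensitive = true # keep the key out of plan and apply output
}

variable "tags" {
  type    = map(string)
  default = {}
}

variable "overwrite_old_values" {
  type    = bool
  default = false
}

# Hypothetical flag: set to false only on the run that first creates the parameter.
variable "parameter_exists" {
  type    = bool
  default = true
}

locals {
  # Read the stored value back only when it must be kept and already exists.
  keep_existing = !var.overwrite_old_values && var.parameter_exists
}

data "aws_ssm_parameter" "private_key" {
  count = local.keep_existing ? 1 : 0
  name  = var.name
}

resource "aws_ssm_parameter" "private_key" {
  name = var.name
  type = "SecureString"
  # one() yields null when the data source has count = 0, so no empty list is indexed.
  value     = local.keep_existing ? one(data.aws_ssm_parameter.private_key[*].value) : var.key
  overwrite = true
  tags      = var.tags
}
```

Either way the key is stored in the Terraform state, so the state backend needs the same access controls and encryption as the parameter itself.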
Reputation: 1698
This is not how terraform is intended to work, but you can achieve this behaviour by using the AWS API directly.
In this case, every time you run the plan you should input `var.key` and `var.overwrite`, which is the bool variable that tells terraform if the script to update the key needs to be executed.

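```hcl
resource "null_resource" "update_private_key" {
  count = var.overwrite ? 1 : 0

  provisioner "local-exec" {
    # Pass the key through the environment (POSIX shell assumed) and quote it,
    # so the shell does not split or interpret its contents.
    command = "aws ssm put-parameter --name \"mykey\" --type \"SecureString\" --value \"$KEY\" --overwrite"
    environment = {
      KEY = var.key
    }
  }
}
```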
Upvotes: 3