terraform-aws-ssm-parameters
Create AWS SSM Parameter Store parameters with a Terraform module. The creation/deletion (schema) is managed with Terraform, and the values should be maintained via AWS Console.
To manage AWS SSM Parameters values programatically, use unfor19/parzival - "A CLI that can get/set more than 10 SSM Parameters by path in a single command."
Usage
module "app_params" {
source = "unfor19/ssm-parameters/aws"
version = "0.0.2"
prefix = "/myapp/dev/"
string_parameters = [
"LOG_LEVEL",
]
securestring_parameters = [
"GOOGLE_CLIENT_ID",
"GOOGLE_CLIENT_SECRET"
]
}Requirements
| Name | Version |
|---|---|
| terraform | >= 0.12.31 |
| aws | >= 3.38 |
Providers
| Name | Version |
|---|---|
| aws | >= 3.38 |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| key_id | When using SecureString, use a specific KMS key | string |
"alias/aws/ssm" |
no |
| overwrite | DANGEROUS Overwrites parameter if exists, use carefully | bool |
false |
no |
| prefix | Set a prefix to all variables, for example: /myapp/dev/ |
string |
"" |
no |
| securestring_initial_value | Initial value for SecureString(s) | string |
"empty" |
no |
| securestring_parameters | List of SecureString(s) | list(string) |
[] |
no |
| securestring_tier | Valid values: Standard, Advanced and Intelligent-Tiering |
string |
"Standard" |
no |
| string_initial_value | Initial value for String(s) | string |
"empty" |
no |
| string_parameters | List of String(s) | list(string) |
[] |
no |
| string_tier | Valid values: Standard, Advanced and Intelligent-Tiering |
string |
"Standard" |
no |
| stringlist_initial_value | Initial value for StringList(s) | string |
"empty" |
no |
| stringlist_parameters | List of StringList(s) | list(string) |
[] |
no |
| stringlist_tier | Valid values: Standard, Advanced and Intelligent-Tiering |
string |
"Standard" |
no |
Outputs
| Name | Description |
|---|---|
| securestring_arns | List of SecureString ARNs |
| securestring_names | List of SecureString names |
| string_arns | List of String ARNs |
| string_names | List of String names |
| stringlist_arns | List of StringList ARNs |
| stringlist_names | List of StringList names |
Troubleshooting
-
ParameterAlreadyExists - to overcome this error, you'll have to pass the
overwrite = truevariable. This also means that the current values will be overwritten with the dummy initial valueempty. This is very dangerous and should be used with cautious.Error: error updating SSM parameter (/myapp/dev/GOOGLE_CLIENT_ID): ParameterAlreadyExists: Parameter /myapp/dev/GOOGLE_CLIENT_ID already exists.
Local Development
Expand/Collapse
For local development, we'll use the following services
- localstack - A fully functional local cloud (AWS) stack
- unfor19/tfcoding - Triggers a whole terraform pipeline of
terraform initandterraform fmtandterraform applyupon changing the file examples/basic/tfcoding.tf
Requirements
Development Process
Run tfcoding and localstack locally with docker-compose
make up-localstack-awsMake changes in examples/basic/tfcoding.tf and save the file
Check the logs of the tfcoding Docker container
# ... omitted for brevity
tfcoding-aws | Outputs:
tfcoding-aws |
tfcoding-aws | securestring_arns = [
tfcoding-aws | "arn:aws:ssm:us-east-1:000000000000:parameter/myapp/dev/GOOGLE_CLIENT_ID",
tfcoding-aws | "arn:aws:ssm:us-east-1:000000000000:parameter/myapp/dev/GOOGLE_CLIENT_SECRET",
tfcoding-aws | ]
tfcoding-aws | securestring_names = [
tfcoding-aws | "/myapp/dev/GOOGLE_CLIENT_ID",
tfcoding-aws | "/myapp/dev/GOOGLE_CLIENT_SECRET",
tfcoding-aws | ]
tfcoding-aws | string_arns = [
tfcoding-aws | "arn:aws:ssm:us-east-1:000000000000:parameter/myapp/dev/LOG_LEVEL",
tfcoding-aws | ]
tfcoding-aws | string_names = [
tfcoding-aws | "/myapp/dev/LOG_LEVEL",
tfcoding-aws | ]
tfcoding-aws | stringlist_arns = []
tfcoding-aws | stringlist_names = []Test Suite
Execute the script scripts/tests.sh
make testExamine the output
... # omitted for brevity
Outputs:
securestring_arns = [
"arn:aws:ssm:us-east-1:000000000000:parameter/myapp/dev/GOOGLE_CLIENT_ID",
"arn:aws:ssm:us-east-1:000000000000:parameter/myapp/dev/GOOGLE_CLIENT_SECRET",
]
securestring_names = [
"/myapp/dev/GOOGLE_CLIENT_ID",
"/myapp/dev/GOOGLE_CLIENT_SECRET",
]
string_arns = [
"arn:aws:ssm:us-east-1:000000000000:parameter/myapp/dev/LOG_LEVEL",
]
string_names = [
"/myapp/dev/LOG_LEVEL",
]
stringlist_arns = []
stringlist_names = []
\e[92m[SUCCESS]\e[0m Test passed as expectedNOTE: \e[92m]...\e[0m] is colorizing the text in CI/CD services logs such as GitHub Actions
Contributing
Report issues/questions/feature requests on the Issues section.
Pull requests are welcome! These are the steps:
- Fork this repo
- Create your feature branch from master (
git checkout -b my-new-feature) - Add the code of your new feature; expand the above Local Development section to learn how
- Run tests on your code, feel free to add more tests
make test ... # All good? Move on to the next step
- Commit your remarkable changes (
git commit -am 'Added new feature') - Push to the branch (
git push --set-up-stream origin my-new-feature) - Create a new Pull Request and provide details about your changes
Authors
Created and maintained by Meir Gabay
License
This project is licensed under the MIT License - see the LICENSE file for details