From bfbb01e08bf7e7e957e2a49ad5fd804b8148571f Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Mon, 20 May 2024 14:57:28 +0900 Subject: [PATCH] Update ssm-parameter-store modules --- .../README.md | 18 ++--- .../ssm-parameter-store-parameter-set/main.tf | 69 +++---------------- .../outputs.tf | 6 +- .../variables.tf | 39 ++++++----- .../versions.tf | 4 +- .../ssm-parameter-store-parameter/README.md | 8 +-- modules/ssm-parameter-store-parameter/main.tf | 10 ++- .../variables.tf | 8 ++- .../ssm-parameter-store-parameter/versions.tf | 4 +- .../ssm-parameter-store-settings/README.md | 6 +- .../ssm-parameter-store-settings/versions.tf | 4 +- 11 files changed, 61 insertions(+), 115 deletions(-) diff --git a/modules/ssm-parameter-store-parameter-set/README.md b/modules/ssm-parameter-store-parameter-set/README.md index 9a922f8..f96eaa1 100644 --- a/modules/ssm-parameter-store-parameter-set/README.md +++ b/modules/ssm-parameter-store-parameter-set/README.md 
@@ -9,36 +9,32 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.22 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.43 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 5.19.0 | +No providers. ## Modules | Name | Source | Version | |------|--------|---------| | [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | +| [this](#module\_this) | ../ssm-parameter-store-parameter | n/a | ## Resources -| Name | Type | -|------|------| -| [aws_ssm_parameter.self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | -| [aws_ssm_parameter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +No resources. ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [parameters](#input\_parameters) | (Required) A list of parameters to manage in the parameter set. Each value of `parameters` block as defined below.
(Required) `name` - The name of the parameter. This is concatenated with the `path` of the parameter set for the id. The name should begin with slash (/) and end without trailing slash.
(Optional) `description` - The description of the parameter.
(Optional) `tier` - The parameter tier to assign to the parameter. Valid values are `STANDARD`, `ADVANCED` or `INTELLIGENT_TIERING`.
(Optional) `type` - The intended type of the parameter. Valid values are `STRING`, `STRING_LIST`. Not support `SECURE_STRING`.
(Optional) `data_type` - The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ec2:image` for AMI format.
(Optional) `allowed_pattern` - A regular expression used to validate the parameter value.
(Required) `value` - The value of the parameter. | `list(map(string))` | n/a | yes | +| [parameters](#input\_parameters) | (Required) A list of parameters to manage in the parameter set. Each value of `parameters` block as defined below.
(Required) `name` - The name of the parameter. This is concatenated with the `path` of the parameter set for the id. The name should begin with slash (/) and end without trailing slash.
(Optional) `description` - The description of the parameter.
(Optional) `tier` - The parameter tier to assign to the parameter. Valid values are `STANDARD`, `ADVANCED` or `INTELLIGENT_TIERING`.
(Optional) `type` - The intended type of the parameter. Valid values are `STRING`, `STRING_LIST`. Not support `SECURE_STRING`.
(Optional) `data_type` - The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format.
(Optional) `allowed_pattern` - A regular expression used to validate the parameter value.
(Required) `value` - The value of the parameter. |
list(object({
name = string
description = optional(string)
tier = optional(string)
type = optional(string)
data_type = optional(string)
allowed_pattern = optional(string)
value = string
}))
| n/a | yes | | [path](#input\_path) | (Required) A path used for the prefix of each parameter name created by this parameter set. The path should begin with slash (/) and end without trailing slash. | `string` | n/a | yes | | [allowed\_pattern](#input\_allowed\_pattern) | (Optional) The default regular expression used to validate each parameter value in the parameter set. This is only used when a specific pattern for the parameter is not provided. For example, for `STRING` types with values restricted to numbers, you can specify `^d+$`. | `string` | `""` | no | -| [data\_type](#input\_data\_type) | (Optional) The default data type of parameters in the parameter set. Only required when `type` is `STRING`. This is only used when a specific data type of the parameter is not provided. Valid values are `text`, `aws:ec2:image` for AMI format. Defaults to `text`. | `string` | `"text"` | no | +| [data\_type](#input\_data\_type) | (Optional) The default data type of parameters in the parameter set. Only required when `type` is `STRING`. This is only used when a specific data type of the parameter is not provided. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format. Defaults to `text`. `aws:ssm:integration` data\_type parameters must be of the type `SECURE_STRING` and the name must start with the prefix `/d9d01087-4a3f-49e0-b0b4-d568d7826553/ssm/integrations/webhook/`. | `string` | `"text"` | no | | [description](#input\_description) | (Optional) The default description of parameters in the parameter set. This is only used when a specific description of the parameter is not provided. | `string` | `"Managed by Terraform."` | no | | [ignore\_value\_changes](#input\_ignore\_value\_changes) | (Optional) Whether to manage the parameter value with Terraform. Ignore changes of `value` or `secret_value` if true. Defaults to `false`. 
| `bool` | `false` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | diff --git a/modules/ssm-parameter-store-parameter-set/main.tf b/modules/ssm-parameter-store-parameter-set/main.tf index eba8d2c..cb364d6 100644 --- a/modules/ssm-parameter-store-parameter-set/main.tf +++ b/modules/ssm-parameter-store-parameter-set/main.tf 
@@ -14,72 +14,32 @@ locals { } : {} } -locals { - types = { - "STRING" = "String" - "STRING_LIST" = "StringList" - "SECURE_STRING" = "SecureString" - } - tiers = { - "STANDARD" = "Standard" - "ADVANCED" = "Advanced" - "INTELLIGENT_TIERING" = "Intelligent-Tiering" - } -} - ################################################### # Parameter on Systems Manager Parameter Store ################################################### -resource "aws_ssm_parameter" "this" { +module "this" { for_each = { for parameter in var.parameters : parameter.name => parameter - if !var.ignore_value_changes } - name = join("", [var.path, each.key]) - description = try(each.value.description, var.description) - tier = local.tiers[try(each.value.tier, var.tier)] - - type = local.types[try(each.value.type, var.type)] - data_type = try(each.value.data_type, var.data_type) - allowed_pattern = try(each.value.allowed_pattern, var.allowed_pattern) - - insecure_value = each.value.value - - # BUG: https://github.com/hashicorp/terraform-provider-aws/issues/25335 - overwrite = true - - tags = merge( - { - "Name" = join("", [var.path, each.key]) - }, - local.module_tags, - var.tags, - ) -} - -resource "aws_ssm_parameter" "self" { - for_each = { - for parameter in var.parameters : - parameter.name => parameter - if var.ignore_value_changes - } + source = "../ssm-parameter-store-parameter" name = join("", [var.path, each.key]) - description = try(each.value.description, var.description) - tier = local.tiers[try(each.value.tier, var.tier)] + description = coalesce(each.value.description, var.description) + tier = coalesce(each.value.tier, var.tier) - type = local.types[try(each.value.type, var.type)] - data_type = try(each.value.data_type, var.data_type) - allowed_pattern = try(each.value.allowed_pattern, var.allowed_pattern) + type = coalesce(each.value.type, var.type) + data_type = coalesce(each.value.data_type, var.data_type) + allowed_pattern = coalesce(each.value.allowed_pattern, var.allowed_pattern) - 
insecure_value = each.value.value + ignore_value_changes = var.ignore_value_changes + value = each.value.value - # BUG: https://github.com/hashicorp/terraform-provider-aws/issues/25335 - overwrite = true + resource_group_enabled = false + module_tags_enabled = false tags = merge( { @@ -88,11 +48,4 @@ resource "aws_ssm_parameter" "self" { local.module_tags, var.tags, ) - - lifecycle { - ignore_changes = [ - value, - insecure_value, - ] - } } diff --git a/modules/ssm-parameter-store-parameter-set/outputs.tf b/modules/ssm-parameter-store-parameter-set/outputs.tf index bc21032..1988394 100644 --- a/modules/ssm-parameter-store-parameter-set/outputs.tf +++ b/modules/ssm-parameter-store-parameter-set/outputs.tf @@ -1,7 +1,3 @@ -locals { - parameter_set = var.ignore_value_changes ? aws_ssm_parameter.self : aws_ssm_parameter.this -} - output "path" { description = "The path used for the prefix of each parameter names managed by this parameter set." value = var.path @@ -10,7 +6,7 @@ output "path" { output "parameters" { description = "The list of parameters in the parameter set." value = { - for name, parameter in local.parameter_set : + for name, parameter in module.this : name => { id = parameter.id arn = parameter.arn diff --git a/modules/ssm-parameter-store-parameter-set/variables.tf b/modules/ssm-parameter-store-parameter-set/variables.tf index a4fe854..f65513c 100644 --- a/modules/ssm-parameter-store-parameter-set/variables.tf +++ b/modules/ssm-parameter-store-parameter-set/variables.tf @@ -1,6 +1,7 @@ variable "path" { description = "(Required) A path used for the prefix of each parameter name created by this parameter set. The path should begin with slash (/) and end without trailing slash." type = string + nullable = false validation { condition = alltrue([ 
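Review bot: In the new `module "this"` block, `allowed_pattern = coalesce(each.value.allowed_pattern, var.allowed_pattern)` fails at plan time for every parameter that sets no pattern of its own, because `var.allowed_pattern` defaults to `""` (see the README hunk) and `coalesce` returns an error rather than `""` when all of its arguments are null or empty strings. The `try(...)` it replaces passed the empty string through to the provider. A null check keeps the old behaviour: `allowed_pattern = each.value.allowed_pattern != null ? each.value.allowed_pattern : var.allowed_pattern`. The same trap applies to `tier = coalesce(each.value.tier, var.tier)` if the set module's `var.tier` can be null; its declaration is outside this diff. The `module "this"` body continues past the end of the hunk.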
@@ -43,14 +44,14 @@ variable "type" { } variable "data_type" { - description = "(Optional) The default data type of parameters in the parameter set. Only required when `type` is `STRING`. This is only used when a specific data type of the parameter is not provided. Valid values are `text`, `aws:ec2:image` for AMI format. Defaults to `text`." + description = "(Optional) The default data type of parameters in the parameter set. Only required when `type` is `STRING`. This is only used when a specific data type of the parameter is not provided. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format. Defaults to `text`. `aws:ssm:integration` data_type parameters must be of the type `SECURE_STRING` and the name must start with the prefix `/d9d01087-4a3f-49e0-b0b4-d568d7826553/ssm/integrations/webhook/`." type = string default = "text" nullable = false validation { - condition = contains(["text", "aws:ec2:image"], var.data_type) - error_message = "Valid values are `text`, `aws:ec2:image`." + condition = contains(["text", "aws:ssm:integration", "aws:ec2:image"], var.data_type) + error_message = "Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image`." } } 
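Review bot: Adding `aws:ssm:integration` to the accepted values of `data_type` in this module is contradictory: the same description says that data type requires `SECURE_STRING`, but the set module's `parameters` validation rejects `SECURE_STRING` ("Not support `SECURE_STRING`"), so a parameter with this data type can never be created through this module and a mistake surfaces only as an API error at apply time instead of at validation. The same membership-only lists are added in the `variable "parameters"` hunks below. Unless `SECURE_STRING` support is planned for the set module, keep its list at `condition = contains(["text", "aws:ec2:image"], var.data_type)` with a matching `error_message`, or at least state in the description that the value is not usable from this module.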
@@ -68,12 +69,20 @@ variable "parameters" { (Optional) `description` - The description of the parameter. (Optional) `tier` - The parameter tier to assign to the parameter. Valid values are `STANDARD`, `ADVANCED` or `INTELLIGENT_TIERING`. (Optional) `type` - The intended type of the parameter. Valid values are `STRING`, `STRING_LIST`. Not support `SECURE_STRING`. - (Optional) `data_type` - The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ec2:image` for AMI format. + (Optional) `data_type` - The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format. (Optional) `allowed_pattern` - A regular expression used to validate the parameter value. (Required) `value` - The value of the parameter. EOF - type = list(map(string)) - nullable = false + type = list(object({ + name = string + description = optional(string) + tier = optional(string) + type = optional(string) + data_type = optional(string) + allowed_pattern = optional(string) + value = string + })) + nullable = false validation { condition = alltrue([ @@ -90,7 +99,7 @@ variable "parameters" { condition = alltrue([ for parameter in var.parameters : contains(["STANDARD", "ADVANCED", "INTELLIGENT_TIERING"], parameter.tier) - if try(parameter.tier, null) != null + if parameter.tier != null ]) error_message = "Valid values are `STANDARD`, `ADVANCED` or `INTELLIGENT_TIERING`." } @@ -99,7 +108,7 @@ variable "parameters" { condition = alltrue([ for parameter in var.parameters : contains(["STRING", "STRING_LIST"], parameter.type) - if try(parameter.type, null) != null + if parameter.type != null ]) error_message = "Valid values are `STRING`, `STRING_LIST`. Not support `SECURE_STRING`." } 
@@ -107,18 +116,10 @@ variable "parameters" { validation { condition = alltrue([ for parameter in var.parameters : - contains(["text", "aws:ec2:image"], parameter.data_type) - if try(parameter.data_type, null) != null - ]) - error_message = "Valid values are `text`, `aws:ec2:image`." - } - - validation { - condition = alltrue([ - for parameter in var.parameters : - can(parameter.value) + contains(["text", "aws:ssm:integration", "aws:ec2:image"], parameter.data_type) + if parameter.data_type != null ]) - error_message = "The value for `value` is required." + error_message = "Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image`." } } diff --git a/modules/ssm-parameter-store-parameter-set/versions.tf b/modules/ssm-parameter-store-parameter-set/versions.tf index 16131a3..ebaffa6 100644 --- a/modules/ssm-parameter-store-parameter-set/versions.tf +++ b/modules/ssm-parameter-store-parameter-set/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.5" + required_version = ">= 1.6" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.22" + version = ">= 5.43" } } } diff --git a/modules/ssm-parameter-store-parameter/README.md b/modules/ssm-parameter-store-parameter/README.md index 604d650..5c09528 100644 --- a/modules/ssm-parameter-store-parameter/README.md +++ b/modules/ssm-parameter-store-parameter/README.md @@ -9,14 +9,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.22 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.43 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.50.0 | ## Modules 
@@ -37,7 +37,7 @@ This module creates following resources. |------|-------------|------|---------|:--------:| | [name](#input\_name) | (Required) Friendly name of the new parameter. If the name contains a path (e.g., any forward slashes (/)), it must be fully qualified with a leading forward slash (/). | `string` | n/a | yes | | [allowed\_pattern](#input\_allowed\_pattern) | (Optional) A regular expression used to validate the parameter value. For example, for `STRING` types with values restricted to numbers, you can specify `^d+$`. | `string` | `""` | no | -| [data\_type](#input\_data\_type) | (Optional) The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ec2:image` for AMI format. Defaults to `text`. | `string` | `"text"` | no | +| [data\_type](#input\_data\_type) | (Optional) The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format. Defaults to `text`. `aws:ssm:integration` data\_type parameters must be of the type `SECURE_STRING` and the name must start with the prefix `/d9d01087-4a3f-49e0-b0b4-d568d7826553/ssm/integrations/webhook/`. | `string` | `"text"` | no | | [description](#input\_description) | (Optional) The description of the parameter. | `string` | `"Managed by Terraform."` | no | | [ignore\_value\_changes](#input\_ignore\_value\_changes) | (Optional) Whether to manage the parameter value with Terraform. Ignore changes of `value` or `secret_value` if true. Defaults to `false`. | `bool` | `false` | no | | [kms\_key](#input\_kms\_key) | (Optional) The ARN or ID of the AWS KMS key to be used to encrypt the parameter value with `SECURE_STRING` type. If you don't specify this value, then Parameter Store defaults to using the AWS account's default KMS key named `aws/ssm`. If the default KMS key with that name doesn't yet exist, then AWS Parameter Store creates it for you automatically the first time. 
| `string` | `null` | no | diff --git a/modules/ssm-parameter-store-parameter/main.tf b/modules/ssm-parameter-store-parameter/main.tf index 23d286f..c63994e 100644 --- a/modules/ssm-parameter-store-parameter/main.tf +++ b/modules/ssm-parameter-store-parameter/main.tf @@ -32,6 +32,8 @@ locals { # Parameter on Systems Manager Parameter Store ################################################### +# INFO: Deprecated attributes +# - `overwrite` resource "aws_ssm_parameter" "this" { count = var.ignore_value_changes ? 0 : 1 @@ -46,9 +48,6 @@ resource "aws_ssm_parameter" "this" { insecure_value = var.type == "SECURE_STRING" ? null : var.value value = var.type == "SECURE_STRING" ? var.secret_value : null - # BUG: https://github.com/hashicorp/terraform-provider-aws/issues/25335 - overwrite = true - ## Encryption key_id = var.type == "SECURE_STRING" ? var.kms_key : null @@ -62,6 +61,8 @@ resource "aws_ssm_parameter" "this" { ) } +# INFO: Deprecated attributes +# - `overwrite` resource "aws_ssm_parameter" "self" { count = var.ignore_value_changes ? 1 : 0 @@ -76,9 +77,6 @@ resource "aws_ssm_parameter" "self" { insecure_value = var.type == "SECURE_STRING" ? null : var.value value = var.type == "SECURE_STRING" ? var.secret_value : null - # BUG: https://github.com/hashicorp/terraform-provider-aws/issues/25335 - overwrite = true - ## Encryption key_id = var.type == "SECURE_STRING" ? var.kms_key : null diff --git a/modules/ssm-parameter-store-parameter/variables.tf b/modules/ssm-parameter-store-parameter/variables.tf index e2c7adc..1ac05ff 100644 --- a/modules/ssm-parameter-store-parameter/variables.tf +++ b/modules/ssm-parameter-store-parameter/variables.tf @@ -1,6 +1,7 @@ variable "name" { description = "(Required) Friendly name of the new parameter. If the name contains a path (e.g., any forward slashes (/)), it must be fully qualified with a leading forward slash (/)." type = string + nullable = false } variable "description" { 
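Review bot: The new `# INFO: Deprecated attributes` comments above `aws_ssm_parameter.this` and `aws_ssm_parameter.self` record that `overwrite` is deprecated but not what dropping `overwrite = true` changes for users. Without it, creating a parameter whose name already exists in the account presumably fails instead of silently replacing the existing value — the safer outcome for a secret-bearing resource, but out-of-band parameters now have to be imported rather than adopted on the first apply. I would state that in the comment, e.g. `# \`overwrite\` is deprecated in provider 5.x and no longer set; a pre-existing parameter with the same name is not replaced on create — import it instead.` Both resource bodies extend beyond their hunks.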
@@ -14,6 +15,7 @@ variable "tier" { description = "(Optional) The parameter tier to assign to the parameter. If not specified, will use the default parameter tier for the region. Valid values are `STANDARD`, `ADVANCED` or `INTELLIGENT_TIERING`." type = string default = null + nullable = true validation { condition = (var.tier != null @@ -37,14 +39,14 @@ variable "type" { } variable "data_type" { - description = "(Optional) The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ec2:image` for AMI format. Defaults to `text`." + description = "(Optional) The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format. Defaults to `text`. `aws:ssm:integration` data_type parameters must be of the type `SECURE_STRING` and the name must start with the prefix `/d9d01087-4a3f-49e0-b0b4-d568d7826553/ssm/integrations/webhook/`." type = string default = "text" nullable = false validation { - condition = contains(["text", "aws:ec2:image"], var.data_type) - error_message = "Valid values are `text`, `aws:ec2:image`." + condition = contains(["text", "aws:ssm:integration", "aws:ec2:image"], var.data_type) + error_message = "Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image`." } } diff --git a/modules/ssm-parameter-store-parameter/versions.tf b/modules/ssm-parameter-store-parameter/versions.tf index 16131a3..ebaffa6 100644 --- a/modules/ssm-parameter-store-parameter/versions.tf +++ b/modules/ssm-parameter-store-parameter/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.5" + required_version = ">= 1.6" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.22" + version = ">= 5.43" } } } diff --git a/modules/ssm-parameter-store-settings/README.md b/modules/ssm-parameter-store-settings/README.md index e014a84..cf77240 100644 --- a/modules/ssm-parameter-store-settings/README.md 
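Review bot: `nullable = true` added to `variable "tier"` is the default for every variable, and with `default = null` on the line above it carries no information; the validation below already handles the null case (`var.tier != null`). If the intent is to flag that null is deliberately accepted, a comment such as `# null = use the region's default tier` says so more clearly than restating the default. The `variable "tier"` block continues beyond the hunk.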
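Review bot: The new `validation` on `data_type` only checks membership, while the description it sits under states two further requirements for `aws:ssm:integration` — `type` must be `SECURE_STRING` and `name` must start with `/d9d01087-4a3f-49e0-b0b4-d568d7826553/ssm/integrations/webhook/` — that nothing in this module enforces, so a misconfiguration surfaces only as an API error at apply time. A `validation` block cannot reference `var.type` or `var.name` before Terraform 1.9, and versions.tf now pins `>= 1.6`, so the check belongs in a `lifecycle { precondition { ... } }` on `aws_ssm_parameter.this` and `aws_ssm_parameter.self` in main.tf, with `condition = var.data_type != "aws:ssm:integration" || (var.type == "SECURE_STRING" && startswith(var.name, "/d9d01087-4a3f-49e0-b0b4-d568d7826553/ssm/integrations/webhook/"))` and an `error_message` repeating the two requirements. The `variable "data_type"` block is complete within the hunk.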
+++ b/modules/ssm-parameter-store-settings/README.md @@ -9,14 +9,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.22 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.43 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.50.0 | ## Modules diff --git a/modules/ssm-parameter-store-settings/versions.tf b/modules/ssm-parameter-store-settings/versions.tf index 16131a3..ebaffa6 100644 --- a/modules/ssm-parameter-store-settings/versions.tf +++ b/modules/ssm-parameter-store-settings/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.5" + required_version = ">= 1.6" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.22" + version = ">= 5.43" } } }