Hi
I have a load of ECS services to build and they have similar configs, but some of them need different, optional AWS Secrets added to the task definition templates and, more importantly, to the IAM Task Execution policy.
I was trying to keep it DRY and use:
"%{if example_credential_required }aws_secretsmanager_secret.example_credentials[each.value].arn%{endif}"
Whatever I seem to do syntax-wise, it won't look up the ARN; it will only add it as a text string, which obviously doesn't work.
I've checked the documentation; none of the examples I have found seem to help or let me know whether this is supposed to work.
I could split it all up into different data.x resources, but as 85% is the same that seems a bit rubbish. I could also make it a template, but the docs suggested that for 0.12 this is the way I'm supposed to be doing it.
Please help.
data "aws_iam_policy_document" "example_execution_iam_policy_document" {
  for_each = toset(var.namespace)

  statement {
    # Allows access to required secrets and SSM parameters defined in the task definition only
    effect = "Allow"
    actions = [
      "ssm:GetParameters",
      "secretsmanager:GetSecretValue",
      "kms:Decrypt"
    ]
    resources = [
      aws_secretsmanager_secret.snoop_xxxxxx_credentials[each.value].arn, # This works hardcoding it, don't want to do that though.
      "%{if var.insight_analytics_db_con_required}aws_secretsmanager_secret.snoop_xxxxxx_credentials[each.value].arn%{endif}", # I want this to work
      data.terraform_remote_state.terraform_layer_xyz_db.outputs.rds_aurora_connection_parameter_arn
    ]
  }
}
The above produces this in the Terraform plan:
  ~ Resource = [
      + "aws_secretsmanager_secret.snoop_xxxxxx_credentials[each.value].arn",
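Added example, not part of the original post: the plan output above is exactly what a `%{if}` directive does. Text between `%{if}` and `%{endif}` is literal; only a `${...}` interpolation inside it would be evaluated, and even then the false branch yields an empty string, which is not a valid policy resource. The expression-based alternative below builds the `resources` list with a conditional and `concat()`, so a secret ARN is either present or absent and no placeholder strings ever reach the policy. The second secret (`insight_analytics_db_credentials`) and the `variable` blocks are assumed names for illustration; the original post uses a redacted placeholder for both secrets.

```hcl
variable "namespace" {
  type = list(string)
}

variable "insight_analytics_db_con_required" {
  type    = bool
  default = false
}

data "aws_iam_policy_document" "example_execution_iam_policy_document" {
  for_each = toset(var.namespace)

  statement {
    # Allows access to required secrets and SSM parameters defined in the task definition only
    effect = "Allow"
    actions = [
      "ssm:GetParameters",
      "secretsmanager:GetSecretValue",
    ]

    # Build the list with expressions instead of a string template:
    # the conditional yields a one-element list or an empty list, and
    # concat() joins the pieces. Nothing is ever emitted as literal text.
    resources = concat(
      [aws_secretsmanager_secret.snoop_xxxxxx_credentials[each.value].arn],
      # Assumed second secret, only granted when the flag is set.
      var.insight_analytics_db_con_required ? [aws_secretsmanager_secret.insight_analytics_db_credentials[each.value].arn] : [],
      [data.terraform_remote_state.terraform_layer_xyz_db.outputs.rds_aurora_connection_parameter_arn],
    )
  }
}

# Equivalent using the template form the post tried. The ${...} makes the ARN
# interpolate, but the false branch is "", which compact() must strip before
# the list is used as policy resources.
locals {
  optional_secret_arns = {
    for ns in var.namespace : ns => compact([
      "%{if var.insight_analytics_db_con_required}${aws_secretsmanager_secret.insight_analytics_db_credentials[ns].arn}%{endif}",
    ])
  }
}
```

Two things worth checking once the plan shows real ARNs. First, the `resources` list should only ever contain secret and parameter ARNs the task actually references; keeping the conditional per flag rather than widening to `arn:aws:secretsmanager:*:*:secret:*` is what keeps the execution role least-privilege. Second, `kms:Decrypt` is evaluated against the KMS key ARN, not the secret ARN, so it was removed from this statement; if the secrets use a customer-managed key, grant `kms:Decrypt` in a separate statement whose `resources` is that key's ARN, and if they use the AWS-managed `aws/secretsmanager` key the execution role needs no `kms:Decrypt` at all.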