I have following SSM resource:
    resource "aws_ssm_parameter" "private_key" {
      name      = var.name
      type      = "SecureString"
      value     = var.key
      overwrite = true
      tags      = var.tags
    }
I have no control over what value of var.key is supplied, and it changes every time Terraform runs. But I need to be able to prevent the value update based on some condition (say, a bool variable var.overwrite_old_value).
I can’t use the overwrite = property, because if it’s set to false Terraform will throw an exception attempting to overwrite the value.
I can’t use lifecycle { ignore_changes = [...] } because it requires static attribute values and doesn’t accept variables, functions etc.
Is there a way to achieve this?
Hi @YuriGal
Can you explain what didn’t work for you when using ignore_changes? Your description sounds like the exact use case for ignore_changes, as you do not want to ever update the value attribute.
Hi @jbardin
It needs to be conditional. If the variable var.overwrite_old_value is set to true, changes should be allowed and the value should be updated. If var.overwrite_old_value is set to false, changes to value should be ignored.
Thanks, that makes sense, unfortunately there’s no direct way to accomplish what you’re asking.
It might be possible to split the configuration to conditionally create an “update-able” aws_ssm_parameter, and a separate static aws_ssm_parameter with ignore_changes set. You could then use that same condition to choose which of those resources is used elsewhere in the configuration.
For example, the condition on each resource would look like:
    resource "aws_ssm_parameter" "private_key_updates" {
      count = var.update ? 1 : 0
      ...
    resource "aws_ssm_parameter" "private_key_static" {
      count = var.update ? 0 : 1
      lifecycle {
        ignore_changes = [value]
      }
      ...
And you switch which resource result to use in a local or output:
    output "private_key" {
      value = var.update ? aws_ssm_parameter.private_key_updates[0].id : aws_ssm_parameter.private_key_static[0].id
    }
I think I have tried this approach before as well… Every time the flag changes, one resource is destroyed and another is created despite pointing to the same SSM parameter. By itself this shouldn’t be a problem, but if I remember correctly this caused other issues.
But let me try to recreate this again, maybe I missed something. Thanks!
Yes, I tried it again and I remember now. For some reason, when the flag changes and the resources are destroyed/created, I always get errors
    Error: error creating SSM parameter: TooManyUpdates
or
    Error: error reading SSM Parameter ParameterNotFound
on the first run after the flag changes. Consecutive runs with the same flag are error-free.
Ok, I figured out the way:
    # Read the parameter's current value back so it can be re-supplied unchanged.
    data "aws_ssm_parameter" "private_key" {
      name = var.name
    }

    resource "aws_ssm_parameter" "private_key" {
      name      = var.name
      type      = "SecureString"
      # Flag name matches the variable used above (var.overwrite_old_value).
      value     = var.overwrite_old_value ? var.key : data.aws_ssm_parameter.private_key.value
      overwrite = true
      tags      = var.tags
    }
If the flag is set to overwrite, I am assigning the new value; otherwise the value from the SSM parameter itself, using it as a data source (I had to add some additional checks so the data source isn’t used before the parameter is created, but it works).
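A complete module along the lines of the data-source approach in the last post, written as an added example rather than code from this thread. The parameter_exists variable and the local.read_existing guard are my assumptions for keeping the data source from being read before the parameter exists; sensitive on the variable and with_decryption on the data source are standard Terraform and AWS provider arguments.

```hcl
# Added example (not the original poster's code): conditional overwrite of a
# SecureString parameter by reading the current value back through a data source.

variable "name" {
  type = string
}

variable "key" {
  type      = string
  sensitive = true # keep the key material out of plan output
}

variable "overwrite_old_value" {
  type    = bool
  default = false
}

# Assumed guard: set to false on the very first apply so the data source is not
# read before the parameter exists (ParameterNotFound would fail the plan).
variable "parameter_exists" {
  type    = bool
  default = true
}

variable "tags" {
  type    = map(string)
  default = {}
}

locals {
  # Only read the stored value when we intend to keep it.
  read_existing = !var.overwrite_old_value && var.parameter_exists
}

data "aws_ssm_parameter" "private_key" {
  count           = local.read_existing ? 1 : 0
  name            = var.name
  with_decryption = true # decrypt so the value can be re-supplied unchanged
}

resource "aws_ssm_parameter" "private_key" {
  name      = var.name
  type      = "SecureString"
  overwrite = true
  tags      = var.tags
  # Reusing the stored value makes the plan show no diff, so var.key can
  # change on every run without touching the parameter.
  value = local.read_existing ? data.aws_ssm_parameter.private_key[0].value : var.key
}
```

The decrypted value read back by the data source ends up in state either way, since the resource already stores it there; the guard only avoids the first-apply lookup failure.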