Fn.jsondecode with error handling

We are using cdktf with the typescript for reading the secrets from AWS Secrets.
Depending on the secret type sometimes we get a JSON and sometimes it is just a plain text.

We wrote the following generic function to read the secrets. We check if we are able to JSONDecode look up the keys else return the secret as it is.

get(): string {
    const secretManagerData = new DataAwsSecretsmanagerSecret(this, "secretManagerGetData", {
      provider: this.provider,
      name: this.secretName
    const secretManagerVersion = new DataAwsSecretsmanagerSecretVersion(this, "secretManagerGetDataVersion", {
      secretId: secretManagerData.id,
      provider: this.provider
    const secretValue = secretManagerVersion.secretString;
     * Currently we are forced to know upfront if secret being looked up is JSON or not.
     * @TODO: Find an automated way to detect if secret being read is JSON or plain string.
    if (Fn.can(Fn.jsondecode(secretValue))) {
      const data = Fn.jsondecode(secretValue);
      return Fn.lookup(data, this.secretName, null);
    } else {
      return secretValue;

However, we get an error Call to function "jsondecode" failed: invalid character '-' in numeric whenever we get a plain-text secret instead of JSON.
The error is valid as this specific secret is not JSON so we expected it to go the else condition.
We tried multiple approaches but we were not able to get it to work.

We also tried Fn.try([Fn.jsondecode(secretValue), ""]) but that also didn’t work.
We would really appreciate if we can understand what is going on and what is the right way to handle it.


This type of conditional logic at run time is not supported. CDKTF synthesizes a Terraform workspace for you, so we distinguish between compile time and execution time. Control flow operations like if are at compile time, therefore a check like Fn.can that runs at execution time won’t help. You would need to check in e.g. TS directly if the secret value is JSON and do the if dependent on it. This only works if the secret is known at compile time, it’s currently not easy to implement this at execution time as you would only want to create a resource or so conditionally. This part of the docs might be of help: Debugging | Terraform by HashiCorp