I’m in the process of upgrading our Cloudflare provider. One of the elements is an API Token for use in an application being persisted in an AWS Parameter Store entry.
Prior to the upgrade, all was well.
Now I’m getting some odd behaviour on our SSM Parameters.
This is the resource and is unchanged prior to the Cloudflare upgrade:
resource "aws_ssm_parameter" "namespaced_parameter_dynamic_values" { # This is line 409 of the file.
for_each = { for key, parameter in local.namespaced_parameter_store_keys : key => parameter if parameter.dynamic == true }
name = each.key
description = each.value.description
type = "SecureString"
value = each.value.value
tags = {
dynamic = "Yes - Controlled by Terraform"
usage = each.value.usage
}
}
The errors I’m getting are:
╷
│ Error: Invalid combination of arguments
│
│ with aws_ssm_parameter.namespaced_parameter_dynamic_values["/DT/CLOUDFLARE/API_KEY"],
│ on parameter-store.tf line 409, in resource "aws_ssm_parameter" "namespaced_parameter_dynamic_values":
│ 409: resource "aws_ssm_parameter" "namespaced_parameter_dynamic_values" {
│
│ "insecure_value": one of `insecure_value,value,value_wo` must be specified
╵
╷
│ Error: Invalid combination of arguments
│
│ with aws_ssm_parameter.namespaced_parameter_dynamic_values["/DT/CLOUDFLARE/API_KEY"],
│ on parameter-store.tf line 409, in resource "aws_ssm_parameter" "namespaced_parameter_dynamic_values":
│ 409: resource "aws_ssm_parameter" "namespaced_parameter_dynamic_values" {
│
│ "value_wo": one of `insecure_value,value,value_wo` must be specified
╵
╷
│ Error: Invalid combination of arguments
│
│ with aws_ssm_parameter.namespaced_parameter_dynamic_values["/DT/CLOUDFLARE/API_KEY"],
│ on parameter-store.tf line 414, in resource "aws_ssm_parameter" "namespaced_parameter_dynamic_values":
│ 414: value = each.value.value
│
│ "value": one of `insecure_value,value,value_wo` must be specified
╵
The value coming from Cloudflare is put into a map (edited) for the parameter store entries:
locals {
namespaced_parameter_store_entries = {
CLOUDFLARE = {
API_KEY = {
description = format("Cloudflare API Key for %s.%s", var.domain, var.main_tld)
value = cloudflare_api_token.dns_tls_edit_token.value
}
ZONE_ID = {
description = format("Cloudflare Zone ID for %s.%s", var.domain, var.main_tld)
value = var.tlds[var.main_tld]
}
}
}
}
I suspect the issue is that the value of the token is secure, but I’m at a loss as trying to understand that error, especially when I’m not using insecure_value, or value_wo.
I’m hoping it is a “doh”/obvious answer/fix, but I’m not finding it.