TFE Variables with AWS SSM

I am just beginning to use the Terraform Cloud provider, and one thing I would like to do along with creating workspaces is setting up the variables in the workspace. My initial idea was to use the AWS Parameter Store as the “source of truth” for my variables/secrets.

The problem I am facing is that when using the aws provider’s aws_ssm_parameter data source, the Terraform run will blow up if the parameter does not exist yet in the parameter store. This might be valid; for example, I may be adding a new Terraform variable that is only needed in a preproduction environment, and that shouldn’t cause Terraform to blow up for the production workspace. Ideally, I could set a default value or the workspace variable wouldn’t be created at all.

I had thought of using the external data source to grab the parameter and handle the non-existence myself, but as I’m using Terraform Cloud and using their build agents, I can’t assume certain programs will be installed on the build agents, per the Terraform docs.

Is there a workaround to this problem? Is this even a good idea, using a secret manager as the source of truth for Terraform variables?

Hi, what do you mean by Terraform blowing up?
I am very interested in the approach you take for this.

Where I work, I saw a use case of using tokens for the Terraform user that interacts with the target AWS account.

Please post your findings.
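
Added example, not part of the thread above: one way to avoid the hard failure described in the question is to list parameters by path with the AWS provider's aws_ssm_parameters_by_path data source and create a workspace variable only for the parameters that exist. The path layout, the variable names and the log_level key are assumptions, as is the behavior that a path with no parameters returns empty lists rather than an error.

```hcl
# Added example; workspace_id and the /tfe/<env>/ path layout are assumptions.
variable "workspace_id" {
  type = string
}

variable "ssm_path" {
  type    = string
  default = "/tfe/preprod"
}

# List by path instead of reading one named parameter: a parameter that is
# absent from this environment is simply absent from the result
# (assumption: an empty path yields empty lists, not an error).
data "aws_ssm_parameters_by_path" "workspace" {
  path            = var.ssm_path
  with_decryption = true
}

locals {
  names = data.aws_ssm_parameters_by_path.workspace.names

  # The provider marks "values" as sensitive, so this map is sensitive too.
  params = zipmap(local.names, data.aws_ssm_parameters_by_path.workspace.values)

  # Default for a parameter that may not exist here (hypothetical key).
  log_level = lookup(local.params, "${var.ssm_path}/log_level", "info")
}

# One workspace variable per parameter that exists under the path.
resource "tfe_variable" "from_ssm" {
  for_each = toset(local.names)

  workspace_id = var.workspace_id
  key          = basename(each.key) # "/tfe/preprod/db_password" -> "db_password"
  value        = local.params[each.key]
  category     = "terraform"
  sensitive    = true # value is not shown again in the workspace UI or API
}
```

The parameter values read by the data source are stored in the state of the configuration that runs this, so access to that state needs the same protection as the Parameter Store path itself.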