provider/aws: New SSM Parameter resource #14043
Can be used for creating parameters in AWS' SSM Parameter Store that can then be used by other applications that have access to AWS and necessary IAM permissions.
I'm unsure if I should be marking value as
@radeksimko sorry to nag you but is there any chance you could take a look at this as is please? I'm starting a new job on Monday so probably won't get much time for a while to look at this again after this week. My testing with it seems to do everything I need it to do (including working with the file interpolation which is my main requirement for storing SSH keys in SSM Parameter Store) but not sure if it needs any more automated tests at all? I'm happy without the CMK option for SecureStrings right now but that might be useful to be added in later -
@radeksimko Can you approve and merge this? My org also needs this ASAP. Thanks!
Just noticed that there are merge conflicts on the branch now. I'll sort those as soon as the rest of the code has been reviewed. EDIT: Conflicts look fine, just need to move this parameter store stuff after
@tomelliff Would you also be interested to produce a data source version of the parameter_store for reading existing values? I think you already have most of the implementation code similar to https://www.terraform.io/docs/providers/aws/d/kms_alias.html
We work in sensitive environments, so we use Parameter Store for generic secrets management since we can pair it with IAM policies that limit application access to them.
+1. If the data source and the ability to create them were in Terraform that would be fantastic.
Yeah, happy to add a data source once this has been reviewed and I get some free time. Would like to check if this is missing anything glaring first though. |
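The pattern the comments above describe (a SecureString parameter encrypted with a customer-managed KMS key, readable only by an IAM role scoped to one parameter path, plus the read-side data source asked for here), as an added example that is not code from this PR or from the Terraform AWS provider. Names this page does not state are assumptions: the resource name `aws_ssm_parameter`, its `key_id` argument and the `aws_ssm_parameter` data source; the parameter path, role name, region and key file path are placeholders. Written in the 0.9-era interpolation syntax the thread is working against.

```hcl
# Added example, not code from the PR. Assumed names: aws_ssm_parameter,
# key_id, data.aws_ssm_parameter. Path, role, region and file are placeholders.

provider "aws" {
  region = "eu-west-1"
}

data "aws_caller_identity" "current" {}

# Customer-managed key: with it, kms:Decrypt on this specific key becomes a
# second gate in front of the secret, separate from ssm:GetParameter.
resource "aws_kms_key" "ssm" {
  description         = "CMK for SSM SecureString parameters"
  enable_key_rotation = true
}

# The SSH key use case from the thread: the file() interpolation reads the
# private key from disk at plan time and stores it as a SecureString
# encrypted under the CMK instead of the account's default aws/ssm key.
resource "aws_ssm_parameter" "ssh_key" {
  name   = "/prod/app/ssh_key"
  type   = "SecureString"
  key_id = "${aws_kms_key.ssm.key_id}"
  value  = "${file("${path.module}/secrets/id_rsa")}" # placeholder path
}

# Role for the Lambda/application that consumes the secret.
resource "aws_iam_role" "app" {
  name = "prod-app"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "lambda.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Least privilege: read-only, one path prefix, one key. No ssm:PutParameter,
# no "parameter/*", no kms:Decrypt on other keys.
resource "aws_iam_role_policy" "read_app_params" {
  name = "read-prod-app-parameters"
  role = "${aws_iam_role.app.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
      "Resource": "arn:aws:ssm:eu-west-1:${data.aws_caller_identity.current.account_id}:parameter/prod/app/*"
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "${aws_kms_key.ssm.arn}"
    }
  ]
}
EOF
}

# Read side (the data source requested later in the thread). The identity
# running Terraform needs ssm:GetParameter and kms:Decrypt on the CMK to
# resolve this, and the decrypted value is written into the state file.
data "aws_ssm_parameter" "ssh_key" {
  name = "${aws_ssm_parameter.ssh_key.name}"
}
```

Two caveats a practitioner would want next to this: marking the resource's `value` field as `Sensitive` only keeps it out of plan and apply output, the plaintext is still stored in state, and the data source pulls the decrypted value into state as well, so the state backend needs the same access control and encryption as the parameter itself.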
Hi @tomelliff
thank you for submitting this PR.
This looks overall 👌 I just left you a few questions there. Would you mind looking over those?
```go
	},
	"value": {
		Type:     schema.TypeString,
		Required: true,
```
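Review bot: `value` is declared `Required` without `Sensitive: true`, so a SecureString's secret will be echoed in plan and apply output and in every diff; add `Sensitive: true` to this field. Note that `Sensitive` only suppresses CLI output and the plaintext is still written to state, which is worth saying in the resource docs.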
Is it worth marking this field as Sensitive as it may contain sensitive data?
```go
		Name:      aws.String(d.Get("name").(string)),
		Type:      aws.String(d.Get("type").(string)),
		Value:     aws.String(d.Get("value").(string)),
		Overwrite: aws.Bool(overwrite),
```
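Review bot: `Overwrite: aws.Bool(overwrite)` is sent on the create path as well; if `overwrite` is true when `d.IsNewResource()` holds, `apply` will silently replace a parameter that already exists outside the state instead of failing, so set Overwrite only on update (or let the create fail on a name that already exists and ask the user to import). Also no `KeyId` is passed, so a SecureString is always encrypted with the account's default `alias/aws/ssm` key; an optional `key_id` argument mapped to `KeyId` would cover the CMK case mentioned in the thread.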
Just FYI - there's `d.IsNewResource()` which can basically tell you whether this is being called from `Create()` or `Update()` and therefore you could reduce the number of arguments as you already have `*schema.ResourceData` there.
```go
	}

	log.Printf("[DEBUG] Waiting for SSM Parameter %q to be updated", d.Get("name").(string))
	err := resource.Retry(5*time.Minute, func() *resource.RetryError {
```
What exactly is the reason for retrying this operation if there's no retryable error? 🤔
Also would you mind rebasing your branch & resolving conflicts? Thanks.
Will this be part of 0.9.7?
- Addressed all issues in hashicorp#14043
- Added ForceNew directive to type
- Added the ability to specify a KMS key for encryption and decryption
@tomelliff even if you're busy, could you please prioritize spending a couple of hours and finishing this.
* New SSM Parameter resource

  Can be used for creating parameters in AWS' SSM Parameter Store that can then be used by other applications that have access to AWS and necessary IAM permissions.
* Add docs for new SSM Parameter resource
* Code Review and Bug Hunt and KMS Key
  - Addressed all issues in #14043
  - Added ForceNew directive to type
  - Added the ability to specify a KMS key for encryption and decryption
* Add SSM Parameter Data Source
* Fix bad merge
* Fix SSM Parameter Integration Tests
* docs/aws: Fix typo in SSM sidebar link
#15035 was just merged. @tomelliff thank you for all the initial work and @pmorton for taking it to the finish line 🎉
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
This new resource can be used for creating parameters in AWS' SSM Parameter Store that can then be used by other applications that have access to AWS and necessary IAM permissions.
Acceptance tests are currently passing:
This is my first stab at creating a new resource and I'm not all that used to Go just yet either so I might be missing a whole bunch of things here and would love any feedback I get from this.
This was previously requested in #11433. Would be good to add a data source for this at some point as well but this solves an immediate use case I have right now (providing a secret to a Lambda function that I deploy using Terraform).
TODO: