Conditionally ignore terraform resource update

Let’s say you have the following SSM parameter resource:

resource "aws_ssm_parameter" "private_key" {
  name      = var.name
  type      = "SecureString"
  value     = var.key
  overwrite = true
  tags      = var.tags
}

The value of the var.key variable changes every time Terraform runs, but you need to be able to prevent the value update based on some condition (say, a bool variable var.overwrite_old_values).

You can’t use the overwrite property, because if it’s set to false Terraform will throw an error when it attempts to overwrite the existing value.

You can’t use lifecycle { ignore_changes = [...] } because it requires a static list of attributes and doesn’t accept variables, functions, etc.

So how do you update the value only when the condition is met?

The following code achieves this:

data "aws_ssm_parameter" "private_key" {
  # Only read the existing parameter when we intend to keep its value.
  count = var.overwrite_old_values ? 0 : 1
  name  = var.name
}

resource "aws_ssm_parameter" "private_key" {
  name = var.name
  type = "SecureString"
  # Parentheses let the conditional span several lines in HCL.
  value = (
    var.overwrite_old_values ?
    var.key :
    data.aws_ssm_parameter.private_key[0].value
  )
  overwrite = true
  tags      = var.tags
}

Here we add an SSM parameter data source that reads the existing value of the parameter. To avoid the error of reading a parameter that hasn’t been created yet, we only read that data source when var.overwrite_old_values is false or null. We also modify the SSM parameter resource: when var.overwrite_old_values is false or null, we use the value read from the data source as the resource’s value, i.e. the existing value, so it does not change. Otherwise we use the original var.key we passed in as a parameter.
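A quick way to confirm the pattern behaves as intended is to inspect the JSON plan (`terraform plan -out plan.tfplan && terraform show -json plan.tfplan > plan.json`) and check which actions are planned for the parameter. The checker below is an added example, not code from the original post; the sample plans are constructed to mimic the `resource_changes` shape of `terraform show -json` output, and `plan_matches_intent` is a hypothetical helper name.

```python
"""Check a Terraform JSON plan for the planned action on the SSM parameter."""
import json
import sys
from typing import List

PARAM_ADDRESS = "aws_ssm_parameter.private_key"

# Constructed sample plans: only the fields this check uses are included.
# Run with overwrite_old_values = false: the value is re-read, so nothing changes.
SAMPLE_PLAN_NO_OVERWRITE = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": PARAM_ADDRESS, "mode": "managed", "type": "aws_ssm_parameter",
         "name": "private_key", "change": {"actions": ["no-op"]}},
    ],
})
# Run with overwrite_old_values = true: var.key differs, so an in-place update is planned.
SAMPLE_PLAN_OVERWRITE = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": PARAM_ADDRESS, "mode": "managed", "type": "aws_ssm_parameter",
         "name": "private_key", "change": {"actions": ["update"]}},
    ],
})


def planned_actions(plan_json: str, address: str) -> List[str]:
    """Return the action list Terraform plans for one resource address ([] if absent)."""
    plan = json.loads(plan_json)
    for change in plan.get("resource_changes", []):
        if change.get("address") == address:
            return list(change["change"]["actions"])
    return []


def plan_matches_intent(plan_json: str, overwrite_old_values: bool,
                        address: str = PARAM_ADDRESS) -> bool:
    """True when the plan does what the overwrite flag asked for."""
    actions = planned_actions(plan_json, address)
    if not overwrite_old_values:
        # Keeping the old value means no change may be planned for the parameter.
        return actions in ([], ["no-op"])
    # Overwrite requested: expect an update, or a create on the very first run.
    return actions in (["update"], ["create"])


if __name__ == "__main__":
    # Usage: python check_plan.py plan.json true|false
    with open(sys.argv[1], encoding="utf-8") as fh:
        ok = plan_matches_intent(fh.read(), sys.argv[2].lower() == "true")
    sys.exit(0 if ok else 1)
```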
