3

I am trying to export/post variable outputs and resource IDs after the terraform apply command to AWS SSM Parameter Store to make the values available to AWS Lambda and other AWS services. Any suggestions will be appreciated. Thanks in advance.

PrakashS
  • 1
    Are you just looking for this resource? https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter – jordanm Aug 03 '21 at 14:16
  • 1
    Why not have Terraform create the SSM parameters directly? – Mark B Aug 03 '21 at 15:20
  • Hi Jordanm, Yes. I got this resource and I am looking to insert values based on my output values that I get after I run my $terraform apply command. – PrakashS Aug 03 '21 at 15:33
  • 1
    Hi Mark, Yes. I got this resource and I am looking to insert values into this resource based on my output values that I get after I run my $terraform apply command. E.g., Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: security_group = "sg-050f3249087ad469e" server_id = "i-063ba921a88192ebc" server_private_ip = "10.0.1.50" => how can I insert this value in the AWS SSM parameter store? – PrakashS Aug 03 '21 at 15:41

2 Answers

2

Just to let you know, if you try to get the output of your resources into SSM Parameter, you will need to run "Apply" twice.

This is how Terraform runs: it first records your resources to the outputs, then you can use them after the first apply.

But perhaps this simple solution could work for you?

resource "aws_security_group" "allow_tls" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = "vpc-xxxxxxxxxxxxx"

  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.1.0.0/16"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "allow_tls"
  }
}

resource "aws_ssm_parameter" "sg" {
  name        = "/test/tls-sg-id"
  description = "Allow TLS Security Group ID"
  type        = "String"
  value       = aws_security_group.allow_tls.id

  tags = {
    environment = "Testing"
  }
}

Then, when you apply, Terraform will figure out the dependencies and apply accordingly:

20:47 $ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create

Terraform will perform the following actions:

  # aws_security_group.allow_tls will be created
  + resource "aws_security_group" "allow_tls" {
      + arn                    = (known after apply)
      + description            = "Allow TLS inbound traffic"
      + egress                 = [
          + {
              + cidr_blocks      = [
                  + "0.0.0.0/0",
                ]
              + description      = ""
              + from_port        = 0
              + ipv6_cidr_blocks = [
                  + "::/0",
                ]
              + prefix_list_ids  = []
              + protocol         = "-1"
              + security_groups  = []
              + self             = false
              + to_port          = 0
            },
        ]
      + id                     = (known after apply)
      + ingress                = [
          + {
              + cidr_blocks      = [
                  + "10.1.0.0/16",
                ]
              + description      = "TLS from VPC"
              + from_port        = 443
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 443
            },
        ]
      + name                   = "allow_tls"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "Name" = "allow_tls"
        }
      + tags_all               = {
          + "Name" = "allow_tls"
        }
      + vpc_id                 = "vpc-xxxxxxxxxxx"
    }

  # aws_ssm_parameter.sg will be created
  + resource "aws_ssm_parameter" "sg" {
      + arn         = (known after apply)
      + data_type   = (known after apply)
      + description = "Allow TLS Security Group ID"
      + id          = (known after apply)
      + key_id      = (known after apply)
      + name        = "/test/tls-sg-id"
      + tags        = {
          + "environment" = "Testing"
        }
      + tags_all    = {
          + "environment" = "Testing"
        }
      + tier        = "Standard"
      + type        = "String"
      + value       = (sensitive value)
      + version     = (known after apply)
    }

Then I got this value in the SSM Parameter:

20:48 $ aws ssm describe-parameters --parameter-filters "Key=Name,Values=/test/tls-sg-id"
{
    "Parameters": [
        {
            "Name": "/test/tls-sg-id",
            "DataType": "text",
            "LastModifiedDate": 1628020084.521,
            "Version": 1,
            "LastModifiedUser": "arn:aws:iam:::user/oli",
            "Policies": [],
            "Tier": "Standard",
            "Type": "String",
            "Description": "Allow TLS Security Group ID"
        }
    ]
}
1

To avoid running terraform apply "twice", you can add the depends_on meta-argument:

resource "aws_ssm_parameter" "sg" {
  name        = "/test/tls-sg-id"
  description = "Allow TLS Security Group ID"
  type        = "String"
  value       = aws_security_group.allow_tls.id

  tags = {
    environment = "Testing"
  }

  depends_on = [
    aws_security_group.allow_tls
  ]
}
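
The approach from the answers extended to the three outputs listed in the question, as an added example that is not from either answer: one `aws_ssm_parameter` per value via `for_each`, plus a read-only IAM policy scoped to exactly those parameters for the consuming Lambda role. `aws_instance.server`, `aws_iam_role.lambda` and the `/test/app` prefix are assumptions; `aws_security_group.allow_tls` is the resource from the first answer.

```hcl
# Added example. aws_instance.server, aws_iam_role.lambda and the prefix
# are assumed names; adjust them to the resources in your configuration.
locals {
  ssm_prefix = "/test/app"

  # The three values from the question's "Outputs:" block. Keys are static,
  # so for_each works even though the values are only known after apply.
  published = {
    security_group    = aws_security_group.allow_tls.id
    server_id         = aws_instance.server.id
    server_private_ip = aws_instance.server.private_ip
  }
}

# One parameter per entry: /test/app/security_group, /test/app/server_id, ...
resource "aws_ssm_parameter" "published" {
  for_each = local.published

  name        = "${local.ssm_prefix}/${each.key}"
  description = "Published by Terraform: ${each.key}"
  type        = "String" # resource identifiers, not secrets
  value       = each.value

  tags = {
    environment = "Testing"
  }
}

# Least privilege: the Lambda role may read these parameters and nothing
# else in Parameter Store (no wildcard on the whole account).
data "aws_iam_policy_document" "read_published" {
  statement {
    sid       = "ReadPublishedParameters"
    actions   = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = [for p in aws_ssm_parameter.published : p.arn]
  }
}

resource "aws_iam_role_policy" "lambda_read_published" {
  name   = "read-published-parameters"
  role   = aws_iam_role.lambda.id # assumed: the Lambda's execution role
  policy = data.aws_iam_policy_document.read_published.json
}
```

Parameter values are also written to the Terraform state, so for anything secret use `type = "SecureString"` and restrict access to the state backend as well.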