
I have the following HCL code, which asks for and reads the secret_api_key variable from the terminal on terraform plan and saves it in Secrets Manager.

variable "secret_api_key" {
  type        = string
  sensitive   = true
}

resource "aws_secretsmanager_secret" "secret_api_key" {
  name = "secret_api_key"
}

resource "aws_secretsmanager_secret_version" "secret_api_key" {
  secret_id     = aws_secretsmanager_secret.secret_api_key.id
  secret_string = var.secret_api_key
}

In another configuration, the secret is read like this:

data "aws_secretsmanager_secret" "secret_api_key" {
  name       = "secret_api_key"
  depends_on = [aws_secretsmanager_secret.secret_api_key]
}

data "aws_secretsmanager_secret_version" "secret_api_key" {
  secret_id = data.aws_secretsmanager_secret.secret_api_key.id
}

resource "aws_lambda_function" "s3_to_service" {
  ...
  environment {
    variables = {
      SECRET_ARN = data.aws_secretsmanager_secret_version.secret_api_key.arn
    }
  }
}

How do I force terraform to not ask me for the API key every time I plan? It needs to ask me the first time I do it, to store it in Secrets Manager. But after that, it is redundant. How can I avoid this?

Dimi
  • Provide some default value. – Marcin Nov 01 '21 at 09:36
  • @Marcin I cannot hardcode a sensitive value as default. This code is uploaded on Git. – Dimi Nov 01 '21 at 09:38
  • Only set up secret manager once then - separate them? – Ermiya Eskandary Nov 01 '21 at 09:38
  • I mean, you provide a default value as an empty string, or whatever, and then program logic to get the value from SM, if the real value is not given. – Marcin Nov 01 '21 at 09:39
  • This leads to: `# aws_secretsmanager_secret_version.secret_api_key must be replaced -/+ resource "aws_secretsmanager_secret_version" "secret_api_key" { ~ secret_string = (sensitive value) # forces replacement }` It wants to replace the actual key with null values every time I plan. – Dimi Nov 01 '21 at 09:44
  • @ErmiyaEskandary This is a solution, but I am trying to see if there is a more clever way to do it – Dimi Nov 01 '21 at 09:45
  • Not really - either you provide a value every time or you don't, but it will use the value at hand; reference the secret but don't try recreating the secret every time. You can also pass in the value via the CLI if the problem is typing in input as opposed to getting input. – Ermiya Eskandary Nov 01 '21 at 10:04
  • Terraform works on calculating differences - if you provide nothing, it will assume that you want it cleared/removed. – Ermiya Eskandary Nov 01 '21 at 10:05

1 Answer


Not really.

Either you manually provide a value every time or you don't, but Terraform variables require a value specified in some shape, way, or form, whether by you or by default, every time you want to evaluate a Terraform configuration.

If you plan/apply aws_secretsmanager_secret, there is no way around supplying a value manually unless you hard code a value or specify a default.

Terraform works based on calculating differences in the state - it needs to know what your expected state is (with your variable value) to then compare it with the actual state.

I would advise you to plan/apply the Terraform config for the secret when you want to create/update it & to separate the creation of the secret from the usage of the secret.

Then, you can use data.aws_secretsmanager_secret.secret_api_key to access it as you have.

Ermiya Eskandary
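A concrete layout of the separation the answer recommends, as an added example that is neither the asker's nor the answerer's code. The secret name, the variable and the function name come from the question; the execution role, the policy name and the Lambda handler/runtime/package values are assumptions made up for this example.

```hcl
# ---------------------------------------------------------------------------
# Configuration 1 (e.g. ./secrets): applied once, and again only when the key
# rotates. Supply the value out of band so it lands neither in git nor in your
# shell history, for example:
#   TF_VAR_secret_api_key='<the key>' terraform apply
# ---------------------------------------------------------------------------

variable "secret_api_key" {
  type      = string
  sensitive = true   # redacts plan/apply output only; see note below on state
}

resource "aws_secretsmanager_secret" "secret_api_key" {
  name = "secret_api_key"
}

resource "aws_secretsmanager_secret_version" "secret_api_key" {
  secret_id     = aws_secretsmanager_secret.secret_api_key.id
  secret_string = var.secret_api_key
}

output "secret_arn" {
  value = aws_secretsmanager_secret.secret_api_key.arn
}

# ---------------------------------------------------------------------------
# Configuration 2 (e.g. ./app): applied as often as you like. It declares no
# variable, so plan never prompts; the secret is found by name.
# ---------------------------------------------------------------------------

data "aws_secretsmanager_secret" "secret_api_key" {
  name = "secret_api_key"
}

# Execution role for the function (assumed name, not from the question).
resource "aws_iam_role" "s3_to_service" {
  name = "s3_to_service"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

# Least privilege: read access to this one secret only, nothing else in
# Secrets Manager. (Policy name is an assumption.)
resource "aws_iam_role_policy" "read_secret_api_key" {
  name = "read-secret-api-key"
  role = aws_iam_role.s3_to_service.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue"]
      Resource = data.aws_secretsmanager_secret.secret_api_key.arn
    }]
  })
}

resource "aws_lambda_function" "s3_to_service" {
  function_name = "s3_to_service"
  role          = aws_iam_role.s3_to_service.arn
  # Deployment package, handler and runtime are assumed values.
  filename      = "s3_to_service.zip"
  handler       = "handler.main"
  runtime       = "python3.9"

  environment {
    variables = {
      # Only the ARN is exposed. The function calls GetSecretValue at runtime,
      # so the key itself never appears in the function configuration or in
      # this configuration's state.
      SECRET_ARN = data.aws_secretsmanager_secret.secret_api_key.arn
    }
  }
}
```

Two caveats a practitioner should keep in mind. First, `sensitive = true` only redacts the value in CLI output; Terraform still writes `secret_string` in plaintext into configuration 1's state file, so that state needs a protected backend (encryption at rest and tight access control), and rotating the key out of band means re-applying configuration 1 with the new value. Second, configuration 2 deliberately does not use `data "aws_secretsmanager_secret_version"`: that data source fetches the plaintext value into configuration 2's state as well, which is unnecessary when the function fetches the value itself at runtime and only needs the ARN and permission to read it.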