I tried to figure out a good way to use AWS Parameter Store in my Terragrunt config.
I created a module, secrets, to create all my secret parameters:
# secrets/main.tf
resource "aws_ssm_parameter" "postgres_password" {
  name        = "${var.env}-postgres-password"
  description = "The parameter description"
  type        = "SecureString"
  value       = var.postgres_password
  tags        = var.tags
}
With outputs:
# secrets/outputs.tf
output "postgres_password" {
  description = "Postgres password"
  value       = try(aws_ssm_parameter.postgres_password.name, "")
}
I then created the dependency for this module:
# dependency-blocks/secrets.hcl
dependency "secrets" {
  config_path = "${get_original_terragrunt_dir()}/../../data-stores/secrets"
  mock_outputs = {
    postgres_password = "staging-postgres-password"
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan", "init"]
}
In my database config, I included the secrets dependency and set it as input for my Database module:
# db/terragrunt.hcl
include "secrets" {
  path           = "../../../../dependency-blocks/secrets.hcl"
  expose         = true
  merge_strategy = "deep"
}

inputs = {
  postgres_password = dependency.secrets.outputs.postgres_password
}
Then I tried to refer to this parameter in the db module:
# db/main.tf
data "aws_ssm_parameter" "password" {
  name = var.postgres_password
}
When I run terragrunt run-all plan, it ends with an error:
Error describing SSM parameter (staging-postgres-password): ParameterNotFound: Parameter staging-postgres-password not found.
and I know that's because I mocked only the name, but I don't have the SSM parameter resource created yet.
My questions:
- How to make this plan command work?
- It also led me to the question that maybe creating a module for parameters is not a good idea and I should manage them outside Terraform config?
Could you recommend some of your good practices to work with parameters in Terragrunt/Terraform?
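
One way to keep the plan from reading a parameter that does not exist yet, shown as an added example that is not part of the original post: the mock output becomes an empty sentinel and the db module skips the data source when it sees it. The empty-string sentinel, the count guard, the variable default and local.postgres_password are assumptions made for illustration.

```hcl
# dependency-blocks/secrets.hcl (constructed variant of the block in the post)
dependency "secrets" {
  config_path = "${get_original_terragrunt_dir()}/../../data-stores/secrets"

  # Sentinel instead of a realistic-looking name: an empty string can never
  # match a real parameter, so the consumer can tell "mocked" from "applied".
  mock_outputs = {
    postgres_password = ""
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan", "init"]
}

# db/variables.tf (assumed; the post does not show this file)
variable "postgres_password" {
  description = "Name of the SSM parameter holding the password; empty while the secrets unit is unapplied"
  type        = string
  default     = ""
}

# db/main.tf
data "aws_ssm_parameter" "password" {
  # Skip the SSM read while only the mocked (empty) name is available, so
  # plan does not fail with ParameterNotFound before the first apply.
  count = var.postgres_password == "" ? 0 : 1
  name  = var.postgres_password
}

locals {
  # null until the parameter exists; the value stays marked sensitive.
  # Only the parameter name crosses the module boundary, never the secret.
  postgres_password = one(data.aws_ssm_parameter.password[*].value)
}
```

With the sentinel in place, a plan of the db unit made before the secrets unit is applied shows no password, so it describes a pre-apply state rather than the final one. Once the secrets unit has been applied, the real output replaces the mock and the lookup runs normally.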