Update ssm-parameter-store modules (#45)

tedilabs · May 20, 2024 · 42216df · 42216df
1 parent 2ef60fb
commit 42216df
Show file tree

Hide file tree

Showing 11 changed files with 61 additions and 115 deletions.
diff --git a/modules/ssm-parameter-store-parameter-set/README.md b/modules/ssm-parameter-store-parameter-set/README.md
@@ -9,36 +9,32 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.22 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.43 |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
+No providers.
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+| <a name="module_this"></a> [this](#module\_this) | ../ssm-parameter-store-parameter | n/a |
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| [aws_ssm_parameter.self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
-| [aws_ssm_parameter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+No resources.
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_parameters"></a> [parameters](#input\_parameters) | (Required) A list of parameters to manage in the parameter set. Each value of `parameters` block as defined below.<br>    (Required) `name` - The name of the parameter. This is concatenated with the `path` of the parameter set for the id. The name should begin with slash (/) and end without trailing slash.<br>    (Optional) `description` - The description of the parameter.<br>    (Optional) `tier` - The parameter tier to assign to the parameter. Valid values are `STANDARD`, `ADVANCED` or `INTELLIGENT_TIERING`.<br>    (Optional) `type` - The intended type of the parameter. Valid values are `STRING`, `STRING_LIST`. Not support `SECURE_STRING`.<br>    (Optional) `data_type` - The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ec2:image` for AMI format.<br>    (Optional) `allowed_pattern` - A regular expression used to validate the parameter value.<br>    (Required) `value` - The value of the parameter. | `list(map(string))` | n/a | yes |
+| <a name="input_parameters"></a> [parameters](#input\_parameters) | (Required) A list of parameters to manage in the parameter set. Each value of `parameters` block as defined below.<br>    (Required) `name` - The name of the parameter. This is concatenated with the `path` of the parameter set for the id. The name should begin with slash (/) and end without trailing slash.<br>    (Optional) `description` - The description of the parameter.<br>    (Optional) `tier` - The parameter tier to assign to the parameter. Valid values are `STANDARD`, `ADVANCED` or `INTELLIGENT_TIERING`.<br>    (Optional) `type` - The intended type of the parameter. Valid values are `STRING`, `STRING_LIST`. Not support `SECURE_STRING`.<br>    (Optional) `data_type` - The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format.<br>    (Optional) `allowed_pattern` - A regular expression used to validate the parameter value.<br>    (Required) `value` - The value of the parameter. | <pre>list(object({<br>    name            = string<br>    description     = optional(string)<br>    tier            = optional(string)<br>    type            = optional(string)<br>    data_type       = optional(string)<br>    allowed_pattern = optional(string)<br>    value           = string<br>  }))</pre> | n/a | yes |
 | <a name="input_path"></a> [path](#input\_path) | (Required) A path used for the prefix of each parameter name created by this parameter set. The path should begin with slash (/) and end without trailing slash. | `string` | n/a | yes |
 | <a name="input_allowed_pattern"></a> [allowed\_pattern](#input\_allowed\_pattern) | (Optional) The default regular expression used to validate each parameter value in the parameter set. This is only used when a specific pattern for the parameter is not provided. For example, for `STRING` types with values restricted to numbers, you can specify `^d+$`. | `string` | `""` | no |
-| <a name="input_data_type"></a> [data\_type](#input\_data\_type) | (Optional) The default data type of parameters in the parameter set. Only required when `type` is `STRING`. This is only used when a specific data type of the parameter is not provided. Valid values are `text`, `aws:ec2:image` for AMI format. Defaults to `text`. | `string` | `"text"` | no |
+| <a name="input_data_type"></a> [data\_type](#input\_data\_type) | (Optional) The default data type of parameters in the parameter set. Only required when `type` is `STRING`. This is only used when a specific data type of the parameter is not provided. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format. Defaults to `text`. `aws:ssm:integration` data\_type parameters must be of the type `SECURE_STRING` and the name must start with the prefix `/d9d01087-4a3f-49e0-b0b4-d568d7826553/ssm/integrations/webhook/`. | `string` | `"text"` | no |
 | <a name="input_description"></a> [description](#input\_description) | (Optional) The default description of parameters in the parameter set. This is only used when a specific description of the parameter is not provided. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_ignore_value_changes"></a> [ignore\_value\_changes](#input\_ignore\_value\_changes) | (Optional) Whether to manage the parameter value with Terraform. Ignore changes of `value` or `secret_value` if true. Defaults to `false`. | `bool` | `false` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |

diff --git a/modules/ssm-parameter-store-parameter-set/main.tf b/modules/ssm-parameter-store-parameter-set/main.tf
@@ -14,72 +14,32 @@ locals {
   } : {}
 }
 
-locals {
-  types = {
-    "STRING"        = "String"
-    "STRING_LIST"   = "StringList"
-    "SECURE_STRING" = "SecureString"
-  }
-  tiers = {
-    "STANDARD"            = "Standard"
-    "ADVANCED"            = "Advanced"
-    "INTELLIGENT_TIERING" = "Intelligent-Tiering"
-  }
-}
-
 
 ###################################################
 # Parameter on Systems Manager Parameter Store
 ###################################################
 
-resource "aws_ssm_parameter" "this" {
+module "this" {
   for_each = {
     for parameter in var.parameters :
     parameter.name => parameter
-    if !var.ignore_value_changes
   }
 
-  name        = join("", [var.path, each.key])
-  description = try(each.value.description, var.description)
-  tier        = local.tiers[try(each.value.tier, var.tier)]
-
-  type            = local.types[try(each.value.type, var.type)]
-  data_type       = try(each.value.data_type, var.data_type)
-  allowed_pattern = try(each.value.allowed_pattern, var.allowed_pattern)
-
-  insecure_value = each.value.value
-
-  # BUG: https://github.com/hashicorp/terraform-provider-aws/issues/25335
-  overwrite = true
-
-  tags = merge(
-    {
-      "Name" = join("", [var.path, each.key])
-    },
-    local.module_tags,
-    var.tags,
-  )
-}
-
-resource "aws_ssm_parameter" "self" {
-  for_each = {
-    for parameter in var.parameters :
-    parameter.name => parameter
-    if var.ignore_value_changes
-  }
+  source = "../ssm-parameter-store-parameter"
 
   name        = join("", [var.path, each.key])
-  description = try(each.value.description, var.description)
-  tier        = local.tiers[try(each.value.tier, var.tier)]
+  description = coalesce(each.value.description, var.description)
+  tier        = coalesce(each.value.tier, var.tier)
 
-  type            = local.types[try(each.value.type, var.type)]
-  data_type       = try(each.value.data_type, var.data_type)
-  allowed_pattern = try(each.value.allowed_pattern, var.allowed_pattern)
+  type            = coalesce(each.value.type, var.type)
+  data_type       = coalesce(each.value.data_type, var.data_type)
+  allowed_pattern = coalesce(each.value.allowed_pattern, var.allowed_pattern)
 
-  insecure_value = each.value.value
+  ignore_value_changes = var.ignore_value_changes
+  value                = each.value.value
 
-  # BUG: https://github.com/hashicorp/terraform-provider-aws/issues/25335
-  overwrite = true
+  resource_group_enabled = false
+  module_tags_enabled    = false
 
   tags = merge(
     {
@@ -88,11 +48,4 @@ resource "aws_ssm_parameter" "self" {
     local.module_tags,
     var.tags,
   )
-
-  lifecycle {
-    ignore_changes = [
-      value,
-      insecure_value,
-    ]
-  }
 }
diff --git a/modules/ssm-parameter-store-parameter-set/outputs.tf b/modules/ssm-parameter-store-parameter-set/outputs.tf
@@ -1,7 +1,3 @@
-locals {
-  parameter_set = var.ignore_value_changes ? aws_ssm_parameter.self : aws_ssm_parameter.this
-}
-
 output "path" {
   description = "The path used for the prefix of each parameter names managed by this parameter set."
   value       = var.path
@@ -10,7 +6,7 @@ output "path" {
 output "parameters" {
   description = "The list of parameters in the parameter set."
   value = {
-    for name, parameter in local.parameter_set :
+    for name, parameter in module.this :
     name => {
       id          = parameter.id
       arn         = parameter.arn

diff --git a/modules/ssm-parameter-store-parameter-set/variables.tf b/modules/ssm-parameter-store-parameter-set/variables.tf
@@ -1,6 +1,7 @@
 variable "path" {
   description = "(Required) A path used for the prefix of each parameter name created by this parameter set. The path should begin with slash (/) and end without trailing slash."
   type        = string
+  nullable    = false
 
   validation {
     condition = alltrue([
@@ -43,14 +44,14 @@ variable "type" {
 }
 
 variable "data_type" {
-  description = "(Optional) The default data type of parameters in the parameter set. Only required when `type` is `STRING`. This is only used when a specific data type of the parameter is not provided. Valid values are `text`, `aws:ec2:image` for AMI format. Defaults to `text`."
+  description = "(Optional) The default data type of parameters in the parameter set. Only required when `type` is `STRING`. This is only used when a specific data type of the parameter is not provided. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format. Defaults to `text`. `aws:ssm:integration` data_type parameters must be of the type `SECURE_STRING` and the name must start with the prefix `/d9d01087-4a3f-49e0-b0b4-d568d7826553/ssm/integrations/webhook/`."
   type        = string
   default     = "text"
   nullable    = false
 
   validation {
-    condition     = contains(["text", "aws:ec2:image"], var.data_type)
-    error_message = "Valid values are `text`, `aws:ec2:image`."
+    condition     = contains(["text", "aws:ssm:integration", "aws:ec2:image"], var.data_type)
+    error_message = "Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image`."
   }
 }
 
@@ -68,12 +69,20 @@ variable "parameters" {
     (Optional) `description` - The description of the parameter.
     (Optional) `tier` - The parameter tier to assign to the parameter. Valid values are `STANDARD`, `ADVANCED` or `INTELLIGENT_TIERING`.
     (Optional) `type` - The intended type of the parameter. Valid values are `STRING`, `STRING_LIST`. Not support `SECURE_STRING`.
-    (Optional) `data_type` - The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ec2:image` for AMI format.
+    (Optional) `data_type` - The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format.
     (Optional) `allowed_pattern` - A regular expression used to validate the parameter value.
     (Required) `value` - The value of the parameter.
   EOF
-  type        = list(map(string))
-  nullable    = false
+  type = list(object({
+    name            = string
+    description     = optional(string)
+    tier            = optional(string)
+    type            = optional(string)
+    data_type       = optional(string)
+    allowed_pattern = optional(string)
+    value           = string
+  }))
+  nullable = false
 
   validation {
     condition = alltrue([
@@ -90,7 +99,7 @@ variable "parameters" {
     condition = alltrue([
       for parameter in var.parameters :
       contains(["STANDARD", "ADVANCED", "INTELLIGENT_TIERING"], parameter.tier)
-      if try(parameter.tier, null) != null
+      if parameter.tier != null
     ])
     error_message = "Valid values are `STANDARD`, `ADVANCED` or `INTELLIGENT_TIERING`."
   }
@@ -99,26 +108,18 @@ variable "parameters" {
     condition = alltrue([
       for parameter in var.parameters :
       contains(["STRING", "STRING_LIST"], parameter.type)
-      if try(parameter.type, null) != null
+      if parameter.type != null
     ])
     error_message = "Valid values are `STRING`, `STRING_LIST`. Not support `SECURE_STRING`."
   }
 
   validation {
     condition = alltrue([
       for parameter in var.parameters :
-      contains(["text", "aws:ec2:image"], parameter.data_type)
-      if try(parameter.data_type, null) != null
-    ])
-    error_message = "Valid values are `text`, `aws:ec2:image`."
-  }
-
-  validation {
-    condition = alltrue([
-      for parameter in var.parameters :
-      can(parameter.value)
+      contains(["text", "aws:ssm:integration", "aws:ec2:image"], parameter.data_type)
+      if parameter.data_type != null
     ])
-    error_message = "The value for `value` is required."
+    error_message = "Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image`."
   }
 }
 

diff --git a/modules/ssm-parameter-store-parameter-set/versions.tf b/modules/ssm-parameter-store-parameter-set/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.5"
+  required_version = ">= 1.6"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.22"
+      version = ">= 5.43"
     }
   }
 }
diff --git a/modules/ssm-parameter-store-parameter/README.md b/modules/ssm-parameter-store-parameter/README.md
@@ -9,14 +9,14 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.22 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.43 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.50.0 |
 
 ## Modules
 
@@ -37,7 +37,7 @@ This module creates following resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_name"></a> [name](#input\_name) | (Required) Friendly name of the new parameter. If the name contains a path (e.g., any forward slashes (/)), it must be fully qualified with a leading forward slash (/). | `string` | n/a | yes |
 | <a name="input_allowed_pattern"></a> [allowed\_pattern](#input\_allowed\_pattern) | (Optional) A regular expression used to validate the parameter value. For example, for `STRING` types with values restricted to numbers, you can specify `^d+$`. | `string` | `""` | no |
-| <a name="input_data_type"></a> [data\_type](#input\_data\_type) | (Optional) The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ec2:image` for AMI format. Defaults to `text`. | `string` | `"text"` | no |
+| <a name="input_data_type"></a> [data\_type](#input\_data\_type) | (Optional) The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format. Defaults to `text`. `aws:ssm:integration` data\_type parameters must be of the type `SECURE_STRING` and the name must start with the prefix `/d9d01087-4a3f-49e0-b0b4-d568d7826553/ssm/integrations/webhook/`. | `string` | `"text"` | no |
 | <a name="input_description"></a> [description](#input\_description) | (Optional) The description of the parameter. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_ignore_value_changes"></a> [ignore\_value\_changes](#input\_ignore\_value\_changes) | (Optional) Whether to manage the parameter value with Terraform. Ignore changes of `value` or `secret_value` if true. Defaults to `false`. | `bool` | `false` | no |
 | <a name="input_kms_key"></a> [kms\_key](#input\_kms\_key) | (Optional) The ARN or ID of the AWS KMS key to be used to encrypt the parameter value with `SECURE_STRING` type. If you don't specify this value, then Parameter Store defaults to using the AWS account's default KMS key named `aws/ssm`. If the default KMS key with that name doesn't yet exist, then AWS Parameter Store creates it for you automatically the first time. | `string` | `null` | no |

diff --git a/modules/ssm-parameter-store-parameter/main.tf b/modules/ssm-parameter-store-parameter/main.tf
@@ -32,6 +32,8 @@ locals {
 # Parameter on Systems Manager Parameter Store
 ###################################################
 
+# INFO: Deprecated attributes
+# - `overwrite`
 resource "aws_ssm_parameter" "this" {
   count = var.ignore_value_changes ? 0 : 1
 
@@ -46,9 +48,6 @@ resource "aws_ssm_parameter" "this" {
   insecure_value = var.type == "SECURE_STRING" ? null : var.value
   value          = var.type == "SECURE_STRING" ? var.secret_value : null
 
-  # BUG: https://github.com/hashicorp/terraform-provider-aws/issues/25335
-  overwrite = true
-
 
   ## Encryption
   key_id = var.type == "SECURE_STRING" ? var.kms_key : null
@@ -62,6 +61,8 @@ resource "aws_ssm_parameter" "this" {
   )
 }
 
+# INFO: Deprecated attributes
+# - `overwrite`
 resource "aws_ssm_parameter" "self" {
   count = var.ignore_value_changes ? 1 : 0
 
@@ -76,9 +77,6 @@ resource "aws_ssm_parameter" "self" {
   insecure_value = var.type == "SECURE_STRING" ? null : var.value
   value          = var.type == "SECURE_STRING" ? var.secret_value : null
 
-  # BUG: https://github.com/hashicorp/terraform-provider-aws/issues/25335
-  overwrite = true
-
 
   ## Encryption
   key_id = var.type == "SECURE_STRING" ? var.kms_key : null

diff --git a/modules/ssm-parameter-store-parameter/variables.tf b/modules/ssm-parameter-store-parameter/variables.tf
@@ -1,6 +1,7 @@
 variable "name" {
   description = "(Required) Friendly name of the new parameter. If the name contains a path (e.g., any forward slashes (/)), it must be fully qualified with a leading forward slash (/)."
   type        = string
+  nullable    = false
 }
 
 variable "description" {
@@ -14,6 +15,7 @@ variable "tier" {
   description = "(Optional) The parameter tier to assign to the parameter. If not specified, will use the default parameter tier for the region. Valid values are `STANDARD`, `ADVANCED` or `INTELLIGENT_TIERING`."
   type        = string
   default     = null
+  nullable    = true
 
   validation {
     condition = (var.tier != null
@@ -37,14 +39,14 @@ variable "type" {
 }
 
 variable "data_type" {
-  description = "(Optional) The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ec2:image` for AMI format. Defaults to `text`."
+  description = "(Optional) The data type of the parameter. Only required when `type` is `STRING`. Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image` for AMI format. Defaults to `text`. `aws:ssm:integration` data_type parameters must be of the type `SECURE_STRING` and the name must start with the prefix `/d9d01087-4a3f-49e0-b0b4-d568d7826553/ssm/integrations/webhook/`."
   type        = string
   default     = "text"
   nullable    = false
 
   validation {
-    condition     = contains(["text", "aws:ec2:image"], var.data_type)
-    error_message = "Valid values are `text`, `aws:ec2:image`."
+    condition     = contains(["text", "aws:ssm:integration", "aws:ec2:image"], var.data_type)
+    error_message = "Valid values are `text`, `aws:ssm:integration`, `aws:ec2:image`."
   }
 }
 

diff --git a/modules/ssm-parameter-store-parameter/versions.tf b/modules/ssm-parameter-store-parameter/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.5"
+  required_version = ">= 1.6"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.22"
+      version = ">= 5.43"
     }
   }
 }