-
Notifications
You must be signed in to change notification settings - Fork 8.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
resource/aws_ssm_parameter: Remove overwrite
parameter
#25636
Comments
Hi, @gdavison. I agree that it doesn't match the Terraform resource model, but I'm struggling with this a bit: should the provider be more faithful to the API or more faithful to the Terraform resource model? I'm currently building something where I was expecting AWS SSM Parameter Store's It's more strictly (statefully) controlled for production environments. I'll admit, this is an edge case and maybe I'm doing it wrong. I'm torn. |
And how do I need to handle situations where I want to create new version by Terraform rather than recreate parameter each time? For example I need to have versioning for Canary deployments. |
@gdavison Any comment on this? This change is breaking and you haven't give any alternative...? |
@gdavison From terraform docs overwrite - (Optional, Deprecated) Overwrite an existing parameter. If not specified, will default to false if the resource has not been created by terraform to avoid overwrite of existing resource and will default to true otherwise (terraform lifecycle rules should then be used to manage the update behavior). Can you give me an example how to use lifecycle meta-argument to achieve same behaviour? I tried almost everything, but have no clue what you meant by that note. |
I too am in the same boat as @orlovmyk ^^^ and would benefit to see an example of lifecycle rules in the documentation. For context: In trying to move to the 5.0 version of AWS provider, I removed the │ Error: updating SSM Parameter (/discovery/v1/namespaces/...): ParameterAlreadyExists: The parameter already exists. To overwrite this value, set the overwrite option in the request to true. edit isn't it strange to see the error message recommending to set a deprecated parameter? The terraform looks something like: locals {
discovery_path = "/discovery/v1/namespaces/${var.config.id}"
discovery_params = {
account_name = "foo"
account_tier = "bar"
...
}
}
resource "aws_ssm_parameter" "discovery" {
for_each = local.discovery_params
name = "${local.discovery_path}/${each.key}"
type = "String"
value = jsonencode(each.value)
tags = {
Namespace = var.config.id
}
} Any ideas on managing these paramters whose values perodically change? /cc @jar-b Thanks! |
To followup on ^^^, following the migration guide for aws_ssm_parameter I tried importing these resources and am getting "Resource already managed by terraform" error...
so kind of at a loss of what to do. We have a many params across many configurations and the removing from state <-> re-importing is not a trivial thing. to sumarize,
|
Not sure why this was marked as depreciated before feeling it out. |
I believe this will break at least one workflow in an environment I work with. There is a base set of Terraform that creates initial resources in an account, including setting some SSM Parameters. This Terraform uses lifecycling to ignore changes to the SSM Parameter value that it sets. Later, in another set of Terraform managing other resources for the same account, these SSM Parameters are referenced via a Some resources are created (in Kubernetes) based on that SSM Parameter before the SSM Parameter is finally overwritten with a new value. That resource in Kubernetes does its thing and then ceases to exist. We do not want Terraform to create the resource on every Because this manipulation of the same SSM Parameter happens in different Terraform workspaces (and separate state files), I believe that the overwriting of the SSM Parameter that we do here would cause an error if the The parameter wouldn't exist in the 2nd state file, which I believe means that Terraform wouldn't know to set the |
Hi everyone - first off, we apologize for the confusion deprecation of this argument and the entry in the V5 upgrade guide have caused. Given the number of questions, a more detailed explanation of the propsed changes is in order. Ultimately the goal is to align the SSM parameter resource with the standard Terraform resource model. Specifically, the The sections below cover each of these issues in more depth, and provide descriptions of how the same behavior can be achieved once this attribute is removed in Import on createCurrent behaviorSetting Future behaviorIn import {
to = aws_ssm_parameter.example
id = "/some/param"
}
resource "aws_ssm_parameter" "example" {
name = "/some/param"
# (other resource arguments...)
} Skipping updates without a lifecycle ruleCurrent behaviorSetting Future behaviorIn resource "aws_ssm_parameter" "example" {
name = "/some/param"
type = "String"
value = "foo"
lifecycle {
ignore_changes = [value]
}
} What changed in
|
@jar-b thanks for the update and clear explanation. is there a workaround for 5.0 currently to avoid the deprecation notice? in my situation I am;
thus I have to set overwrite to true and see the deprecation notice. I think my use-case is that I always have managed the ssm parameter via the terraform configuration (in v4 of the aws provider), but decided to set |
Hey @briceburg - Based on your description is sounds like you're expecting the standard Terraform workflow, mentioned above here:
There isn't currently a workaround to avoid the deprecation notice in |
Ok great! We can live with it =) I wanted to doubly make sure our terraforms were not deviating too far towards exotic... So in a post v6+ world, where we have an SSM parameter created by an "upstream" terraform configuration and potentially updated by a "downstream" one, could we use the following pattern? upstream terraform# create addon discovery params
resource "aws_ssm_parameter" "addons" {
for_each = toset(["foo", "bar"])
name = "/disovery/v1/addons/${each.key}"
type = "String"
value = jsonencode({ enabled : false })
# ignore subsequent 'downstream' changes
lifecycle {
ignore_changes = [value, tags]
}
} downstream terraformimport {
id = "/disovery/v1/addons/foo"
to = aws_ssm_parameter.discovery
}
# enable the 'foo' addon
resource "aws_ssm_parameter" "discovery" {
name = "/disovery/v1/addons/foo"
type = "String"
value = jsonencode({
enabled = true
hello = "world"
})
} |
Yes, the The import docs also mention leaving the block permanently as a record of the resource origin, so I don't think this approach deviates too far from the intended use of the feature.
|
Hi, the overwrite feature has been working for years and it's a crucial part for a tons of deployments in my company now. We store docker tags (as well as other deployment-wide params) of the images in SSM param store and using "terraform apply -var image_ver=1234" to deploy new image to AWS ECS. In case when image_ver var is not specified the image version gets collected using terraform data. It's a bullet proof schema that has been working like a charm for years. |
In our case we use a variable to set part of the ssm path - and the new import block does not support this.
Error: Variables not allowed |
In our case, we have the creation of every ssm parameter store with a "null" value first, and after, in another terraform stack, we define the value of these parameters. The creation part with
The second part, update the parameter's value without overwrite is very painful because we have all our terraform projects developed with nested modules and the
While with |
Kinda weird that there is no in the middle workaround. Usually, when something is deprecated. The future configuration is implemented in a non-breaking way with a deprecation warning. And in the next major release, the deprecated functionality is removed. If I understood this thread correctly, there is no way to implement the new configuration before moving to v6.0.0 which is kinda weird. |
I am using terraform v1.1.2 version If I want to use import block instead of overrite = "true" , The import blocks are only available in Terraform v1.5.0 and later. If I use terraform import command its says resource already managed by terraform. If I remove overrrite parameter it says resource already created. So I need to upgrade terraform version to latest v1.6.0 for this change ? or is there any other workaround for this? |
I agree that it's very strange to get a deprecation warning without any action possible until the actual breaking change. Either there should be
What we have now is the worst of both worlds. Correct me if I'm wrong. |
Hi, I'm a little confused as well ... I did attempt to remove that "overwrite" from my code, at which point terraform is unable to write values, when rotating some secret. Can't share exact code here, sorry, ... imagine I have an iam_access_key. its value written as an SSM parameter. And a time_rotating. Would make sense for replacement to first delete old value, and only then write new copy. Thanks! |
I am very confused after coming across this deprecation warning, so I disabled the overwrite value.
What should I do to adhere to the deprecation warning and deprecate the parameter while still allowing me to set parameter values? |
In some cases, we use the overwrite flag to ensure that terraform takes over any existing parameter store entries that might have been manually added in the past. they don't necessarily exist. if we try to use an import block, it will fail if it doesn't exist. There's no way to say "import if it exists, otherwise create it", which the current |
Community Note
Description
The AWS API uses a PUT operation to create or modify SSM Parameters. By default it will return an error on modify, but setting
Overwrite = true
allows the modification.The
aws_ssm_parameter
resource exposes this as the parameteroverwrite
. This is redundant for Update operations, since the provider always sets it totrue
. When creating anaws_ssm_parameter
, settingoverwrite = true
allows the Create operation to act as an Import. This does not match the standard Terraform resource model, so should be removed.This will be a breaking change.
The text was updated successfully, but these errors were encountered: