Terraform missing when value should be passed in from tfvar file-CodePudding

I have a terraform project which contains a main module and a submodule. Something like this:

\modules
 dev.tfvars
 \app
  \main
   main.tf, output.tf, providers.tf, variables.tf
  \sub-modules
   \eventbridge
    main.tf, output.tf, variables.tf

Both variables.tf files have this variable defined:

variable "secrets" {
    description = "map for secret manager"
    type = map(string)
}

The top level main.tf has this defined:

module "a-eventbridge-trigger" {
    source          = "../sub-modules/eventbridge"
    secrets         = var.secrets
}

The submodule main.tf has this:

resource "aws_cloudwatch_event_connection" "auth" {
  name               = "request-token"
  description        = "Gets token"
  authorization_type = "OAUTH_CLIENT_CREDENTIALS"

  auth_parameters {
    oauth {
      authorization_endpoint = "${var.apiurl}"
      http_method            = "POST"

      oauth_http_parameters {
        body {
          key             = "grant_type"
          value           = "client_credentials"
          is_value_secret = true
        }
        
        body {
          key             = "client_id"
          value           = var.secrets.Client_Id
          is_value_secret = true
        }
        
        body {
          key             = "client_secret"
          value           = var.secrets.Client_Secret
          is_value_secret = true
        }
      }
    }
  }
}

However, when run it throws this error:

Error: error creating EventBridge connection (request-token): InvalidParameter: 2 validation error(s) found.
- missing required field, CreateConnectionInput.AuthParameters.OAuthParameters.ClientParameters.ClientID.
- missing required field, CreateConnectionInput.AuthParameters.OAuthParameters.ClientParameters.ClientSecret.

A file dump ahead of the terrform apply command successfully dumps out the contents of the tfvars file, so I know it exists at time of execution.

The top level output.tf successfully writes out the complete values of the secrets variable after execution, so I know the top level module receives the variables.

In the submodule, the resources defined after the aws_cloudwatch_event_connection block do get created and they also use variables received from the same tfvars file.

Is this a problem with how I am providing the variables or with my definition of the resources itself? (Or something else?)

CodePudding user response：

client_parameters is missing on your configuration, you need to set it in auth_parameters.oauth

resource "aws_cloudwatch_event_connection" "auth" {
  name               = "request-token"
  description        = "Gets token"
  authorization_type = "OAUTH_CLIENT_CREDENTIALS"

  auth_parameters {
    oauth {
      authorization_endpoint = "${var.apiurl}"
      http_method            = "POST"

      client_parameters {
        client_id     = var.secrets.Client_Id
        client_secret = var.secrets.Client_Secret
      }

      oauth_http_parameters {
        body {
          key             = "grant_type"
          value           = "client_credentials"
          is_value_secret = true
        }
      }
    }
  }
}