How to prevent terraform from asking for the value of a variable that is set on AWS Secrets Manager?

Time:11-02

I have the following HCL code, which asks for and reads the secret_api_key variable from the terminal on terraform plan and saves it in Secrets Manager.

variable "secret_api_key" {
  type        = string
  sensitive   = true
}

resource "aws_secretsmanager_secret" "secret_api_key" {
  name = "secret_api_key"
}

resource "aws_secretsmanager_secret_version" "secret_api_key" {
  secret_id     = aws_secretsmanager_secret.secret_api_key.id
  secret_string = var.secret_api_key
}

In another configuration, the secret is read like this:

data "aws_secretsmanager_secret" "secret_api_key" {
  name       = "secret_api_key"
  depends_on = [aws_secretsmanager_secret.secret_api_key]
}

data "aws_secretsmanager_secret_version" "secret_api_key" {
  secret_id = data.aws_secretsmanager_secret.secret_api_key.id
}

resource "aws_lambda_function" "s3_to_service" {
  ...
  environment {
    variables = {
      SECRET_ARN = data.aws_secretsmanager_secret_version.secret_api_key.arn
    }
  }
}

How do I force Terraform to not ask me for the API key every time I plan? It needs to ask me the first time I do it, to store it in Secrets Manager. But after that, it is redundant. How can I avoid this?

CodePudding user response:

Not really.

Either you manually provide a value every time or you don't, but Terraform variables require a value specified in some shape, way, or form, whether by you or by default, every time you want to evaluate a Terraform configuration.

If you plan/apply aws_secretsmanager_secret, there is no way around supplying a value manually unless you hard-code a value or specify a default.

Terraform works based on calculating differences in the state - it needs to know what your expected state is (with your variable value) to then compare it with the actual state.

I would advise you to plan/apply the Terraform config for the secret when you want to create/update it & to separate the creation of the secret from the usage of the secret.

Then, you can use data.aws_secretsmanager_secret.secret_api_key to access it as you have.
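The split the answer recommends, written out as an added illustration (this is not code from the question or the answer): the secret lives in its own root module that is only applied when the value is created or rotated, and the consumer module reads it by name through data sources alone, so its plan never prompts for a variable. The function name, role resource, handler, runtime and zip filename are assumed placeholders.

```hcl
# secrets/main.tf -- apply this module only when the key is created or rotated.
# The value is supplied once, via -var, TF_VAR_secret_api_key, or a .tfvars file.
variable "secret_api_key" {
  type      = string
  sensitive = true
}

resource "aws_secretsmanager_secret" "secret_api_key" {
  name = "secret_api_key"
}

resource "aws_secretsmanager_secret_version" "secret_api_key" {
  secret_id     = aws_secretsmanager_secret.secret_api_key.id
  secret_string = var.secret_api_key
}

# consumer/main.tf -- a separate root module with its own state. It declares no
# secret variable, so plan/apply never prompts. The depends_on from the question
# is dropped because the resource it pointed at does not exist in this module.
data "aws_secretsmanager_secret" "secret_api_key" {
  name = "secret_api_key"
}

resource "aws_lambda_function" "s3_to_service" {
  function_name = "s3-to-service"          # assumed
  role          = aws_iam_role.lambda.arn  # assumed role resource
  handler       = "handler.main"           # assumed
  runtime       = "python3.11"             # assumed
  filename      = "lambda.zip"             # assumed

  environment {
    variables = {
      # Only the ARN is passed. Because the consumer never reads the
      # aws_secretsmanager_secret_version data source, the secret value is not
      # pulled into this module's state; the function fetches it at runtime.
      SECRET_ARN = data.aws_secretsmanager_secret.secret_api_key.arn
    }
  }
}

# Least privilege for that runtime fetch: this one secret, read-only.
data "aws_iam_policy_document" "read_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [data.aws_secretsmanager_secret.secret_api_key.arn]
  }
}
```

Attach the policy document to the assumed aws_iam_role.lambda with an aws_iam_role_policy; the consumer module can then be planned freely without the key ever being typed again.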
