Tags: terraform, terraform-provider-aws, aws-secrets-manager

Ignore change for data source in Terraform?


I use Terraform to provision an RDS database. After the database is created, I use a local-exec block to overwrite its master password inside the database itself, as well as in the secret store.

My problem is now that when I run Terraform the next time, the change in the secret store is detected and the password is fetched and updated. This way, the password is again stored in the Terraform state, a thing I wanted to avoid in the first place.

My code looks like the following and already has an ignore_changes for the version, but the data source does not support it. Is there any way to ignore a change there as well?

# Secret and one-time random password referenced by the blocks below
# (the secret name and password length are assumed; the question does not show them)
resource "aws_secretsmanager_secret" "secret" {
  name = "${var.name}-master-password"
}

data "aws_secretsmanager_random_password" "password" {
  password_length = 32
}

# Initial secret value; later out-of-band rotations are ignored
resource "aws_secretsmanager_secret_version" "secret_version" {
  secret_id = aws_secretsmanager_secret.secret.id
  # stored as JSON so the "password" key decoded below actually exists
  secret_string = jsonencode({
    password = data.aws_secretsmanager_random_password.password.random_password
  })
  lifecycle {
    ignore_changes = [secret_string, secret_binary]
  }
}

# Re-reads the current version from Secrets Manager on every plan;
# data sources do not support lifecycle { ignore_changes }
data "aws_secretsmanager_secret_version" "secret_version" {
  secret_id = aws_secretsmanager_secret.secret.id
  depends_on = [
    aws_secretsmanager_secret.secret,
    aws_secretsmanager_secret_version.secret_version
  ]
}

resource "aws_db_instance" "rds" {
  identifier = var.name
  password   = jsondecode(data.aws_secretsmanager_secret_version.secret_version.secret_string)["password"]
  ...
}

Solution

  • You should delete the data source from your code and just reference the secret value from the resource. The resource already ignores changes to the secret value, so it will work just like you want.

    You should never have both a data source and a resource in your Terraform code that references the same thing, since all the values available on the data source are also available on the resource. This is an anti-pattern, and if you tried to apply that infrastructure to a brand-new, empty AWS account you would actually get an error, because Terraform will always try to look up the data source during the plan phase, before it creates any resources.
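The change the answer describes, written out as a complete configuration. This is an added example, not code from the question or the answer: the resource names and `var.name` follow the question, while the secret name, the password length and the `exclude_punctuation` setting are assumptions.

```hcl
resource "aws_secretsmanager_secret" "secret" {
  name = "${var.name}-master-password" # assumed name
}

# One-time random value, only used to seed the first secret version
data "aws_secretsmanager_random_password" "password" {
  password_length     = 32   # assumed
  exclude_punctuation = true # assumed: avoids characters RDS rejects in master passwords
}

resource "aws_secretsmanager_secret_version" "secret_version" {
  secret_id = aws_secretsmanager_secret.secret.id
  secret_string = jsonencode({
    password = data.aws_secretsmanager_random_password.password.random_password
  })

  # Once the local-exec rotation overwrites the value in Secrets Manager,
  # Terraform must neither read the new value back nor restore the old one.
  lifecycle {
    ignore_changes = [secret_string, secret_binary]
  }
}

# No data "aws_secretsmanager_secret_version" block: the password comes straight
# from the resource above, whose secret_string is frozen by ignore_changes, so a
# later plan never sees the rotated value and never diffs the RDS password.
resource "aws_db_instance" "rds" {
  identifier = var.name
  password   = jsondecode(aws_secretsmanager_secret_version.secret_version.secret_string)["password"]
  # ... engine, instance_class, allocated_storage, etc. as in the question
}
```

One caveat worth checking before relying on this: the initial password is still in the state file, as the `secret_string` attribute of the secret version and the `password` attribute of the DB instance. The provider marks both as sensitive, which hides them from plan output but does not encrypt the state, so the backend still needs encryption at rest and tight access control. What the change buys is that the rotated value is never pulled back into state; after the first rotation the value in state is stale. If the goal is to keep the master password out of state entirely, the `manage_master_user_password` argument of `aws_db_instance` lets RDS generate the password and store it in Secrets Manager itself, so the configuration never handles the value at all.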