Is there a templated secret_value resource, that allows default inputs?
I am looking for something like

    resource "random_password" "db_password" {
      length  = 64
      special = false
    }

    resource "secret_value" "connection_string" {
      value = "postgresql://postgres:${random_password.db_password.result}@service-url:5432/postgres"
    }

So it will generate a default secret string when I apply changes. But also supports imports e.g.:

    terraform import secret_value.connection_string "postgresql://...."

There is one that I found, but it does not seem to support default templates.
The reason is that in staging environments, my workloads connect to a postgres deployed in the cluster, whereas for the production environment we're using DB from RDS. Therefore I'd like to be able to import custom value for prod, but leave it as it is for other environments.
This is typically handled by checking for the environment in your Terraform code, and just doing something different based on the environment. For example, if you are using Terraform Workspaces to manage the environment:

    resource "random_password" "db_password" {
      # Only create this resource if the environment is not prod
      count   = terraform.workspace == "prod" ? 0 : 1
      length  = 64
      special = false
    }

    data "aws_secretsmanager_secret" "db_password" {
      # Only read this data source if the environment is prod
      count = terraform.workspace == "prod" ? 1 : 0
      name  = "my_db_password"
    }

    data "aws_secretsmanager_secret_version" "db_password" {
      # Only read this data source if the environment is prod
      count     = terraform.workspace == "prod" ? 1 : 0
      secret_id = data.aws_secretsmanager_secret.db_password[0].id
    }

    locals {
      # Determine the password to use based on the environment.
      # Blocks that use count must be referenced by index, and data sources need the "data." prefix.
      db_password = terraform.workspace == "prod" ? data.aws_secretsmanager_secret_version.db_password[0].secret_string : random_password.db_password[0].result

      # Build the DB connection string
      db_connect_string = "postgresql://postgres:${local.db_password}@service-url:5432/postgres"
    }

Then anywhere in your code that you need the database connection string, you would just use local.db_connect_string
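
The same selection driven by an input variable instead of workspaces, as an added example that is not part of the original answer. The variable name `environment`, its allowed values, and the use of Terraform 0.15 or later (for `one()` and `sensitive()`) are assumptions.

```hcl
# Added example. Assumed: variable "environment" and its allowed values.
variable "environment" {
  type        = string
  description = "Deployment environment (hypothetical variable, not from the original post)"

  validation {
    condition     = contains(["staging", "prod"], var.environment)
    error_message = "The environment must be \"staging\" or \"prod\"."
  }
}

locals {
  is_prod = var.environment == "prod"
}

# Non-prod: generate a password. Its value is stored in the Terraform state.
resource "random_password" "db_password" {
  count   = local.is_prod ? 0 : 1
  length  = 64
  special = false
}

# Prod: read the password that was placed in Secrets Manager out of band.
# secret_id accepts the secret's name or its ARN.
data "aws_secretsmanager_secret_version" "db_password" {
  count     = local.is_prod ? 1 : 0
  secret_id = "my_db_password"
}

locals {
  # one() yields the single element of a count-ed block, or null when count = 0,
  # so neither reference fails in the environment where its block is absent.
  db_password = sensitive(coalesce(
    one(data.aws_secretsmanager_secret_version.db_password[*].secret_string),
    one(random_password.db_password[*].result),
  ))

  db_connect_string = "postgresql://postgres:${local.db_password}@service-url:5432/postgres"
}

# A value derived from a sensitive input must itself be declared sensitive,
# which keeps it redacted in plan and apply output.
output "db_connect_string" {
  value     = local.db_connect_string
  sensitive = true
}
```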