DR-235 Ignore value field changes to smm param

Author: megan-bower4

infrastructure/modules/ssm_parameter/main.tf

@@ -1,4 +1,20 @@
 resource "aws_ssm_parameter" "secret" {
+  count       = var.ignore_value_changes ? 0 : 1
+  name        = "/ndr/${terraform.workspace}/${var.name}"
+  type        = var.type
+  description = var.description
+  value       = var.value
+  key_id      = var.key_id
+  depends_on  = [var.resource_depends_on]
+  tags = {
+    Name = "${terraform.workspace}-ssm"
+  }
+
+}
+
+
+resource "aws_ssm_parameter" "secret_ignore_value_changes" {
+  count       = var.ignore_value_changes ? 1 : 0
   name        = "/ndr/${terraform.workspace}/${var.name}"
   type        = var.type
   description = var.description
@@ -10,7 +26,9 @@ resource "aws_ssm_parameter" "secret" {
   }
 
   lifecycle {
-    ignore_changes = var.ignore_changes
+    ignore_changes = [
+      value,
+    ]
   }
 }
 

infrastructure/modules/ssm_parameter/variable.tf

@@ -44,8 +44,8 @@ variable "key_id" {
   description = "KMS Key ID or ARN to encrypt the SecureString parameter"
 }
 
-variable "ignore_changes" {
-  type        = list(string)
-  default     = []
-  description = "List of resource attributes to ignore changes for"
+variable "ignore_value_changes" {
+  type        = bool
+  default     = false
+  description = "Whether to ignore changes to the value field"
 }

infrastructure/ssm_parameters_externally_signed_mtls.tf

@@ -1,26 +1,26 @@
 # Creating Params to hold a copy of externally signed client cert and key
 module "ssm_param_external_client_cert" {
   # count       = var.externally_signed_certs ? 1 : 0
-  source         = "./modules/ssm_parameter"
-  environment    = var.environment
-  owner          = var.owner
-  name           = "external_client_cert"
-  type           = "SecureString"
-  description    = "Externally signed client certificate for mTLS"
-  value          = "REPLACE_ME"
-  key_id         = module.sns_encryption_key.key_id
-  ignore_changes = ["value"]
+  source               = "./modules/ssm_parameter"
+  environment          = var.environment
+  owner                = var.owner
+  name                 = "external_client_cert"
+  type                 = "SecureString"
+  description          = "Externally signed client certificate for mTLS"
+  value                = "REPLACE_ME"
+  key_id               = module.sns_encryption_key.key_id
+  ignore_value_changes = true
 }
 
 module "ssm_param_external_client_key" {
   # count       = var.externally_signed_certs ? 1 : 0
-  source         = "./modules/ssm_parameter"
-  environment    = var.environment
-  owner          = var.owner
-  name           = "external_client_key"
-  type           = "SecureString"
-  description    = "Externally signed client certificate for mTLS"
-  value          = "REPLACE_ME"
-  key_id         = module.sns_encryption_key.key_id
-  ignore_changes = ["value"]
+  source               = "./modules/ssm_parameter"
+  environment          = var.environment
+  owner                = var.owner
+  name                 = "external_client_key"
+  type                 = "SecureString"
+  description          = "Externally signed client certificate for mTLS"
+  value                = "REPLACE_ME"
+  key_id               = module.sns_encryption_key.key_id
+  ignore_value_changes = true
 }