feat: allow importing and easy referencing of external secrets

pevisscher · pevisscher · commit 4331181db6e1 · 2024-07-09T15:51:09.000+02:00
diff --git a/terraform/persistent/secret.tf b/terraform/persistent/secret.tf
@@ -1,30 +1,53 @@
-variable "ssm_parameter" {
+variable "secret" {
   type = map(
     object({
       name = string
-      type = optional(string, "SecureString")
     })
   )
   default  = {}
   nullable = false
 }
 
-resource "aws_ssm_parameter" "ssm_parameter" {
-  for_each = var.ssm_parameter
+variable "external_secret" {
+  type = map(
+    object({
+      arn = optional(string)
+      name = optional(string)
+    })
+  )
+  default  = {}
+  nullable = false
+}
 
-  name  = each.value
-  type  = each.value.type
-  value = ""
+resource "aws_secretsmanager_secret" "secret" {
+  for_each = var.secret
 
-  lifecycle {
-    ignore_changes = [value]
+  name = each.value.name
+}
+
+data "aws_secretsmanager_secret" "secret" {
+  for_each = {
+    for secret_id, definition in var.external_secret : secret_id => definition.name
+    if definition.name != null && definition.arn == null
   }
+  name = each.value.name
 }
 
-output "ssm_parameter" {
-  value = {
-    for parameter_id, definition in aws_secretsmanager_secret.secret : parameter_id => {
+output "secret" {
+  value = merge({
+    for secret, definition in aws_secretsmanager_secret.secret : secret => {
       arn = definition.arn
     }
-  }
+  },
+  {
+    for secret, definition in data.aws_secretsmanager_secret.secret : secret => {
+      arn = definition.arn
+    }
+  },
+  {
+    for secret_id, definition in var.external_secret : secret_id => {
+      arn = definition.arn
+    } if definition.arn != null
+  },
+  )
 }
diff --git a/terraform/persistent/ssm-parameter.tf b/terraform/persistent/ssm-parameter.tf
@@ -1,22 +1,29 @@
-variable "secret" {
+variable "ssm_parameter" {
   type = map(
     object({
       name = string
+      type = optional(string, "SecureString")
     })
   )
   default  = {}
   nullable = false
 }
 
-resource "aws_secretsmanager_secret" "secret" {
-  for_each = var.secret
+resource "aws_ssm_parameter" "ssm_parameter" {
+  for_each = var.ssm_parameter
 
-  name = each.value.name
+  name  = each.value
+  type  = each.value.type
+  value = ""
+
+  lifecycle {
+    ignore_changes = [value]
+  }
 }
 
-output "secret" {
+output "ssm_parameter" {
   value = {
-    for secret, definition in aws_secretsmanager_secret.secret : secret => {
+    for parameter_id, definition in aws_secretsmanager_secret.secret : parameter_id => {
       arn = definition.arn
     }
   }
