How to convert the aws secret manager string to map in terraform (0.11.13)


I have a secret stored in AWS Secrets Manager and am trying to integrate it within terraform during runtime. We are using terraform version 0.11.13, and updating to the latest terraform is in the roadmap.

We all want to use the jsondecode() available as part of the latest terraform, but need to get a few things integrated before we upgrade our terraform.

We tried to use the below helper external data program suggested as part of https://github.com/terraform-providers/terraform-provider-aws/issues/4789.

data "external" "helper" {
  program = ["echo", "${replace(data.aws_secretsmanager_secret_version.map_example.secret_string, "\\\"", "\"")}"]
}

But we ended up getting this error now.

data.external.helper: can't find external program "echo"

Google search didn't help much.

Any help will be much appreciated.

OS: Windows 10


There is 1 answer

Geoff

It sounds like you want to use a data source for the aws_secretsmanager_secret.

Resources in terraform create new resources. Data sources in terraform reference the value of existing resources in terraform.

data "aws_secretsmanager_secret" "example" {
  arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456"
}

data "aws_secretsmanager_secret_version" "example" {
  secret_id     = data.aws_secretsmanager_secret.example.id
  version_stage = "example"
}

Note: you can also use the secret name. Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret

Then you can use the value from this like so:

output "MySecretJsonAsString" {
  value = data.aws_secretsmanager_secret_version.example.secret_string
}

Per the docs, the secret_string property of this resource is:

The decrypted part of the protected secret information that was originally provided as a string.

You should also be able to pass that value into jsondecode and then access the properties of the json body individually.

But you asked for a terraform 0.11.13 solution. If the secret value is defined by terraform you can use the terraform state datasource to get the value. This does trust that nothing else is updating the secret other than terraform. But the best answer is to upgrade your terraform. This could be a useful stopgap until then.

As a recommendation, you can make the version of terraform specific to a module and not your whole organization. I do this through the use of docker containers that run specific versions of the terraform bin. There is a script in the root of every module that will wrap the terraform commands to come up in the version of terraform meant for that project. Just a tip.
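The question's "external" data source approach can be made to work on 0.11 (and on Windows, where "echo" is a shell builtin rather than a program) by pointing it at a small script that implements the external protocol. The following is an added example, not code from the question, the answer or the linked GitHub issue; it assumes the script is saved as secret_to_map.py and that "python" is on PATH.

```python
"""Terraform 0.11 "external" data-source helper (assumed name: secret_to_map.py).
0.11 has no jsondecode(), so the JSON secret is parsed here. Terraform writes the
query as a JSON object of strings on stdin and expects a JSON object whose values
are all strings on stdout, e.g.:

  data "external" "secret_map" {
    program = ["python", "${path.module}/secret_to_map.py"]
    query   = { secret_string = "${data.aws_secretsmanager_secret_version.example.secret_string}" }
  }
  # ${data.external.secret_map.result["username"]}
The result, like secret_string itself, lands in Terraform state in plaintext, so
the state backend needs the same protection as the secret.
"""
import json
import sys


def to_external_result(query):
    """Parse query["secret_string"] as JSON and flatten it to a str->str map.

    Non-string scalars (numbers, booleans, null) are re-encoded as JSON text to
    satisfy the string-only contract; nested objects/arrays are rejected.
    """
    raw = query.get("secret_string")
    if not isinstance(raw, str):
        raise ValueError("query must contain a 'secret_string' key")
    try:
        secret = json.loads(raw)
    except ValueError as exc:
        raise ValueError("secret_string is not valid JSON: %s" % exc)
    if not isinstance(secret, dict):
        raise ValueError("secret_string must be a JSON object")
    result = {}
    for key, value in secret.items():
        if isinstance(value, (dict, list)):
            raise ValueError("key %r is nested; result must be a flat map" % key)
        result[key] = value if isinstance(value, str) else json.dumps(value)
    return result


def main():
    try:
        result = to_external_result(json.load(sys.stdin))
    except ValueError as exc:
        # Non-zero exit makes Terraform report stderr as the data source error.
        sys.stderr.write("secret_to_map: %s\n" % exc)
        sys.exit(1)
    json.dump(result, sys.stdout)


if __name__ == "__main__":
    main()
```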