amazon-web-serviceslambdaterraformterraform-provider-awssecret-manager

Terraform 'aws_secretsmanager_secret' pass arn error: Invalid template interpolation value


I have a Lambda which will read a secret from Secret Manager, they all managed by Terraform. So in Terraform I have a definition for this secret:

resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

and for Lambda, I have attached a permission to get the secret:

resource "aws_iam_role_policy" "example_role_policy" {
  name   = "example-role-policy"
  role   = aws_iam_role.example_lambda_role.id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
.....(other needed permissions)
    },
    {
      "Sid": "GetDatabaseSecret",
      "Effect":"Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "${local.secret_arn}"
    }
  ]
}
POLICY
}

I have secret_arn defined in variables:

locals{

secret_arn = "arn:aws:secretsmanager:::us-east-1:${local.account_number}:secret:${aws_secretsmanager_secret.example}-*"

}

When I apply Terraform, it gave me error:

Error: Invalid template interpolation value

  on ..\..\xxx\terraform\variables.tf line 39, in locals:
  39:   secret_arn = "arn:aws:secretsmanager:::us-east-1:${local.account_number}:secret:${aws_secretsmanager_secret.example}-*"
    |----------------
    | aws_secretsmanager_secret.example is object with 12 attributes

Cannot include the given value in a string template: string required.

I tried to replae *with ?????? in the secrect_arn but still not working, couldn't find anything useful online, might someone be able to help? Many thanks.


Solution

  • Your local.secret_arn should be using ${aws_secretsmanager_secret.example.name}-*", not ${aws_secretsmanager_secret.example}-*".

    But the easiest way to get the arn in your policy it would be simply:

    resource "aws_iam_role_policy" "example_role_policy" {
      name   = "example-role-policy"
      role   = aws_iam_role.example_lambda_role.id
      policy = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
    .....(other needed permissions)
        },
        {
          "Sid": "GetDatabaseSecret",
          "Effect":"Allow",
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": "${aws_secretsmanager_secret.example.arn}"
        }
      ]
    }
    POLICY
    }