add unocking feature

README.md

@@ -75,6 +75,32 @@ module "parameters_and_parse_files" {
 }
 ```
 
+#### Unlocked variables example(wont be changed by terraform):
+You can lock each parameter or all the parameters
+```hcl
+module "parameters" {
+  source  = "zahornyak/multiple-ssm-parameters/aws"
+  
+  parameters = {
+    db_name = {
+      name        = "foo"
+      value       = "bar"
+      type        = "String"
+      description = "name of the db"
+    }
+    db_password = {
+      value       = "password"
+      type        = "String"
+      description = "secure password"
+      unlocked = true
+    }
+  }
+
+  #  unlocked = true
+}
+```
+
+
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -101,6 +127,7 @@ No modules.
 |------|------|
 | [aws_ssm_parameter.parsed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_ssm_parameter.unlocked](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [local_file.config_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
 
 ## Inputs
@@ -111,6 +138,7 @@ No modules.
 | <a name="input_parameter_prefix"></a> [parameter\_prefix](#input\_parameter\_prefix) | prefix for parameter names. For example you wanna split dev/prod parameters so you wanna add /service\_name/development/ prefix before parameter name | `string` | `null` | no |
 | <a name="input_parameters"></a> [parameters](#input\_parameters) | map of parameters for parameter store | `any` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Specifies a tags | `any` | `{}` | no |
+| <a name="input_unlocked"></a> [unlocked](#input\_unlocked) | if true - sets the ignore lifecycle policy and disable terraform managing the version of the resource | `bool` | `false` | no |
 
 ## Outputs
 

examples/simple/main.tf

@@ -14,6 +14,9 @@ module "parameters" {
       value       = "password"
       type        = "String"
       description = "secure password"
+      unlocked    = true
     }
   }
+
+  #  unlocked = true
 }

main.tf

@@ -1,5 +1,5 @@
 resource "aws_ssm_parameter" "this" {
-  for_each = var.parameters
+  for_each = { for k, v in var.parameters : k => v if !var.unlocked && try(v.unlocked, false) == false }
 
   name            = var.parameter_prefix != null ? "${var.parameter_prefix}${lookup(each.value, "name", null) == null ? each.key : lookup(each.value, "name")}" : lookup(each.value, "name", null) == null ? each.key : lookup(each.value, "name")
   type            = lookup(each.value, "type", "SecureString")
@@ -15,6 +15,27 @@ resource "aws_ssm_parameter" "this" {
   tags = merge(var.tags, lookup(each.value, "tags", null))
 }
 
+resource "aws_ssm_parameter" "unlocked" {
+  for_each = { for k, v in var.parameters : k => v if var.unlocked || try(v.unlocked, false) == true }
+
+  name            = var.parameter_prefix != null ? "${var.parameter_prefix}${lookup(each.value, "name", null) == null ? each.key : lookup(each.value, "name")}" : lookup(each.value, "name", null) == null ? each.key : lookup(each.value, "name")
+  type            = lookup(each.value, "type", "SecureString")
+  value           = lookup(each.value, "value", null)
+  description     = lookup(each.value, "description", null)
+  allowed_pattern = lookup(each.value, "allowed_pattern", null)
+  data_type       = lookup(each.value, "data_type", null)
+  insecure_value  = lookup(each.value, "insecure_value", null)
+  key_id          = lookup(each.value, "key_id", null)
+  overwrite       = lookup(each.value, "overwrite", null)
+  tier            = lookup(each.value, "tier", null)
+
+  tags = merge(var.tags, lookup(each.value, "tags", null))
+
+  lifecycle {
+    ignore_changes = [value]
+  }
+}
+
 
 data "local_file" "config_file" {
   count    = var.file_path != null ? 1 : 0

variables.tf

@@ -21,3 +21,9 @@ variable "parameter_prefix" {
   default     = null
   type        = string
 }
+
+variable "unlocked" {
+  description = "if true - sets the ignore lifecycle policy and disable terraform managing the version of the resource"
+  type        = bool
+  default     = false
+}