IaC Bazaar
AWS · Live-tested

SSM Parameter Store (map-driven)

Map-driven SSM Parameter Store parameters — String, StringList, and SecureString — created from a single map, with SecureString always KMS-encrypted and the free Standard tier by default.

terraform · AWS · #aws
aws-ssm-parameter-store · terraform v1.7

Verification

Live-tested

Deployed for real, verified, confirmed idempotent, and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30

Documentation

aws-ssm-parameter-store

Map-driven SSM Parameter Store parameters — String, StringList, and SecureString — created from a single parameters map with for_each. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. SecureString values are always encrypted at rest (a customer KMS key when you supply one, otherwise the AWS-managed alias/aws/ssm key), and the default Standard tier is free.

Status: static-validated, live-test pending. Ships under live-test quarantine — validated with tofu fmt, tofu validate, and tflint. Real apply → read → destroy against an AWS account is pending a cloud sandbox. Standard-tier parameters are free to create/store, so the live test creates a couple and tears them down immediately.

What you get:

  • aws_ssm_parameter (one per map entry) — String / StringList / SecureString, per-parameter tier, data_type, allowed_pattern, key_id, and tags.
  • A clean name hierarchy: name_prefix is prepended to every map key, so {"app/log-level" = …} under name_prefix = "/myapp/prod/" becomes /myapp/prod/app/log-level.

Secure defaults

  • Encryption at rest is automatic for SecureString: a customer-managed CMK via key_id / default_kms_key_id, or the AWS-managed alias/aws/ssm key when none is given. key_id is rejected on non-SecureString parameters.
  • Standard tier (free) by default — no surprise Advanced-tier charges.
  • Provider marks value sensitive, so plaintext never appears in plan output. (Note: like any non-write-only SSM parameter, the value is stored in Terraform state — protect your state backend, or manage rotation out of band.)
  • Strict input validation: type / tier / data_type are constrained to their valid sets, key_id is rejected on non-SecureString parameters, and non-text data types are rejected on non-String parameters.
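
The state caveat above can be checked mechanically. This Python script is an added example, not part of the module or its download: it audits a Terraform state file (format version 4) for SecureString parameters whose plaintext sits in state, that rely on the AWS-managed alias/aws/ssm key, or that use the Advanced tier. The sample state, the db/password and api/token entries, the alias/example-cmk key and the finding labels are constructed for illustration.

```python
import json

AWS_MANAGED_KEY = "alias/aws/ssm"  # default key named on this page

# Constructed sample: a trimmed Terraform state (format version 4), not real output.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed", "type": "aws_ssm_parameter", "name": "this",
        "instances": [
            {"index_key": "app/log-level", "attributes": {
                "name": "/myapp/prod/app/log-level", "type": "String",
                "tier": "Standard", "key_id": "", "value": "info"}},
            {"index_key": "db/password", "attributes": {
                "name": "/myapp/prod/db/password", "type": "SecureString",
                "tier": "Standard", "key_id": "alias/aws/ssm",
                "value": "constructed-not-a-real-secret"}},
            {"index_key": "api/token", "attributes": {
                "name": "/myapp/prod/api/token", "type": "SecureString",
                "tier": "Advanced", "key_id": "alias/example-cmk",
                "value": "constructed-not-a-real-secret"}},
        ],
    }],
})


def audit_state(state_text):
    """Return (parameter name, finding) pairs; the values themselves are never returned."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "aws_ssm_parameter":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            name = attrs.get("name", "<unnamed>")
            if attrs.get("type") == "SecureString":
                if attrs.get("value"):  # secret is readable by anyone who can read state
                    findings.append((name, "plaintext-in-state"))
                # Assumption: an empty key_id or the alias means the AWS-managed key.
                if attrs.get("key_id") in (None, "", AWS_MANAGED_KEY):
                    findings.append((name, "aws-managed-key"))
            if attrs.get("tier") == "Advanced":  # billed tier, unlike Standard
                findings.append((name, "advanced-tier"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_state(SAMPLE_STATE):
        print(f"{finding:20} {name}")
```

Run it against a copy of the state pulled from your backend; the output lists parameter names only, so it is safe to paste into a ticket.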

Provider pin

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 6.0, < 7.0"
    }
  }
}

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
