From bab319247c681b35877582d801c09ecec49af94f Mon Sep 17 00:00:00 2001 From: Eric Milford Date: Tue, 7 Jan 2025 08:56:20 -0500 Subject: [PATCH] Update to v5.x of terraform-provider-aws (#27) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Switch this and dependent modules to the v5.x of the Terraform AWS provider to support the latest AWS features, like RDS' io2. - Fix dynamic statement block ``` │ on .terraform/modules/production.auth_token/secret/main.tf line 43, in data "aws_iam_policy_document" "secret": │ 43: identifiers = [statement.arn] │ │ This object does not have an attribute named "arn". ``` https://developer.hashicorp.com/terraform/language/expressions/dynamic-blocks - Fix user managed secret environment variables NOTE: This cherry picks a commit from a [PR @jferris opened] to address the same issue. - Terraform was complaining about calling `nonsensitive` when the value wasn't sensitive; this forces the initial value to potentially be sensitive to avoid the error. - We can skip parsing out the environment variables for the user managed secret module, because they are passed in directly. [PR @jferris opened]: https://github.com/thoughtbot/terraform-aws-secrets/pull/13
---
 secret/main.tf | 6 +++---
 user-managed-secret/outputs.tf | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/secret/main.tf b/secret/main.tf
index 179b74c..477c793 100644
--- a/secret/main.tf
+++ b/secret/main.tf
@@ -40,7 +40,7 @@ data "aws_iam_policy_document" "secret" {
 ]
 principals {
 type = "AWS"
- identifiers = [statement.arn]
+ identifiers = [statement.value.arn]
 }
 }
 }
@@ -136,7 +136,7 @@ data "aws_iam_policy_document" "key" {
 resources = ["*"]
 principals {
 type = "AWS"
- identifiers = [statement.arn]
+ identifiers = [statement.value.arn]
 }
 }
 }
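Review bot: In the `key` policy document hunk, `resources = ["*"]` sits directly above the corrected `identifiers = [statement.value.arn]` with no comment explaining the wildcard. If this document is attached as a KMS key policy (inferred from its name; the attachment is outside the hunk), `*` refers only to the key that carries the policy, but the same document reused as an identity policy would cover every key. I would add `# "*" means this key only: the document is used as a key policy, never as an identity policy` above the `resources` line. The same principal fix appears in the `secret` document hunk, and the enclosing statement blocks start outside both hunks.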
@@ -288,7 +288,7 @@ locals {
 rotation_role_name = coalesce(var.rotation_role_name, "${var.name}-rotation")
 env_vars = nonsensitive([
- for key in try(keys(jsondecode(var.initial_value)), []) :
+ for key in try(keys(jsondecode(sensitive(var.initial_value))), []) :
 key if upper(key) == key
 ])
 }
diff --git a/user-managed-secret/outputs.tf b/user-managed-secret/outputs.tf
index 7c90a99..9438f5e 100644
--- a/user-managed-secret/outputs.tf
+++ b/user-managed-secret/outputs.tf
@@ -5,7 +5,7 @@ output "arn" {
 output "environment_variables" {
 description = "Environment variables provided by this secret"
- value = module.secret.environment_variables
+ value = var.environment_variables
 }
 output "id" {
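Review bot: The `sensitive(...)` call nested inside `nonsensitive([...])` in `env_vars` reads as contradictory and carries no comment; the commit message explains it, but the file does not. The expression unmarks only the upper-case key names of `var.initial_value`, so those names can appear in plan output wherever `local.env_vars` flows, while the values are never part of the list. I would add `# sensitive() only keeps nonsensitive() valid when the input is unmarked; key names are exposed, values are not` above `env_vars`. The same comment should say that `try(..., [])` turns a non-JSON `initial_value` into an empty list with no diagnostic, if that is intended.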
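Review bot: The `environment_variables` output in user-managed-secret/outputs.tf now returns `var.environment_variables` unchanged, so its description "Environment variables provided by this secret" no longer matches: the list is whatever the caller declared, and nothing visible ties it to the secret's contents. secret/main.tf keeps only keys where `upper(key) == key`, and this path shows no such filter, so consumers of the two modules may see differently shaped lists. I would reword it to `description = "Environment variable names declared by the caller for this secret"`. If the variable declaration (not in this diff) has no `validation` block, consider adding one that enforces the same upper-case rule.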