Skip to content

ssm-controller: manage a Parameter without overwriting its Value (ignore_changes / initProvider equivalent for SecureString) #2953

Description

@keretdodor

Is your feature request related to a problem?

Yes. We're migrating hundreds of SSM parameters from click-ops to GitOps (KRO + ACK). For SecureString parameters the values are created/rotated out-of-band (by a human). We need ACK to own the parameter's existence and lifecycle — create it if missing, adopt it if it already exists, and apply a deletion policy — while never reading or overwriting its Value: the plaintext must not live in git, and the live secret must never be clobbered by a reconcile.

Today this isn't possible, because management of a Parameter is all-or-nothing:

  • Parameter.Value has no is_ignored / late_initialize / is_secret config, and hooks/parameter/sdk_update_post_build_request.go.tpl forces Overwrite=true. So Value is always part of desired state and always enforced, and drift remediation (~10h) reverts any out-of-band value change back to the spec value.
  • The only user-facing knobs — adoption-policy (adopt / adopt-or-create), deletion-policy, and read-only — are whole-resource, not field-scoped.

We verified the behavior on ssm-controller v1.3.1 (EKS) with throwaway parameters:

Approach Result
adoption-policy: adopt (+ adoption-fields) Adopts an existing param and leaves the value untouched ✅ — but cannot create a missing one ❌
adoption-policy: adopt-or-create Creates missing params ✅ — but overwrites/reverts the value ❌ (we set a real value via the console; the next reconcile reverted it to the spec value)
read-only: "true" Never touches the value ✅ — but never creates or manages it either ❌

So there is no single configuration that does create-or-adopt + own lifecycle + never manage Value.

Describe the solution you'd like

A user-facing, per-resource way to exclude a field (here spec.value) from drift enforcement while still creating/adopting/deleting the resource. Any one of these would solve it:

  1. Create-only / init-time field semantic — the field is applied on create but never reconciled afterwards (equivalent to Crossplane initProvider).
  2. Per-resource "ignore fields" annotation — e.g. services.k8s.aws/ignore-fields: "spec.value" — the controller skips those paths in delta/enforcement (equivalent to Terraform lifecycle { ignore_changes = [value] }).
  3. Granular management policies — a per-resource action allow-list, e.g. Observe, Create, Delete without Update (equivalent to Crossplane managementPolicies).

For ssm-controller specifically, option 1 or 2 applied to Value — ideally treating a SecureString Value as write-only-on-create — would fully solve our use case.

Describe alternatives you've considered

  • adoption-policy: adopt — safe for existing secrets (value untouched) but can't create new ones, forcing a manual out-of-band pre-create step for every new secret.
  • adoption-policy: adopt-or-create — creates new ones but overwrites the value and reverts out-of-band edits on the next reconcile.
  • read-only: "true" — never modifies the value but also never creates or manages the resource.
  • "Manage the name/metadata but not the value" (e.g. tags-only) — not possible: SSM PutParameter requires a value, and ACK always sends and enforces it.
  • Other IaC tools already support exactly this: Terraform lifecycle { ignore_changes = [value] }, and Crossplane initProvider (create-only fields) + managementPolicies (action allow-list). Both let you own the resource without ever writing the secret into state/git.
  • Related (codegen-level) request: Ability to ignore specific fields in the API #510 — "Ability to ignore specific fields in the API". This request is for a runtime, user-facing equivalent.

Environment: ssm-controller v1.3.1, EKS, KRO-generated Parameter CRs.


Suggested labels (I don't have permission to set them): kind/enhancement, service/ssm, area/runtime, area/adopted-resource

Metadata

Metadata

Assignees

Labels

area/drift-remediationIssues or PRs related to drift remediation.kind/featureCategorizes issue or PR as related to a new feature.service/ssmIndicates issues or PRs that are related to ssm-controller.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions