Ignore Encrypted Entries

[ambsw-technology]

Unless absolutely necessary, I'd rather not put decrypted secrets on a local machine. SSM also logs access to secrets so I'd rather not leave an unnecessary trail of secrets logs. I can think of two ways to handle this:

• Give an option to not decrypt secrets
• Give an option to skip encrypted parameters entirely

Both could make sense, but the second option solves both problems (on-disk and audit logs). I think it should be an ENV variable (vs. a flag) so you don't accidentally delete the encrypted params if you forget to include the flag when you apply.

[ambsw-technology]

OK. The documentation for the get_parameters() call includes the ability to filter on Type. So it should be possible to exclude the SecureString from the list of types (i.e. 'String'|'StringList'|'SecureString') when making the request.