[Bug]: aws_secretsmanager_secret_version behavior when version_id is deprecated and deleted by AWS

[CyrilDevOps]

Terraform Core Version

1.5.7

AWS Provider Version

5.48.0

Affected Resource(s)

• aws_secretsmanager_secret_version

Expected Behavior

I would expect some sort of behavior (maybe conditional to flag in the HCL) where the state refresh itself with the latest non-deprecated version if the version id become deprecated or if the version id is past deprecated state and deleted by AWS

Actual Behavior

I think today (by reading the go code, I am not a go guy), if the versionid of the secret is deleted by aws (past deprecated and past 100 version id), the secret version object is deleted from the state file, which may not be what we want as it would trigger a 'creation' request ?

We use terraform to create the initial secret at stack creation, but after that the value of the secret is change by the secrets manager auto rotation and our lambda, or by manually editing it in AWS (after terraform created the first one from a template)

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_secretsmanager_secret_version" "secret" { // populating the secret with a default json build from the template
  secret_id     = aws_secretsmanager_secret.secret.id
  secret_string = templatefile("${path.module}/secret-user.tftpl", { ... })
  lifecycle {
    ignore_changes = [
      secret_string,
      version_stages
    ]
  }
}

Steps to Reproduce

Do 100 or more rotation/secret change in AWS (outside of terraform), until the version id of the secret in the terraform state is deleted by AWS.
(it is theoretical, I didn't try to reproduce it)

Debug Output

No response

Panic Output

No response

Important Factoids

I discover/thought about that problem by hitting another problem with secrets,
I changed the KMS key of our secrets with terraform, and then deleted the old KMS key,
terraform plan try to do a get-secret-value on the secret on the version id in the state file, but that version id is 'old' (not AWSCURRENT/AWSPENDING/AWSPREVIOUS that are good with the new kms key),
and because I deleted the old key (pending delete), aws fail the terraform get-secret-value with DecryptionFailure and my plan was stuck in error for all the secrets.
I had to do a terraform state rm , and terraform import |

We may want something in the lifecycle or other flag to force terraform to refresh the secret version id in the state file during a terraform plan for case where terraform is used to create/populate the initial secret, but is not used for the life of the secret itself. (just a place holder).

References

No response

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.