[Bug]: aws_secretsmanager_secret_version behavior when version_id is deprecated and deleted by AWS #37302
Labels
bug
Addresses a defect in current functionality.
service/secretsmanager
Issues and PRs that pertain to the secretsmanager service.
Terraform Core Version
1.5.7
AWS Provider Version
5.48.0
Affected Resource(s)
Expected Behavior
I would expect some sort of behavior (maybe conditional on a flag in the HCL) where the state refreshes itself with the latest non-deprecated version if the version id becomes deprecated, or if the version id is past the deprecated state and deleted by AWS.
Actual Behavior
I think today (by reading the Go code, I am not a Go guy), if the version id of the secret is deleted by AWS (past deprecated and past 100 version ids), the secret version object is deleted from the state file, which may not be what we want as it would trigger a 'creation' request?
We use Terraform to create the initial secret at stack creation, but after that the value of the secret is changed by the Secrets Manager auto rotation and our Lambda, or by manually editing it in AWS (after Terraform created the first one from a template).
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
Steps to Reproduce
Do 100 or more rotations/secret changes in AWS (outside of Terraform), until the version id of the secret in the Terraform state is deleted by AWS.
(It is theoretical; I didn't try to reproduce it.)
Debug Output
No response
Panic Output
No response
Important Factoids
I discovered/thought about that problem by hitting another problem with secrets.
I changed the KMS key of our secrets with Terraform, and then deleted the old KMS key.
terraform plan tries to do a get-secret-value on the secret for the version id in the state file, but that version id is 'old' (not AWSCURRENT/AWSPENDING/AWSPREVIOUS, which are good with the new KMS key),
and because I deleted the old key (pending delete), AWS fails the Terraform get-secret-value with DecryptionFailure, and my plan was stuck in error for all the secrets.
I had to do a terraform state rm , and terraform import |
We may want something in the lifecycle or another flag to force Terraform to refresh the secret version id in the state file during a terraform plan, for the case where Terraform is used to create/populate the initial secret but is not used for the life of the secret itself. (Just a placeholder.)
References
No response
Would you like to implement a fix?
None
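The stale-version condition this issue describes can be caught before running a plan. As an added example (not part of the issue or of the provider's code), the script below checks every aws_secretsmanager_secret_version in a raw terraform.tfstate (format version 4) against the versions AWS still reports for that secret and flags the two cases from the report: a version id that is still present but carries no staging label (deprecated), and one that AWS has already purged. The state and the version inventory are constructed; in practice the inventory would come from `aws secretsmanager list-secret-version-ids --include-deprecated`.

```python
# Staging labels the report says still work after a KMS key change; any other
# version is "old" and may be deprecated or already purged by AWS.
ACTIVE_STAGES = {"AWSCURRENT", "AWSPENDING", "AWSPREVIOUS"}

# Constructed ARNs (placeholders, not real secrets).
DB_ARN = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:db-AbCdEf"
API_ARN = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:api-GhIjKl"

# Constructed terraform.tfstate (format version 4), trimmed to the attributes used here.
STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_secretsmanager_secret_version", "name": "db",
         "instances": [{"attributes": {"secret_id": DB_ARN, "version_id": "v-0001"}}]},
        {"mode": "managed", "type": "aws_secretsmanager_secret_version", "name": "api",
         "instances": [{"attributes": {"secret_id": API_ARN, "version_id": "v-0099"}}]},
    ],
}

# Constructed `list-secret-version-ids --include-deprecated` output, keyed by ARN.
# v-0001 still exists but has no staging label (deprecated); v-0099 is gone entirely
# (purged by AWS after enough rotations).
INVENTORY = {
    DB_ARN: [{"VersionId": "v-0001", "VersionStages": []},
             {"VersionId": "v-0002", "VersionStages": ["AWSPREVIOUS"]},
             {"VersionId": "v-0003", "VersionStages": ["AWSCURRENT"]}],
    API_ARN: [{"VersionId": "v-0100", "VersionStages": ["AWSCURRENT"]}],
}


def classify(state_version_id, versions):
    """Return (status, current_version_id) for one secret-version resource."""
    current = next((v["VersionId"] for v in versions if "AWSCURRENT" in v["VersionStages"]), None)
    match = next((v for v in versions if v["VersionId"] == state_version_id), None)
    if match is None:
        return "deleted", current      # provider drops it from state -> plan shows a create
    if ACTIVE_STAGES & set(match["VersionStages"]):
        return "active", current
    return "deprecated", current       # readable today, but GetSecretValue can fail once the old KMS key is gone


def audit(state, inventory):
    """Map 'type.name' -> (status, current_version_id) for every secret version in state."""
    report = {}
    for res in state["resources"]:
        if res["type"] != "aws_secretsmanager_secret_version":
            continue
        for inst in res["instances"]:
            attrs = inst["attributes"]
            report[f"{res['type']}.{res['name']}"] = classify(
                attrs["version_id"], inventory.get(attrs["secret_id"], []))
    return report


if __name__ == "__main__":
    for addr, (status, current) in audit(STATE, INVENTORY).items():
        print(f"{addr}: {status}; AWSCURRENT is {current}")
```

Anything reported as deprecated or deleted is a candidate for re-importing the AWSCURRENT version id before the next plan, which is the manual state rm / import workaround the issue describes.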