However, according to the documentation, we should only specify either version-stage or version-id but not both.
version-stage
The staging label of the version of the secret to use. Secrets Manager uses staging labels to keep track of different versions during the rotation process. If you use version-stage then don't specify version-id. If you don't specify either version-stage or version-id, then the default is the AWSCURRENT version.
This segment may not include the colon character ( :).
version-id
The unique identifier of the version of the secret to use. If you specify version-id, then don't specify version-stage. If you don't specify either version-stage or version-id, then the default is the AWSCURRENT version.
This segment may not include the colon character ( :).
In the event of having created a stack with the example pattern {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}, the subsequent update fails if we try to update the stack by removing the AWSCURRENT, the stack update fails with the following error:
Secrets Manager can't find the specified secret value for staging label: a13b5552-c254-41f1-9da6-b516809a8e3b (Service: AWSSecretsManager; Status Code: 400; Error Code: ResourceNotFoundException; Request ID: c677d95d-4c21-449e-bdf0-6ada7087d231; Proxy: null)
Issues:
Why does CFN allow creating a stack with the reference pattern {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}} if we cannot specify both version-stage or version-id? Shouldn't this be a validated during stack creation/update?
Perhaps updating the documentation regarding the reference pattern as shown below would also avoid confusion.
Example 1: {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage}}
Example 2: {{resolve:secretsmanager:secret-id:secret-string:json-key:version-id}}
Example 3: {{resolve:secretsmanager:secret-id:secret-string:json-key}}
Expected Behavior
CFN should not allow creating the reference pattern {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}} with both version-stage or version-id specified.
Observed Behavior
CFN creates the stack with the reference pattern {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}} with both version-stage or version-id specified.
Test Cases
Create a CFN Stack by using a secrets manager dynamic reference with the following pattern:
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}. The stack would be created successfully.
Now, update the stack by removing the version-stage "AWSCURRENT" from the reference pattern.
The update will fail with the error Secrets Manager can't find the specified secret value for staging label
Name of the resource
Other
Resource Name
dynamic references secretsmanager
Issue Description
While using the dynamic references for secrets manager,
If we create a stack with the reference pattern as shown in the documentation, it creates the stack successfully.
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}However, according to the documentation, we should only specify either
version-stageorversion-idbut not both.In the event of having created a stack with the example pattern
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}, the subsequent update fails if we try to update the stack by removing theAWSCURRENT, the stack update fails with the following error:Issues:
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}if we cannot specify bothversion-stageorversion-id? Shouldn't this be a validated during stack creation/update?{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage}}Example 2:{{resolve:secretsmanager:secret-id:secret-string:json-key:version-id}}Example 3:{{resolve:secretsmanager:secret-id:secret-string:json-key}}Expected Behavior
CFN should not allow creating the reference pattern
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}with bothversion-stageorversion-idspecified.Observed Behavior
CFN creates the stack with the reference pattern
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}with bothversion-stageorversion-idspecified.Test Cases
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}. The stack would be created successfully.Secrets Manager can't find the specified secret value for staging labelOther Details
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager
No response