hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_secretsmanager_secret_version fails to move the AWSCURRENT label #19212

Closed kjkuan closed 9 months ago

kjkuan commented 3 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.7
+ provider registry.terraform.io/hashicorp/aws v3.10.0

Affected Resource(s)

Terraform Configuration Files

Any use of the aws_secretsmanager_secret_version resource with version_stages set to [ "AWSCURRENT" ].

Expected Behavior

If aws_secretsmanager_secret_version is told to set the AWSCURRENT label but the label is currently on a different version (e.g., one that's created by manually updating the secret in Secrets Manager in AWS console), then terraform should move the label back to the version tracked by terraform.

Actual Behavior

With a plan like this:

  ~ resource "aws_secretsmanager_secret_version" "app-config-vars-from-tf" {
        id             = "staging3/workers/configs|DAC17BED-4C85-4187-A6D0-D46CE9D5780A"
      ~ version_stages = [
          + "AWSCURRENT",
        ]
        # (4 unchanged attributes hidden)
    }

We got an error like this:

Error: error updating Secrets Manager Secret "staging3/workers/configs" Version Stage "AWSCURRENT": InvalidParameterException: The parameter RemoveFromVersionId can't be empty. Staging label AWSCURRENT is currently attached to version 22bcae4b-f6b7-45e4-bf54-48495c69a33b, so you must explicitly reference that version in RemoveFromVersionId.

Steps to Reproduce

  1. Set version_stages to [ "AWSCURRENT" ] for an aws_secretsmanager_secret_version resource
  2. terraform apply
  3. Manually update the secret outside of terraform so that the AWSCURRENT label is moved to a different version than the one tracked by terraform.
  4. terraform apply

References

syndbg commented 3 years ago

@kjkuan Just letting you know that I've opened a PR (referenced) that fixes the issue you reported. Works on our end ™️ (and tests'), but if you're blocked, you can also test it.

To maintainers, the issue is also blocking us (SumUp) from using terraform-provider-aws with SecretsManager resources.

syndbg commented 3 years ago

Any chance we can get this fixed? The referenced PR is still eager to be reviewed 🥳

peramnaveen29 commented 2 years ago

Any ETA for the fix? This will be useful to force update changes made to secrets outside of terraform

zoezhangmattr commented 2 years ago

have the same error

viktorradnai commented 1 year ago

This bug also affects us

alexku7 commented 1 year ago

still isn't fixed :(

github-actions[bot] commented 9 months ago

This functionality has been released in v5.33.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 8 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
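
The error in the report comes from the Secrets Manager UpdateSecretVersionStage call, which needs RemoveFromVersionId whenever the label is attached to a different version. As an added example (not code from this thread or from the provider), the Python below detects that drift from the DescribeSecret output and builds the parameters to move the label back; `plan_label_move`, `reconcile_label` and `StubClient` are hypothetical names, and `client` is assumed to be a boto3 Secrets Manager client.

```python
# Added example, not provider code. Helper names and StubClient are hypothetical.
TRACKED = "DAC17BED-4C85-4187-A6D0-D46CE9D5780A"  # version in the Terraform plan above
HOLDER = "22bcae4b-f6b7-45e4-bf54-48495c69a33b"   # version named in the error message
# Constructed VersionIdsToStages map, shaped like DescribeSecret output after a console edit.
SAMPLE_STAGES = {TRACKED: ["AWSPREVIOUS"], HOLDER: ["AWSCURRENT"]}


def plan_label_move(version_ids_to_stages, target_version_id, stage="AWSCURRENT"):
    """Build UpdateSecretVersionStage parameters, or return None when nothing has drifted."""
    # DescribeSecret only lists versions that carry a label, so a missing key means "no labels".
    if stage in version_ids_to_stages.get(target_version_id, []):
        return None
    params = {"VersionStage": stage, "MoveToVersionId": target_version_id}
    # The API rejects the move unless the version currently holding the label is named.
    holder = next((v for v, s in version_ids_to_stages.items() if stage in s), None)
    if holder is not None:
        params["RemoveFromVersionId"] = holder
    return params


def reconcile_label(client, secret_id, target_version_id, stage="AWSCURRENT"):
    """Move `stage` back to target_version_id; return the parameters sent, or None."""
    described = client.describe_secret(SecretId=secret_id)
    params = plan_label_move(described.get("VersionIdsToStages", {}), target_version_id, stage)
    if params is not None:
        client.update_secret_version_stage(SecretId=secret_id, **params)
    return params


class StubClient:
    """Constructed offline stand-in exposing the two boto3 client methods used above."""

    def __init__(self, stages):
        self.stages, self.calls = stages, []

    def describe_secret(self, SecretId):
        return {"Name": SecretId, "VersionIdsToStages": self.stages}

    def update_secret_version_stage(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    stub = StubClient(SAMPLE_STAGES)
    print(reconcile_label(stub, "staging3/workers/configs", TRACKED))
    print(stub.calls)
```

A non-None return value from `plan_label_move` is also a usable drift signal: it means the label was moved outside Terraform since the last apply.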