hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: switch from secret rotation automatically_after to schedule_expression fails with error InvalidParameterException: You cannot specify both rotation frequency and schedule expression together. #33329

Open yogesh2580 opened 1 year ago

yogesh2580 commented 1 year ago

Terraform Core Version

1.5.4

AWS Provider Version

5.11.0

Affected Resource(s)

aws_secretsmanager_secret_rotation

Expected Behavior

Secret rotation should have changed from frequency-based to cron-based/rate-based without an error.

Actual Behavior

Error: updating Secrets Manager Secret Rotation (arn): InvalidParameterException: You cannot specify both rotation frequency and schedule expression together.

with module.postgres.aws_secretsmanager_secret_rotation.secret[0],
on .terraform/modules/postgres/main.tf line 215, in resource "aws_secretsmanager_secret_rotation" "secret":
215: resource "aws_secretsmanager_secret_rotation" "secret" {

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

variable "rotation_days" {
  type        = number
  description = "Interval in which the secrets are rotated (in days)"
  default     = 43
}

variable "schedule_expression" {
  type        = string
  description = "A cron() or rate() expression that defines the schedule for rotating the secrets."
  default     = null
}

resource "aws_secretsmanager_secret_rotation" "secret" {
  secret_id           = aws_secretsmanager_secret.secret[0].id
  rotation_lambda_arn = aws_lambda_function.lambda_rotation[0].arn

  rotation_rules {
    # AWS accepts only one of the two: drop the day interval as soon as
    # a schedule expression is supplied.
    automatically_after_days = var.schedule_expression == null ? var.rotation_days : null
    schedule_expression      = var.schedule_expression
  }
}

Steps to Reproduce

terraform init
terraform apply

Debug Output

  # module.postgres.aws_secretsmanager_secret_rotation.secret[0] will be updated in-place
  ~ resource "aws_secretsmanager_secret_rotation" "secret" {
        id = "arn"
        # (3 unchanged attributes hidden)

      ~ rotation_rules {
          + schedule_expression = "cron(0 /8 * * ? *)"
            # (1 unchanged attribute hidden)
        }
    }

Panic Output

No response

Important Factoids

No response

References

There was a ticket for the same issue previously; it says the fix was provided in version 5.7.0 of the AWS provider. The issue still exists on version 5.11.0 of the AWS provider. https://github.com/hashicorp/terraform-provider-aws/issues/30540

Would you like to implement a fix?

None

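A hardened variant of the configuration above, added here as an editor's example; it is not code from the issue or from the provider, and the variable and resource names are hypothetical. The ternary in the reporter's configuration already avoids setting both attributes, but it silently ignores rotation_days when both variables are given and silently produces an empty rotation_rules block when neither is. The precondition and validation below turn both cases into plan-time errors and reject schedule strings that are not cron() or rate() expressions, so a bad value fails in `terraform plan` rather than in the RotateSecret API call:

```hcl
# Editor's example (hypothetical names), not the issue's or the provider's code.

variable "rotation_days" {
  type        = number
  description = "Rotate every N days (AutomaticallyAfterDays). Leave null when schedule_expression is used."
  default     = null
}

variable "schedule_expression" {
  type        = string
  description = "cron() or rate() expression for rotation. Leave null when rotation_days is used."
  default     = null

  validation {
    # Reject anything that is not shaped like a Secrets Manager schedule.
    condition     = var.schedule_expression == null || can(regex("^(rate|cron)\\(.+\\)$", var.schedule_expression))
    error_message = "schedule_expression must be a rate(...) or cron(...) expression."
  }
}

resource "aws_secretsmanager_secret_rotation" "secret" {
  secret_id           = aws_secretsmanager_secret.secret.id
  rotation_lambda_arn = aws_lambda_function.lambda_rotation.arn

  rotation_rules {
    # AWS accepts only one of the two; the schedule wins when it is set.
    automatically_after_days = var.schedule_expression == null ? var.rotation_days : null
    schedule_expression      = var.schedule_expression
  }

  lifecycle {
    # Exactly one rotation mode must be configured: neither means rotation
    # is silently not scheduled, both means rotation_days is silently dropped.
    precondition {
      condition     = (var.rotation_days == null) != (var.schedule_expression == null)
      error_message = "Set exactly one of rotation_days or schedule_expression."
    }
  }
}
```

What this does not fix is the in-place update itself. The plan in the report adds schedule_expression while showing one remaining rotation_rules attribute as unchanged, and the call that fails is RotateSecret, which is consistent with the provider still sending the stored automatically_after_days value alongside the new schedule even though the configuration sets it to null (this reading is the editor's, not something the thread states; it does match the later observation that a fresh create succeeds while an upgrade-then-update fails). Until the provider drops the old value, the practical route is to recreate the rotation resource, for example `terraform apply -replace='module.postgres.aws_secretsmanager_secret_rotation.secret[0]'`, and then confirm what AWS actually holds with `aws secretsmanager describe-secret --secret-id <id> --query RotationRules`. Two caveats for a secret that is in use: replacement removes the rotation configuration before re-enabling it, so there is a short window with no rotation configured, and the RotateSecret call that re-enables it starts a rotation immediately by default, so consumers of the secret must already tolerate a new version appearing.
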
justinretzolk commented 1 year ago

Hey @yogesh2580 👋 Thanks for taking the time to raise this! Can you supply debug logging (redacted as needed)?

yogesh2580 commented 1 year ago

Hi @justinretzolk, thanks for updating me about the debug logs. Below is part of the debug logs:

2023-09-15T12:37:35.501+0530 [DEBUG] ProviderTransformer: "module.postgres.aws_secretsmanager_secret_version.secret" (terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-09-15T12:37:36.909+0530 [DEBUG] ProviderTransformer: "module.postgres.aws_secretsmanager_secret_rotation.secret (expand)" (terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/hashicorp/aws"]

2023-09-15T12:43:20.437+0530 [DEBUG] provider.terraform-provider-aws_v5.11.0_x5: HTTP Response Received: aws.sdk=aws-sdk-go http.response.body="{"__type":"Inva*****tion","Message":"You cannot specify both rotation frequency and schedule expression together."} " http.response.header.content_type=application/x-amz-json-1.1 http.response_content_length=127 tf_mux_provider=*schema.GRPCProviderServer @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.33/logger.go:144 aws.service="Secrets Manager" http.duration=774 http.response.header.x_amzn_requestid=2461d76c-27da-401a-bc2c-07d6a8255e34 @module=aws aws.operation=RotateSecret aws.region=us-east-1 http.response.header.date="Fri, 15 Sep 2023 07:13:20 GMT" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_resource_type=aws_secretsmanager_secret_rotation http.status_code=400 tf_req_id=71fa9681-4936-9880-a92c-d154a73089f5 tf_rpc=ApplyResourceChange timestamp=2023-09-15T12:43:20.437+0530
2023-09-15T12:43:20.437+0530 [ERROR] provider.terraform-provider-aws_v5.11.0_x5: Response contains error diagnostic: diagnostic_detail= diagnostic_severity=ERROR tf_proto_version=5.3 @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto tf_resource_type=aws_secretsmanager_secret_rotation diagnostic_summary="updating Secrets Manager Secret Rotation (arn:aws:secretsmanager:us-east-1:598693051713:secret:iac/datafabric/development/datafabric/pdfrb-8332-cy-v2_ad-Twauro): InvalidParameterException: You cannot specify both rotation frequency and schedule expression together." tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=71fa9681-4936-9880-a92c-d154a73089f5 tf_rpc=ApplyResourceChange timestamp=2023-09-15T12:43:20.437+0530

2023-09-15T12:43:20.448+0530 [ERROR] vertex "module.postgres.aws_secretsmanager_secret_rotation.secret[0]" error: updating Secrets Manager Secret Rotation (arn:aws:secretsmanager:us-east-1:598693051713:secret:iac/datafabric/development/datafabric/pdfrb-8332-cy-v2-6uTjoe): InvalidParameterException: You cannot specify both rotation frequency and schedule expression together.
2023-09-15T12:43:20.453+0530 [DEBUG] provider.terraform-provider-aws_v5.11.0_x5: HTTP Response Received: @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.33/logger.go:144 aws.operation=RotateSecret tf_provider_addr=registry.terraform.io/hashicorp/aws http.duration=790 tf_req_id=56dd66a1-f752-245a-2ad4-5d00ca5080ae http.response_content_length=127 tf_rpc=ApplyResourceChange @module=aws aws.region=us-east-1 aws.service="Secrets Manager" http.response.body="{"__type":"Inva*****tion","Message":"You cannot specify both rotation frequency and schedule expression together."}

lukenny commented 11 months ago

Just curious, was it originally created with a < 5.7 AWS provider? Because when I created it with the 5.3 AWS provider and updated the provider to 5.7, I also got the same error: InvalidParameterException: You cannot specify both rotation frequency and schedule expression together. But if I created it fresh with the 5.7 AWS provider, then there was no issue.

anishbharata commented 11 months ago

I see this error in AWS provider 5.16.2 as well. InvalidParameterException: You cannot specify both rotation frequency and schedule expression together.

rdsedmundo commented 10 months ago

Seeing the same on 5.26.0; I'm guessing the original PR didn't fully fix the original issue.