hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Error when creating Secrets Manager Secret Rotation due to invalid name validation #39406

Open asambon opened 2 months ago

asambon commented 2 months ago

Terraform Core Version

1.8.3

AWS Provider Version

5.49.0

Affected Resource(s)

  1. resource aws_rds_cluster

  2. data external

  3. resource aws_secretsmanager_secret_rotation

Expected Behavior

The secret should be created successfully with the specified name and rotation configuration, as long as the name contains only valid characters (alphanumeric characters, or any of the following: -/_+=.@!).

Actual Behavior

The creation of the secret fails with a ValidationException, claiming the name is invalid despite containing only valid characters.

Relevant Error/Panic Output Snippet

Error: creating Secrets Manager Secret Rotation (): operation error Secrets Manager: RotateSecret, https response error StatusCode: 400, RequestID: f65503b7-1e21-49d1-9d26-22c8c6a78d2b, api error ValidationException: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
│
│ with module.backend.module.provisioned_aurora_0_virginia.aws_secretsmanager_secret_rotation.this[0],
│ on .terraform/modules/backend.provisioned_aurora_0_virginia/main.tf line 374, in resource "aws_secretsmanager_secret_rotation" "this":
│ 374: resource "aws_secretsmanager_secret_rotation" "this" {

Terraform Configuration Files

resource "aws_rds_cluster" "this" {
  count                           = var.create_cluster ? 1 : 0
  cluster_identifier              = var.use_cluster_instance_prefix == false ? var.identifier : null
  cluster_identifier_prefix       = var.use_cluster_instance_prefix == false ? null : "${var.identifier}-"
  deletion_protection             = var.enable_cluster_deletion_protection
  master_username                 = var.replication_source_identifier != null ? null : var.master_username
  source_region                   = var.source_region
  final_snapshot_identifier       = "${var.identifier}-final-snapshot"
  skip_final_snapshot             = true
  availability_zones              = var.azs
  backup_retention_period         = var.backup_retention_period
  preferred_backup_window         = local.preferred_backup_window
  preferred_maintenance_window    = local.preferred_maintenance_window
  vpc_security_group_ids          = [element(concat(aws_security_group.this.*.id, [""]), 0)]
  storage_encrypted               = true
  replication_source_identifier   = var.replication_source_identifier
  apply_immediately               = true
  db_subnet_group_name            = local.db_subnet_group_name_id
  db_cluster_parameter_group_name = local.cluster_parameter_group_name_id
  kms_key_id                      = var.create_kms ? aws_kms_key.this[0].arn : var.kms_arn
  engine                          = var.engine
  engine_mode                     = var.engine_mode
  engine_version                  = var.engine_version
  enable_http_endpoint            = var.enable_http_endpoint
  enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
  snapshot_identifier             = var.snapshot_identifier
  global_cluster_identifier       = var.global_cluster_identifier
  database_name                   = var.database_name != null ? var.database_name : null
  allow_major_version_upgrade     = var.allow_major_version_upgrade
  # RDS creates and owns the master-user secret in Secrets Manager.
  manage_master_user_password     = true

  lifecycle {
    ignore_changes = [
      engine_version,
    ]
  }
}

# Look up the ARN of the RDS-managed master-user secret via the AWS CLI.
data "external" "secret_arn" {
  count   = var.create_cluster ? 1 : 0
  program = ["bash", "-c", "echo $(aws rds describe-db-clusters --db-cluster-identifier ${element(concat(aws_rds_cluster.this.*.id, [""]), 0)} --output json | jq -r '{'secret_arn': .DBClusters[0].MasterUserSecret.SecretArn}')"]
}

resource "aws_secretsmanager_secret_rotation" "this" {
  # checkov:skip=CKV2_AWS_34:The parameter type is String not SecureString
  # checkov:skip=CKV_AWS_337:The parameter type is String and using default KMS key
  # checkov:skip=CKV_AWS_304:Ensure Secrets Manager secrets should be rotated within 90 days
  count     = var.create_cluster ? 1 : 0
  secret_id = element(concat(data.external.secret_arn.*.result.secret_arn, [""]), 0)
  rotation_rules {
    schedule_expression = var.secret_rotation_cron
  }
}

Steps to Reproduce

terraform init
terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

Automatic secret rotation was enabled, but the issue occurred in our production environment where we have provisioned Aurora instances. The error seems to happen when updates are made in addition to the automatic secret rotation. This behavior is not present in our non-production environments.

References

No response

Would you like to implement a fix?

None
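An added example, not the reporter's configuration or the provider's code: a Python replacement for the `data "external"` program above that validates the ARN before handing it back to Terraform, so a missing or empty `MasterUserSecret.SecretArn` fails at plan time with a clear message instead of surfacing as the empty-identifier rotation error (`Secrets Manager Secret Rotation ()`) quoted in the report. It assumes the data source passes `cluster_identifier` in its `query` block, that the AWS CLI is on PATH, and uses a constructed sample of `describe-db-clusters` output.

```python
"""Terraform `external` data source program: resolve an Aurora cluster's
managed master-user secret ARN, refusing to emit an empty or missing value."""
import json
import subprocess
import sys

# Constructed sample of `aws rds describe-db-clusters --output json` (not real output).
SAMPLE_DESCRIBE = {"DBClusters": [{"DBClusterIdentifier": "aurora-0-virginia",
    "MasterUserSecret": {"SecretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:rds!cluster-EXAMPLE",
                         "SecretStatus": "active"}}]}


def extract_secret_arn(describe_output: dict) -> str:
    """Return MasterUserSecret.SecretArn, raising ValueError instead of yielding
    ""/null, so Terraform can never hand RotateSecret an empty secret_id."""
    clusters = describe_output.get("DBClusters") or []
    if len(clusters) != 1:
        raise ValueError(f"expected exactly one DBCluster, got {len(clusters)}")
    secret = clusters[0].get("MasterUserSecret") or {}
    arn = secret.get("SecretArn")
    if not isinstance(arn, str) or not arn.startswith("arn:"):
        raise ValueError("no MasterUserSecret.SecretArn on cluster; "
                         "is manage_master_user_password = true and the secret active?")
    return arn


def describe_cluster(cluster_id: str) -> dict:
    """Run the same AWS CLI call the bug report's bash one-liner used."""
    proc = subprocess.run(
        ["aws", "rds", "describe-db-clusters", "--db-cluster-identifier",
         cluster_id, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def main() -> int:
    # Terraform sends the data source's `query` block as a JSON object on stdin.
    query = json.load(sys.stdin)
    try:
        arn = extract_secret_arn(describe_cluster(query["cluster_identifier"]))
    except (KeyError, ValueError, subprocess.CalledProcessError) as exc:
        # Non-zero exit fails the plan here, with a clear message, not at RotateSecret.
        print(f"secret_arn lookup failed: {exc}", file=sys.stderr)
        return 1
    # The external data source only accepts a flat object of string values.
    json.dump({"secret_arn": arn}, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in with `program = ["python3", "${path.module}/secret_arn.py"]` (hypothetical file name) and `query = { cluster_identifier = aws_rds_cluster.this[0].id }`, then reference `data.external.secret_arn[0].result.secret_arn` as before.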
