hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io

Error when creating Secrets Manager Secret Rotation due to invalid name validation #35743

Closed asambon closed 2 months ago

asambon commented 2 months ago

Terraform Version

Terraform v1.8.3
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v5.7.0
+ provider registry.terraform.io/hashicorp/external v2.3.3
+ provider registry.terraform.io/hashicorp/null v3.2.2
+ provider registry.terraform.io/hashicorp/template v2.2.0

Terraform Configuration Files


resource "aws_rds_cluster" "this" {
  count                           = var.create_cluster ? 1 : 0
  cluster_identifier              = var.use_cluster_instance_prefix == false ? var.identifier : null
  cluster_identifier_prefix       = var.use_cluster_instance_prefix == false ? null : "${var.identifier}-"
  deletion_protection             = var.enable_cluster_deletion_protection
  master_username                 = var.replication_source_identifier != null ? null : var.master_username
  source_region                   = var.source_region
  final_snapshot_identifier       = "${var.identifier}-final-snapshot"
  skip_final_snapshot             = true
  availability_zones              = var.azs
  backup_retention_period         = var.backup_retention_period
  preferred_backup_window         = local.preferred_backup_window
  preferred_maintenance_window    = local.preferred_maintenance_window
  vpc_security_group_ids          = [element(concat(aws_security_group.this.*.id, [""]), 0)]
  storage_encrypted               = true
  replication_source_identifier   = var.replication_source_identifier
  apply_immediately               = true
  db_subnet_group_name            = local.db_subnet_group_name_id
  db_cluster_parameter_group_name = local.cluster_parameter_group_name_id
  kms_key_id                      = var.create_kms ? aws_kms_key.this[0].arn : var.kms_arn
  engine                          = var.engine
  engine_mode                     = var.engine_mode
  engine_version                  = var.engine_version
  enable_http_endpoint            = var.enable_http_endpoint
  enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
  snapshot_identifier             = var.snapshot_identifier
  global_cluster_identifier       = var.global_cluster_identifier
  database_name                   = var.database_name != null ? var.database_name : null
  allow_major_version_upgrade     = var.allow_major_version_upgrade
  manage_master_user_password     = true

  lifecycle {
    ignore_changes = [
      engine_version,
    ]
  }
}

data "external" "secret_arn" {
  count   = var.create_cluster ? 1 : 0
  program = ["bash", "-c", "echo $(aws rds describe-db-clusters --db-cluster-identifier ${element(concat(aws_rds_cluster.this.*.id, [""]), 0)} --output json | jq -r '{'secret_arn': .DBClusters[0].MasterUserSecret.SecretArn}')"]
}

resource "aws_secretsmanager_secret_rotation" "this" {
  # checkov:skip=CKV2_AWS_34:The parameter type is String not SecureString
  # checkov:skip=CKV_AWS_337:The parameter type is String and using default KMS key
  # checkov:skip=CKV_AWS_304:Ensure Secrets Manager secrets should be rotated within 90 days
  count     = var.create_cluster ? 1 : 0
  secret_id = element(concat(data.external.secret_arn.*.result.secret_arn, [""]), 0)
  rotation_rules {
    schedule_expression = var.secret_rotation_cron
  }
}

Debug Output

Error: creating Secrets Manager Secret Rotation (): operation error Secrets Manager: RotateSecret, https response error StatusCode: 400, RequestID: f65503b7-1e21-49d1-9d26-22c8c6a78d2b, api error ValidationException: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!

  with module.backend.module.provisioned_aurora_0_virginia.aws_secretsmanager_secret_rotation.this[0],
  on .terraform/modules/backend.provisioned_aurora_0_virginia/main.tf line 374, in resource "aws_secretsmanager_secret_rotation" "this":
 374: resource "aws_secretsmanager_secret_rotation" "this" {

Expected Behavior

The secret should be created successfully with the specified name and rotation configuration, as long as the name contains only valid characters (alphanumeric characters, or any of the following: -/_+=.@!).

Actual Behavior

The creation of the secret fails with a ValidationException, claiming the name is invalid despite containing only valid characters.

Steps to Reproduce

  1. terraform init
  2. terraform apply

Additional Context

Automatic secret rotation was enabled, but the issue occurred in our production environment where we have provisioned Aurora instances. The error seems to happen when updates are made in addition to the automatic secret rotation. This behavior is not present in our non-production environments.

References

No response
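Added example, not from the issue or the AWS provider: a hypothetical Python stand-in for the bash/jq program handed to data "external" "secret_arn" above, run against constructed sample input. It validates the ARN it returns and exits non-zero when the cluster has no managed master-user secret, so secret_id cannot silently resolve to the empty string that appears as `()` in the error output.

```python
"""Hypothetical stand-in for the bash/jq one-liner in data "external" "secret_arn".
Reads `aws rds describe-db-clusters --output json` on stdin and prints the flat
JSON object the external data source needs; exits non-zero when the managed
master-user secret is absent instead of handing Terraform an empty secret_id."""
import json
import re
import sys

# Secrets Manager ARN; the name segment uses the character set quoted by the
# ValidationException in the issue (alphanumerics plus -/_+=.@!).
_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@!-]+$")

def extract_secret_arn(describe_output: str) -> str:
    """Return DBClusters[0].MasterUserSecret.SecretArn or raise ValueError."""
    clusters = json.loads(describe_output).get("DBClusters") or []
    if not clusters:
        raise ValueError("describe-db-clusters returned no DBClusters")
    arn = (clusters[0].get("MasterUserSecret") or {}).get("SecretArn")
    if not arn:
        raise ValueError("no MasterUserSecret; is manage_master_user_password set?")
    if not _ARN_RE.match(arn):
        raise ValueError(f"unexpected SecretArn format: {arn!r}")
    return arn

def to_external_result(describe_output: str) -> str:
    """Single-level JSON object of strings, as data "external" requires."""
    return json.dumps({"secret_arn": extract_secret_arn(describe_output)})

def has_usable_secret(describe_output: str) -> bool:
    """True when the output carries a well-formed managed secret ARN."""
    try:
        extract_secret_arn(describe_output)
        return True
    except (ValueError, json.JSONDecodeError):
        return False

# Constructed samples in the shape of describe-db-clusters output (fake account id).
SAMPLE_OK = json.dumps({"DBClusters": [{"DBClusterIdentifier": "example", "MasterUserSecret": {
    "SecretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:rds!cluster-0123abcd-Ab12",
    "SecretStatus": "active"}}]})
SAMPLE_NO_SECRET = json.dumps({"DBClusters": [{"DBClusterIdentifier": "example"}]})

if __name__ == "__main__":
    try:
        print(to_external_result(sys.stdin.read()))
    except (ValueError, json.JSONDecodeError) as exc:
        print(f"secret_arn: {exc}", file=sys.stderr)  # Terraform shows stderr on failure
        sys.exit(1)
```

Wire it in as `program = ["python3", "${path.module}/secret_arn.py"]` with the describe-db-clusters JSON piped on stdin; a failing exit aborts the plan with the message rather than reaching RotateSecret with an empty id.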

liamcervante commented 2 months ago

Hi @asambon, this appears to be an issue relating to the AWS provider and not Terraform Core. The individual providers are managed in their own repositories by separate teams. For AWS this is https://github.com/hashicorp/terraform-provider-aws. I will close the issue here, but you should reopen this directly with the relevant provider. Thanks!

github-actions[bot] commented 1 month ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.