Closed jmonte-sph closed 1 year ago
@jmonte-sph thanks for sharing this. To understand better, can you share your secrets definitions?
@jmonte-sph also check the examples, in particular the one for defining rotation secrets https://github.com/lgallard/terraform-aws-secrets-manager/tree/master/examples/rotation
👋 there! Looks like I have the same issue with the secret I'm rotating with lambda.
Terraform = 1.3.7
Terragrunt = 0.42.5
AWS Provider = 4.48.0
Rotation secret definition:

```hcl
...
inputs = {
  unmanaged = true
  rotate_secrets = {
    "/${include.common.locals.env_short}/rds/credentials" = {
      description = "This is a secret to be rotated by a lambda"
      secret_key_value = {
        password = dependency.rds.outputs.db_instance_password
        username = dependency.rds.outputs.db_instance_username
        host     = dependency.rds.outputs.db_instance_address
        db_name  = dependency.rds.outputs.db_instance_name
        port     = dependency.rds.outputs.db_instance_port
        engine   = "postgres"
      }
      ...
      rotation_lambda_arn    = dependency.lambda.outputs.secret_rotator_lambda_arn
      recovery_window_in_days = 0
    }
  }
}
...
```
First run works as expected, the module creates secrets. At the second run it recreates the secret with the same secret_id and rotates it.
```text
# aws_secretsmanager_secret_rotation.rsm-sr["/dev/rds/credentials"] must be replaced
-/+ resource "aws_secretsmanager_secret_rotation" "rsm-sr" {
      ~ id               = "arn:aws:secretsmanager:eu-west-1:0000:secret:/dev/rds/credentials-fCuWja" -> (known after apply)
      ~ rotation_enabled = true -> (known after apply)
      ~ secret_id        = "arn:aws:secretsmanager:eu-west-1:0000:secret:/dev/rds/credentials-fCuWja" -> "/dev/rds/credentials" # forces replacement
        # (1 unchanged attribute hidden)
        # (1 unchanged block hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.
```
I managed to fix it in the fork previously by adding a `lifecycle` block to the `rsm-sr` resource, but I'm not sure if it's the right solution.
@lgallard , I have the same declaration as @alexrygalov.
@alexrygalov, looks like your lifecycle implementation fixed mine as well.
Since the Terraform state's `secret_id` uses the `arn`, assigning the name to it causes a replacement. Checked using the `arn` and/or `id` for `secret`, and the replacement is not happening anymore.
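The failure mode discussed in this thread, as an added example that is not part of the original issue or of the lgallard/terraform-aws-secrets-manager module: a minimal Terraform configuration with the secret, its version and the rotation resource, showing the `secret_id` form that forces replacement on every plan next to the ARN-based form that is stable. The resource names (`this`, `rotation`), the shape of the `rotate_secrets` variable, the 30-day rotation period and the sample values are assumptions for illustration.

```hcl
# Added example; not the module's own code. Resource names, variable shape and
# the rotation period are assumptions.

variable "rotate_secrets" {
  type = map(object({
    description         = string
    secret_key_value    = map(string)
    rotation_lambda_arn = string
  }))
  default = {
    "/dev/rds/credentials" = {
      description         = "This is a secret to be rotated by a lambda"
      secret_key_value    = { username = "app", password = "placeholder", engine = "postgres" }
      rotation_lambda_arn = "arn:aws:lambda:eu-west-1:000000000000:function:secret-rotator" # constructed sample
    }
  }
}

resource "aws_secretsmanager_secret" "this" {
  for_each    = var.rotate_secrets
  name        = each.key
  description = each.value.description

  # 0 means the secret is deleted immediately with no recovery window; use
  # the default (30 days) unless a test environment really needs this.
  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "this" {
  for_each      = var.rotate_secrets
  secret_id     = aws_secretsmanager_secret.this[each.key].id
  secret_string = jsonencode(each.value.secret_key_value)
}

# Form that reproduces the thread's plan output: secret_id set to the bare
# secret name. The API returns the ARN, so the refreshed state holds
# "arn:...:secret:/dev/rds/credentials-xxxxxx" while the config says
# "/dev/rds/credentials"; the attribute is ForceNew, so every plan replaces
# the rotation resource and triggers a rotation.
#
# resource "aws_secretsmanager_secret_rotation" "rotation" {
#   for_each            = var.rotate_secrets
#   secret_id           = each.key
#   rotation_lambda_arn = each.value.rotation_lambda_arn
#   rotation_rules { automatically_after_days = 30 }
# }

# Stable form: pass the secret's ARN (for this resource the id attribute is
# also the ARN), so config and state agree and the second plan is empty.
resource "aws_secretsmanager_secret_rotation" "rotation" {
  for_each            = var.rotate_secrets
  secret_id           = aws_secretsmanager_secret.this[each.key].arn
  rotation_lambda_arn = each.value.rotation_lambda_arn

  rotation_rules {
    automatically_after_days = 30
  }

  # Workaround mentioned in the thread: keep the name and suppress drift on
  # secret_id. It stops the replacement but hides a real mismatch, so the ARN
  # reference above is the better fix.
  # lifecycle {
  #   ignore_changes = [secret_id]
  # }
}
```

A quick check after applying either form: run `terraform plan` a second time and confirm it reports no changes for `aws_secretsmanager_secret_rotation`; with the name-based `secret_id` it will show the `# forces replacement` diff quoted earlier in the thread.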