lgallard / terraform-aws-secrets-manager

Terraform module to create Amazon Secrets Manager resources.
Apache License 2.0

terraform plan/apply always provision a replacement because of secret_id #27

Closed jmonte-sph closed 1 year ago

jmonte-sph commented 1 year ago

Since the terraform state's secret_id uses the arn, assigning the name to it causes a replacement. Checked using the arn and/or id for the secret and the replacement is not happening anymore.

lgallard commented 1 year ago

@jmonte-sph thanks for sharing this. To understand better, can you share your secrets definitions?

lgallard commented 1 year ago

@jmonte-sph also check the examples, in particular the one for defining rotation secrets https://github.com/lgallard/terraform-aws-secrets-manager/tree/master/examples/rotation

alexrygalov commented 1 year ago

👋 there! Looks like I have the same issue with the secret I'm rotating with lambda.

Terraform = 1.3.7 Terragrunt = 0.42.5 AWS Provider = 4.48.0

Rotation secret definition:

...
inputs = {
  unmanaged = true
  rotate_secrets = {
    "/${include.common.locals.env_short}/rds/credentials" = {
      description = "This is a secret to be rotated by a lambda"
      secret_key_value = {
        password = dependency.rds.outputs.db_instance_password
        username = dependency.rds.outputs.db_instance_username
        host     = dependency.rds.outputs.db_instance_address
        db_name  = dependency.rds.outputs.db_instance_name
        port     = dependency.rds.outputs.db_instance_port
        engine   = "postgres"
      }
      ...
      rotation_lambda_arn     = dependency.lambda.outputs.secret_rotator_lambda_arn
      recovery_window_in_days = 0
    }
  }
}
...

First run works as expected, the module creates secrets. At the second run it recreates the secret with the same secret_id and rotates it.

  # aws_secretsmanager_secret_rotation.rsm-sr["/dev/rds/credentials"] must be replaced
-/+ resource "aws_secretsmanager_secret_rotation" "rsm-sr" {
      ~ id                  = "arn:aws:secretsmanager:eu-west-1:0000:secret:/dev/rds/credentials-fCuWja" -> (known after apply)
      ~ rotation_enabled    = true -> (known after apply)
      ~ secret_id           = "arn:aws:secretsmanager:eu-west-1:0000:secret:/dev/rds/credentials-fCuWja" -> "/dev/rds/credentials" # forces replacement
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

I managed to fix it in the fork previously by adding a lifecycle block to the rsm-sr resource, but not sure if it's the right solution.

jmonte-sph commented 1 year ago

@lgallard , I have the same declaration as @alexrygalov.

@alexrygalov, looks like your lifecycle implementation fixed mine as well.
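To make the behaviour in the plan output above concrete, here is an added stand-alone Terraform example (not the module's own code, not from either commenter) that reproduces the replacement and shows the two remedies discussed in the thread: referencing the secret's ARN as `secret_id` (jmonte-sph's observation) and the `lifecycle` workaround (alexrygalov's). The `rotate_secrets` variable shape, the `rsm`/`rsm-sr` resource names and the Lambda ARN are assumptions or placeholders.

```hcl
# Added example, not the module's code. Demonstrates why passing the secret
# NAME as secret_id forces aws_secretsmanager_secret_rotation to be replaced
# on every plan, and how to stop it. Variable shape and names are assumptions.

variable "rotate_secrets" {
  description = "Secrets to create and rotate, keyed by name (constructed sample input)"
  type = map(object({
    description              = string
    rotation_lambda_arn      = string
    automatically_after_days = number
  }))
  default = {
    "/dev/rds/credentials" = {
      description              = "This is a secret to be rotated by a lambda"
      # Placeholder ARN: replace with the real rotator Lambda.
      rotation_lambda_arn      = "arn:aws:lambda:eu-west-1:000000000000:function:secret-rotator"
      automatically_after_days = 30
    }
  }
}

resource "aws_secretsmanager_secret" "rsm" {
  for_each    = var.rotate_secrets
  name        = each.key
  description = each.value.description
}

# BEFORE (reproduces the issue): secret_id is the map key, i.e. the name.
# The provider stores the ARN in state, so the next plan compares
# "/dev/rds/credentials" against "arn:aws:secretsmanager:..." and marks the
# resource "forces replacement". Re-creating the rotation resource re-enables
# rotation, which triggers an immediate rotation of the credential on every
# apply, which is what the thread observed.
#
# resource "aws_secretsmanager_secret_rotation" "rsm-sr" {
#   for_each            = var.rotate_secrets
#   secret_id           = each.key
#   rotation_lambda_arn = each.value.rotation_lambda_arn
#   rotation_rules {
#     automatically_after_days = each.value.automatically_after_days
#   }
# }

# AFTER (preferred): reference the created secret's ARN so configuration and
# state agree. aws_secretsmanager_secret's `id` attribute is also the ARN, so
# `.id` works equally well here.
resource "aws_secretsmanager_secret_rotation" "rsm-sr" {
  for_each            = var.rotate_secrets
  secret_id           = aws_secretsmanager_secret.rsm[each.key].arn
  rotation_lambda_arn = each.value.rotation_lambda_arn
  rotation_rules {
    automatically_after_days = each.value.automatically_after_days
  }

  # ALTERNATIVE (the workaround from the thread): keep passing the name and
  # suppress the diff instead. This also hides a genuine change of secret_id,
  # so it is a blunter fix than the ARN reference above; it is shown commented
  # out because only one of the two is needed.
  #
  # lifecycle {
  #   ignore_changes = [secret_id]
  # }
}
```

After the first apply, a second `terraform plan` with the ARN reference should report no changes for the rotation resource. To confirm what is actually stored, `terraform state show 'aws_secretsmanager_secret_rotation.rsm-sr["/dev/rds/credentials"]'` prints the `secret_id` held in state, which is the value any configured `secret_id` has to match to avoid the `-/+` replacement.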