Currently, a 'name' parameter can be supplied, but which has no effect on the name of the secret. The parameter 'name_prefix' can be supplied, which will overwrite the key as the name of the secret, but doing so will also generate a unique key name after your specified prefix.
The use-case for fixing this is one I came across recently, in which a for_each argument is used within the secrets/rotate_secrets parameter, and results in the key being unable to be changed due to the following error:
│ Error: Invalid for_each argument
│
│ on .terraform/modules/secrets/main.tf line 50, in resource "aws_secretsmanager_secret" "rsm":
│ 50: for_each = var.rotate_secrets
│ ├────────────────
│ │ var.rotate_secrets will be known only after apply
│
│ The "for_each" map includes keys derived from resource attributes that
│ cannot be determined until apply, and so Terraform cannot determine the
│ full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to define the map
│ keys statically in your configuration and place apply-time results only in
│ the map values.
│
│ Alternatively, you could use the -target planning option to first apply
│ only the resources that the for_each value depends on, and then apply a
│ second time to fully converge.
Additionally, secret version and secret rotation resources are set to each.key, which does not take into account the supported name_prefix parameter that can be set in the secrets' creation. As such, when name_prefix is set, the version and rotation resources fail to create, as the referenced secret_id does not exist.
│ Error: putting Secrets Manager Secret value: ResourceNotFoundException: Secrets Manager can't find the specified secret.
│
│ with module.users_secrets[0].aws_secretsmanager_secret_version.rsm-svu["example-secret"],
│ on .terraform/modules/users_secrets/main.tf line 75, in resource "aws_secretsmanager_secret_version" "rsm-svu":
│ 75: resource "aws_secretsmanager_secret_version" "rsm-svu" {
│
Since the secret is already a dependency for these resources, we can use the output from the secret as the secret_id.
I have raised two PRs to fix these issues: !38 and !39.
Currently, a 'name' parameter can be supplied, but which has no effect on the name of the secret. The parameter 'name_prefix' can be supplied, which will overwrite the key as the name of the secret, but doing so will also generate a unique key name after your specified prefix. The use-case for fixing this is one I came across recently, in which a for_each argument is used within the secrets/rotate_secrets parameter, and results in the key being unable to be changed due to the following error:
Additionally, secret version and secret rotation resources are set to each.key, which does not take into account the supported name_prefix parameter that can be set in the secrets' creation. As such, when name_prefix is set, the version and rotation resources fail to create, as the referenced secret_id does not exist.
Since the secret is already a dependency for these resources, we can use the output from the secret as the secret_id.
I have raised two PRs to fix these issues: !38 and !39.