search

lgallard / terraform-aws-secrets-manager

Terraform module to create Amazon Secrets Manager resources.
Apache License 2.0
63 stars 50 forks source link

Name and Name_prefix are not properly supported #40

Closed bensharp1 closed 12 months ago

bensharp1 commented 12 months ago

Currently, a 'name' parameter can be supplied, but which has no effect on the name of the secret. The parameter 'name_prefix' can be supplied, which will overwrite the key as the name of the secret, but doing so will also generate a unique key name after your specified prefix. The use-case for fixing this is one I came across recently, in which a for_each argument is used within the secrets/rotate_secrets parameter, and results in the key being unable to be changed due to the following error:

│ Error: Invalid for_each argument │ │ on .terraform/modules/secrets/main.tf line 50, in resource "aws_secretsmanager_secret" "rsm": │ 50: for_each = var.rotate_secrets │ ├──────────────── │ │ var.rotate_secrets will be known only after apply │ │ The "for_each" map includes keys derived from resource attributes that │ cannot be determined until apply, and so Terraform cannot determine the │ full set of keys that will identify the instances of this resource. │ │ When working with unknown values in for_each, it's better to define the map │ keys statically in your configuration and place apply-time results only in │ the map values. │ │ Alternatively, you could use the -target planning option to first apply │ only the resources that the for_each value depends on, and then apply a │ second time to fully converge.

Additionally, secret version and secret rotation resources are set to each.key, which does not take into account the supported name_prefix parameter that can be set in the secrets' creation. As such, when name_prefix is set, the version and rotation resources fail to create, as the referenced secret_id does not exist.

│ Error: putting Secrets Manager Secret value: ResourceNotFoundException: Secrets Manager can't find the specified secret. │ │ with module.users_secrets[0].aws_secretsmanager_secret_version.rsm-svu["example-secret"], │ on .terraform/modules/users_secrets/main.tf line 75, in resource "aws_secretsmanager_secret_version" "rsm-svu": │ 75: resource "aws_secretsmanager_secret_version" "rsm-svu" { │

Since the secret is already a dependency for these resources, we can use the output from the secret as the secret_id.

I have raised two PRs to fix these issues: !38 and !39.

lgallard commented 12 months ago

Closed as it was fixed on #38 and #39