Secrets manager runs Lambda rotation function before secret is set #10619
Comments
Any solution?
A temporary solution to this is to use CloudFormation stacks instead, but it is not ideal.
I had opened this PR months ago but it never got attention: #9487. Not sure how to get someone to review it.
Sorry for the delay @kelvin-acosta, I have provided additional information in that pull request.
Hi folks 👋 The solution to this issue was creating a separate resource,
This has been released in version 2.67.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Terraform Version
0.12.10
Affected Resource(s)
Expected Behavior
Terraform should run the rotation function for a secret after a secret has been set. This is stated in the documentation:
Actual Behavior
Terraform runs the rotation function once the secret has been created, even though a secret value (version) has not been set. I have taken a look at the code and it seems that RotateSecretInput is called inside resourceAwsSecretsManagerSecretCreate. Further, RotateSecretInput is not called at all in resourceAwsSecretsManagerSecretVersionCreate. This causes the rotation lambda to fail as there is no initial secret for it to rotate. Is there a reason for the change in behaviour from the documentation?
My use case is for the rotation of RDS credentials, and the Lambda requires an initial set of DB credentials to access the DB. Since the rotation function runs before any secret value is stored, the Lambda fails.
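The ordering problem described in this issue, as an added example that is not part of the original thread or the provider's code: a preflight guard that calls RotateSecret only once the secret has a version staged AWSCURRENT. The function names, the `FakeSecretsManager` stand-in and the sample values are assumptions made for illustration; in real use `client` would be `boto3.client("secretsmanager")`.

```python
"""Preflight guard: enable rotation only once the secret holds a value."""


class SecretNotReady(Exception):
    """Raised when a secret has no version staged AWSCURRENT."""


def has_current_version(client, secret_id):
    """Return True if any version of the secret carries the AWSCURRENT stage."""
    kwargs = {"SecretId": secret_id}
    while True:
        page = client.list_secret_version_ids(**kwargs)
        for version in page.get("Versions", []):
            if "AWSCURRENT" in version.get("VersionStages", []):
                return True
        token = page.get("NextToken")
        if not token:
            return False
        kwargs["NextToken"] = token  # keep paging until the list is exhausted


def enable_rotation(client, secret_id, lambda_arn, days=30):
    """Call RotateSecret only after an initial value exists."""
    if not has_current_version(client, secret_id):
        raise SecretNotReady(f"{secret_id}: no AWSCURRENT version, refusing to rotate")
    return client.rotate_secret(
        SecretId=secret_id,
        RotationLambdaARN=lambda_arn,
        RotationRules={"AutomaticallyAfterDays": days},
    )


class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3.client('secretsmanager')."""

    def __init__(self, versions):
        self.versions = versions
        self.rotate_calls = []

    def list_secret_version_ids(self, SecretId, NextToken=None):
        # One version per page, to exercise the NextToken loop.
        index = int(NextToken or 0)
        page = {"Versions": self.versions[index:index + 1]}
        if index + 1 < len(self.versions):
            page["NextToken"] = str(index + 1)
        return page

    def rotate_secret(self, **kwargs):
        self.rotate_calls.append(kwargs)
        return {"Name": kwargs["SecretId"]}
```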