Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Secrets manager runs Lambda rotation function before secret is set #10619

Closed
jakejx opened this issue Oct 24, 2019 · 7 comments · Fixed by #9487
Closed

Secrets manager runs Lambda rotation function before secret is set #10619

jakejx opened this issue Oct 24, 2019 · 7 comments · Fixed by #9487
Labels
bug Addresses a defect in current functionality. service/secretsmanager Issues and PRs that pertain to the secretsmanager service.
Milestone

Comments

@jakejx
Copy link

jakejx commented Oct 24, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.12.10

Affected Resource(s)

  • aws_secretsmanager_secret
  • aws_secretsmanager_secret_version

Expected Behavior

Terraform should run the rotation function for a secret after a secret has been set. This is stated in the documentation:

Configuring rotation causes the secret to rotate once as soon as you store the secret.

Actual Behavior

Terraform runs the rotation function once the secret has been created, even though a secret value (version) has not been set. I have taken a look at the code and it seems that RotateSecretInput is called inside resourceAwsSecretsManagerSecretCreate. Further, RotateSecretInput is not called at all in resourceAwsSecretsManagerSecretVersionCreate.

This causes the rotation lambda to fail as there is no initial secret for it to rotate. Is there a reason for the change in behaviour from the documentation?

My use case is for the rotation of RDS credentials, and the Lambda requires an initial set of DB credentials to access the DB. Since the rotation function runs before any secret value is stored, the Lambda fails.

@ghost ghost added the service/secretsmanager Issues and PRs that pertain to the secretsmanager service. label Oct 24, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 24, 2019
@aeschright aeschright added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Dec 20, 2019
@ayshamdmgit
Copy link

Any solution?

@a-weiss-programmer
Copy link

A temporary solution to this is to use CloudFormation stacks instead, but it is not ideal.

@kelvin-acosta
Copy link
Contributor

I had opened this PR months ago but it never got attention #9487 . Not sure how to get someone to review it..

@bflad bflad linked a pull request Feb 21, 2020 that will close this issue
@bflad
Copy link
Member

bflad commented Feb 21, 2020

Sorry for the delay @kelvin-acosta, I have provided additional information in that pull request.

@bflad bflad added this to the v2.67.0 milestone Jun 18, 2020
@bflad
Copy link
Member

bflad commented Jun 18, 2020

Hi folks 👋 The solution to this issue was creating a separate resource, aws_secretsmanager_secret_rotation and deprecating the existing rotation_* configuration within the aws_secretsmanager_secret resource. This has been merged and will release with version 2.67.0 of the Terraform AWS Provider, very shortly. Thanks to @kelvin-acosta for the implementation. 👍

@ghost
Copy link

ghost commented Jun 19, 2020

This has been released in version 2.67.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Jul 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 19, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Addresses a defect in current functionality. service/secretsmanager Issues and PRs that pertain to the secretsmanager service.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants