Secrets manager runs Lambda rotation function before secret is set

[jakejx]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.12.10

Affected Resource(s)

• aws_secretsmanager_secret
• aws_secretsmanager_secret_version

Expected Behavior

Terraform should run the rotation function for a secret after a secret has been set. This is stated in the documentation:

Configuring rotation causes the secret to rotate once as soon as you store the secret.

Actual Behavior

Terraform runs the rotation function once the secret has been created, even though a secret value (version) has not been set. I have taken a look at the code and it seems that RotateSecretInput is called inside resourceAwsSecretsManagerSecretCreate. Further, RotateSecretInput is not called at all in resourceAwsSecretsManagerSecretVersionCreate.

This causes the rotation lambda to fail as there is no initial secret for it to rotate. Is there a reason for the change in behaviour from the documentation?

My use case is for the rotation of RDS credentials, and the Lambda requires an initial set of DB credentials to access the DB. Since the rotation function runs before any secret value is stored, the Lambda fails.

[ayshamdmgit]

Any solution?

[a-weiss-programmer]

A temporary solution to this is to use CloudFormation stacks instead, but it is not ideal.

[kelvin-acosta]

I had opened this PR months ago but it never got attention #9487 . Not sure how to get someone to review it..

[bflad]

Sorry for the delay @kelvin-acosta, I have provided additional information in that pull request.

[bflad]

Hi folks 👋 The solution to this issue was creating a separate resource, aws_secretsmanager_secret_rotation and deprecating the existing rotation_* configuration within the aws_secretsmanager_secret resource. This has been merged and will release with version 2.67.0 of the Terraform AWS Provider, very shortly. Thanks to @kelvin-acosta for the implementation. 👍

[ghost]

This has been released in version 2.67.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!