aws_secretsmanager_secret_version uses old data? #7630
Comments
I'm having the same problem in terraform 0.12.7 and terraform-provider-aws 0.25.0.

The data in the state file is the old value when terraform first created the secret (using a random value). We've updated the secret through the AWS console but the value in the state isn't refreshed.

It seems the old version ID is tagged with "AWSCURRENT" incorrectly.

$ aws secretsmanager list-secret-version-ids --secret-id 'arn:aws:secretsmanager:us-east-1:0123456789:secret:some_name.OTHER_NAME-abcdef'
{
    "Versions": [
        {
            "VersionId": "0E1D08D5-B66D-4E56-8E51-52B95E176498",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": 1566864000.0,
            "CreatedDate": 1565090264.523
        },
        {
            "VersionId": "4207d837-a9cb-433a-a197-32b62b666abc",
            "VersionStages": [
                "AWSCURRENT"
            ],
            "LastAccessedDate": 1566864000.0,
            "CreatedDate": 1566927582.297
        }
    ],
    "ARN": "arn:aws:secretsmanager:us-east-1:0123456789:secret:some_name.OTHER_NAME-abcdef",
    "Name": "some_name.OTHER_NAME"
}

State:

{
    "arn": "arn:aws:secretsmanager:us-east-1:0123456789:secret:some_name.OTHER_NAME-abcdef",
    "id": "arn:aws:secretsmanager:us-east-1:0123456789:secret:some_name.OTHER_NAME-abcdef|0E1D08D5-B66D-4E56-8E51-52B95E176498",
    "secret_binary": "",
    "secret_id": "arn:aws:secretsmanager:us-east-1:0123456789:secret:some_name.OTHER_NAME-abcdef",
    "secret_string": "oldsecretvalue",
    "version_id": "0E1D08D5-B66D-4E56-8E51-52B95E176498",
    "version_stages": [
        "AWSCURRENT"
    ]
}

My reading of resourceAwsSecretsManagerSecretVersionRead() is that it gets the version ID from the resource's ID and that is never updated, apparently.

I tried to remove the secret version from state and import it again while specifying the correct Version ID (the one tagged with

But the next plan just shows that the resource has to be recreated because it wants to remove the "AWSCURRENT" stage.

Just to clarify, our workflow is currently as follows:

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

I run into this with the same workflow mentioned by @gtirloni when having secrets backing sns mobile push applications.

I am facing the same issue where the secret string was updated outside of terraform and as a result, the Statefile refuses to run the apply because the version id in the state file doesn't match the current version id of the secret string
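
A drift check for the situation described in the comments above, as an added example that is not part of the original thread or the provider's code: it compares the version ID Terraform recorded in state with the output of `aws secretsmanager list-secret-version-ids`. The sample documents are constructed from the values quoted above, and the function name `check_drift` is hypothetical.

```python
import json

# Constructed sample input, trimmed from the two documents quoted in the comment above.
LIST_VERSIONS_JSON = """
{
  "Versions": [
    {"VersionId": "0E1D08D5-B66D-4E56-8E51-52B95E176498", "VersionStages": ["AWSPREVIOUS"]},
    {"VersionId": "4207d837-a9cb-433a-a197-32b62b666abc", "VersionStages": ["AWSCURRENT"]}
  ],
  "ARN": "arn:aws:secretsmanager:us-east-1:0123456789:secret:some_name.OTHER_NAME-abcdef"
}
"""
STATE_ATTRS_JSON = """
{
  "id": "arn:aws:secretsmanager:us-east-1:0123456789:secret:some_name.OTHER_NAME-abcdef|0E1D08D5-B66D-4E56-8E51-52B95E176498",
  "version_id": "0E1D08D5-B66D-4E56-8E51-52B95E176498",
  "version_stages": ["AWSCURRENT"]
}
"""

def check_drift(state_attrs, listing):
    """Return a list of findings; an empty list means state and Secrets Manager agree."""
    findings = []
    # The resource ID is "<secret ARN>|<version ID>"; the version half is what goes stale.
    arn, _, id_version = state_attrs["id"].partition("|")
    if arn != listing["ARN"]:
        return [f"state tracks a different secret: {arn}"]
    if id_version != state_attrs["version_id"]:
        findings.append("resource id and version_id attribute disagree")
    # Versions without staging labels may have no VersionStages key at all.
    live = {v["VersionId"]: set(v.get("VersionStages", [])) for v in listing["Versions"]}
    current = [vid for vid, stages in live.items() if "AWSCURRENT" in stages]
    if id_version not in live:
        findings.append(f"state version {id_version} is not in the listing")
    elif set(state_attrs["version_stages"]) != live[id_version]:
        findings.append(
            f"state version {id_version} recorded as {sorted(state_attrs['version_stages'])}, "
            f"live stages are {sorted(live[id_version])}")
    if current and current[0] != id_version:
        findings.append(f"AWSCURRENT is now {current[0]}; secret_string in state is stale")
    return findings

def main():
    for finding in check_drift(json.loads(STATE_ATTRS_JSON), json.loads(LIST_VERSIONS_JSON)):
        print("DRIFT:", finding)

if __name__ == "__main__":
    main()
```
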
Community Note
Terraform Version
Terraform v0.11.11
Affected Resource(s)
Terraform Configuration Files
module/getSecrets/*.tf:
Next, we call this module like this:
At a certain time, we renamed the secrets, and we modified the tf code as follows:
Debug Output
NA
Panic Output
NA
Expected Behavior
We expected that the new secrets should be retrieved, instead of the old ones.
Actual Behavior
Terraform complains about the old not being available, and does not use the new variables:
Steps to Reproduce
Apply TF code listed above.
terraform apply
Important Factoids
References