
Secretsmanager Secret create or restore #5445

Closed

Conversation

luis-silva

Fixes #4467

Changes proposed in this pull request:

  • Allow secretsmanager secret creation to create a secret, even if it is marked as deleted.

The reasoning for this is that creating a secret and then destroying it will mark the secret for deletion with a recovery window of 7 to 30 days. This means it is not possible to create the secret again with the same name as terraform will error out with 'secret already exists'.

This prevents environments from being destroyed and recreated repeatedly and is a blocker for more generalised usage of secretsmanager with terraform.

This PR changes the creation logic by first checking if a secret with that name exists and:

  • If it does and is in a deleted state, terraform restores it and updates it with the new information (description, kms_key_id, policy, etc.)

  • If it does and is in an active state, terraform fails as before

  • If it doesn't, terraform creates it as before.

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAwsSecretsManagerSecret'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -run=TestAccAwsSecretsManagerSecret -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAwsSecretsManagerSecret_Basic
--- PASS: TestAccAwsSecretsManagerSecret_Basic (39.78s)
=== RUN   TestAccAwsSecretsManagerSecret_Restore
--- PASS: TestAccAwsSecretsManagerSecret_Restore (150.20s)
=== RUN   TestAccAwsSecretsManagerSecret_Description
--- PASS: TestAccAwsSecretsManagerSecret_Description (58.68s)
=== RUN   TestAccAwsSecretsManagerSecret_KmsKeyID
--- PASS: TestAccAwsSecretsManagerSecret_KmsKeyID (104.42s)
=== RUN   TestAccAwsSecretsManagerSecret_RotationLambdaARN
--- PASS: TestAccAwsSecretsManagerSecret_RotationLambdaARN (95.84s)
=== RUN   TestAccAwsSecretsManagerSecret_RotationRules
--- PASS: TestAccAwsSecretsManagerSecret_RotationRules (89.54s)
=== RUN   TestAccAwsSecretsManagerSecret_Tags
--- PASS: TestAccAwsSecretsManagerSecret_Tags (106.66s)
=== RUN   TestAccAwsSecretsManagerSecret_policy
--- PASS: TestAccAwsSecretsManagerSecret_policy (30.88s)
=== RUN   TestAccAwsSecretsManagerSecretVersion_Basic
--- PASS: TestAccAwsSecretsManagerSecretVersion_Basic (35.80s)
=== RUN   TestAccAwsSecretsManagerSecretVersion_VersionStages
--- PASS: TestAccAwsSecretsManagerSecretVersion_VersionStages (81.83s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	793.688s

@ghost ghost added the size/L Managed by automation to categorize the size of a PR. label Aug 3, 2018
@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/secretsmanager Issues and PRs that pertain to the secretsmanager service. labels Aug 4, 2018
@bflad
Contributor

bflad commented Aug 8, 2018

FYI, https://github.com/aws/aws-sdk-go/releases/tag/v1.15.8 contains a new parameter during deletion allowing us to force delete secrets without recovery. We'll likely want to go down that route instead of potentially adjusting the behavior of creation. I'll be submitting the dependency update PR shortly.

@luis-silva
Author

That would work out nicely, just an extra param to force deletion.

@bflad
Contributor

bflad commented Aug 17, 2018

Hey @luis-silva can you check out #5583 and let me know what you think?

@bflad bflad added the waiting-response Maintainers are waiting on response from community or contributor. label Aug 17, 2018
@bflad bflad closed this in #5583 Aug 22, 2018
@bflad
Contributor

bflad commented Aug 22, 2018

In version 1.33.0 of the AWS provider, likely releasing later today, the aws_secretsmanager_secret resource will support:

  • Setting recovery_window_in_days to 0, which will "immediately" delete the secret (technically it's an asynchronous process started in the background by the Secrets Manager service).
  • On creation it will retry on "InvalidRequestException: You can’t perform this operation on the secret because it was deleted." errors, waiting for the background process to complete, which allows for recreating deleted secrets using the method above.

Please note for updating existing aws_secretsmanager_secret resources: updating the recovery_window_in_days argument must have terraform apply run before any sort of deletion operation (e.g. terraform destroy, count = 0) for it to take effect.
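
The two approaches discussed in this thread, side by side as an added Go example: the create-or-restore logic luis-silva proposes in the PR description (describe first; restore and update a deleted secret, fail on an active one, otherwise create) and the retry-on-deleted path bflad describes for provider 1.33.0 after a forced delete with a zero recovery window. This is not the provider's code and not the aws-sdk-go API: Secret, FakeClient and its methods, the sentinel error values (modelled on the error messages quoted in the thread), the two-call delay that stands in for the asynchronous background deletion, and the secret names are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Secret models the fields this PR restores and then updates; Deleted is true while
// the secret sits in its recovery window or is being removed in the background.
type Secret struct {
	Name, Description, KmsKeyID string
	Deleted                     bool
}

// Sentinel errors modelled on the service errors named in this thread (assumption:
// the real SDK surfaces these as typed awserr values, not plain errors).
var (
	ErrNotFound = errors.New("ResourceNotFoundException")
	ErrExists   = errors.New("ResourceExistsException: secret already exists")
	ErrDeleted  = errors.New("InvalidRequestException: You can't perform this operation on the secret because it was deleted.")
)

// FakeClient is an in-memory stand-in for the Secrets Manager API, not the provider's
// code. pending models the asynchronous deletion that a zero recovery window starts:
// the name keeps rejecting CreateSecret for that many further API calls.
type FakeClient struct {
	secrets map[string]*Secret
	pending map[string]int
}

func NewFakeClient() *FakeClient { return &FakeClient{map[string]*Secret{}, map[string]int{}} }

// Describe also advances the secret's background deletion, if any, by one call.
func (c *FakeClient) Describe(name string) (*Secret, error) {
	if c.pending[name] == 1 {
		delete(c.secrets, name)
	}
	if c.pending[name] > 0 {
		c.pending[name]--
	}
	if s, ok := c.secrets[name]; ok {
		return s, nil
	}
	return nil, ErrNotFound
}

// Create refuses an existing name, distinguishing active from deleted secrets.
func (c *FakeClient) Create(name, desc, kms string) (*Secret, error) {
	if s, err := c.Describe(name); err == nil && s.Deleted {
		return nil, ErrDeleted
	} else if err == nil {
		return nil, ErrExists
	}
	c.secrets[name] = &Secret{Name: name, Description: desc, KmsKeyID: kms}
	return c.secrets[name], nil
}

// Restore and Update stand in for RestoreSecret and UpdateSecret on a known secret.
func (c *FakeClient) Restore(s *Secret) { s.Deleted = false; delete(c.pending, s.Name) }
func (c *FakeClient) Update(s *Secret, desc, kms string) { s.Description, s.KmsKeyID = desc, kms }

// Delete schedules deletion; a zero recovery window is the forced path, which here
// removes the secret in the background after two further API calls.
func (c *FakeClient) Delete(s *Secret, recoveryWindowDays int) {
	s.Deleted = true
	if recoveryWindowDays == 0 {
		c.pending[s.Name] = 2
	}
}

// CreateOrRestore is the logic this PR proposed: describe first; restore and update a
// deleted secret, fail on an active one, otherwise create.
func CreateOrRestore(c *FakeClient, name, desc, kms string) (*Secret, error) {
	s, err := c.Describe(name)
	switch {
	case errors.Is(err, ErrNotFound):
		return c.Create(name, desc, kms)
	case err != nil:
		return nil, err
	case !s.Deleted:
		return nil, ErrExists
	}
	c.Restore(s)
	c.Update(s, desc, kms)
	return s, nil
}

// CreateWithRetry is what shipped instead (provider 1.33.0): after a forced delete, retry
// CreateSecret while the service still reports the secret as deleted. With a non-zero
// recovery window the secret never goes away on its own, so the retries are exhausted.
func CreateWithRetry(c *FakeClient, name, desc, kms string, maxAttempts int) (s *Secret, err error) {
	for i := 0; i < maxAttempts; i++ {
		if s, err = c.Create(name, desc, kms); !errors.Is(err, ErrDeleted) {
			return s, err
		}
	}
	return nil, fmt.Errorf("gave up after %d attempts: %w", maxAttempts, err)
}

func main() {
	c := NewFakeClient()
	s, _ := c.Create("prod/db", "v1", "alias/aws/secretsmanager")
	c.Delete(s, 0) // forced deletion: CreateSecret is still rejected for a short while
	fmt.Println(CreateWithRetry(c, "prod/db", "v2", "alias/aws/secretsmanager", 5))
}
```

The fake shows why the two designs are not interchangeable: CreateOrRestore recovers a name inside any recovery window but silently takes ownership of a secret someone else scheduled for deletion, while CreateWithRetry only converges when the deletion was forced (recovery_window_in_days = 0), which is why that argument has to be applied before the destroy, as the comment above notes.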

@ghost

ghost commented Apr 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 3, 2020
@breathingdust breathingdust removed the waiting-response Maintainers are waiting on response from community or contributor. label Sep 17, 2021
Successfully merging this pull request may close these issues.

aws_secretsmanager_secret recreate