New resource: aws_secretsmanager_secret_rotation #9487
Conversation
This will potentially fix #10619.
Hi @kelvin-acosta 👋 Thank you for submitting this.
The idea here is valid to create another resource, however just removing the current configuration options will cause major issues for existing Terraform configurations and state files, even if we introduced this change in a major version release. Terraform Providers have an explicit deprecation process which the maintainers follow, which can be seen here: https://www.terraform.io/docs/extend/best-practices/deprecations.html#provider-attribute-removal
To move this pull request forward, the recommended actions are:
- Reverting all changes to the existing data sources, resources, testing, and documentation
- Adding `Deprecated: "Use the aws_secretsmanager_secret_rotation resource instead"` and `Computed: true` to the affected `aws_secretsmanager_secret` resource attributes: `rotation_enabled`, `rotation_lambda_arn`, and `rotation_rules`
- Adding information about the deprecation to the `aws_secretsmanager_secret` resource documentation in the existing Rotation Configuration section and for each of those attributes, e.g.
    * `rotation_rules` - (Optional) ... existing text ... **DEPRECATED:** Use the [`aws_secretsmanager_secret_rotation` resource](/docs/providers/aws/r/secretsmanager_secret_rotation.html) instead.
Please reach out if you have any questions or do not have time to implement this.
bump
Is there anything else I can do here to get this moving forward?
@bflad and @kelvin-acosta - please can somebody, likely Brian, define what more needs doing? Looks like there is a merge conflict, but scrolling through the posts and comments it appears everything is complete. We are very keen to see this merged so we can start using existing lambdas with Terraform.
Sorry for the delay here! We do want to get this in this or next week's release.
Thank you for your reply! Looking forward to it.
Awesome, let me know what I can do here!
Thanks so much for sticking through the changes and fixing this for everyone, @kelvin-acosta 🚀 Test failures will be addressed post-merge, per other review comment.
Output from acceptance testing:
```text
--- PASS: TestAccAwsSecretsManagerSecret_policy (16.61s)
--- PASS: TestAccAwsSecretsManagerSecret_withNamePrefix (18.88s)
--- PASS: TestAccAwsSecretsManagerSecret_Basic (19.04s)
--- PASS: TestAccAwsSecretsManagerSecret_Description (29.87s)
--- PASS: TestAccAwsSecretsManagerSecret_KmsKeyID (38.81s)
--- PASS: TestAccAwsSecretsManagerSecret_RecoveryWindowInDays_Recreate (45.96s)
TestAccAwsSecretsManagerSecret_RotationLambdaARN: testing.go:684: Step 2 error: Check failed: Check 2/3 error: aws_secretsmanager_secret.test: Attribute 'rotation_enabled' expected "false", got "true"
--- PASS: TestAccAwsSecretsManagerSecret_Tags (52.22s)
--- FAIL: TestAccAwsSecretsManagerSecret_RotationLambdaARN (56.77s)
TestAccAwsSecretsManagerSecret_RotationRules: testing.go:684: Step 2 error: Check failed: Check 2/3 error: aws_secretsmanager_secret.test: Attribute 'rotation_enabled' expected "false", got "true"
--- FAIL: TestAccAwsSecretsManagerSecret_RotationRules (64.77s)
--- PASS: TestAccAwsSecretsManagerSecretRotation (60.53s)
--- PASS: TestAccDataSourceAwsSecretsManagerSecretRotation_Basic (49.62s)
--- PASS: TestAccDataSourceAwsSecretsManagerSecret_Basic (8.24s)
--- PASS: TestAccDataSourceAwsSecretsManagerSecret_ARN (20.25s)
--- PASS: TestAccDataSourceAwsSecretsManagerSecret_Policy (20.68s)
--- PASS: TestAccDataSourceAwsSecretsManagerSecret_Name (21.14s)
```
Review comment on `aws/resource_aws_secretsmanager_secret.go` (schema excerpt as shown in the review):
```go
			Computed: true,
			Deprecated: "Use the aws_secretsmanager_secret_rotation resource instead",
			Type:       schema.TypeBool,
			Computed:   true,
		},
		"rotation_lambda_arn": {
```
Since these attributes are `Computed: true` now (which is required for supporting the new resource), it will no longer be possible to remove this configuration and have Terraform remove the rotation in this resource. I will add some additional verbiage in the resource documentation and CHANGELOG around this behavior change.
This has been released in version 2.67.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Context: We use this lambda for multi-user secret rotation: https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSPostgreSQLRotationMultiUser/lambda_function.py
We currently use two resources to create a rotating secret in Secrets Manager:
- `aws_secretsmanager_secret`
- `aws_secretsmanager_secret_version`
The way the `aws_secretsmanager_secret` resource currently works is that you can create a secret and configure rotation for it. Creating a secret version is separate. When rotation is enabled it causes the secret to rotate once immediately. This is happening before we get to store the secret, which is where we start running into our issue. The docs say:
> Configuring rotation causes the secret to rotate once as soon as you store the secret.
But instead it is actually true that:
> Configuring rotation causes the secret to rotate once as soon as rotation is enabled/configured.
The lambda then kicks off before the secret version has been created and throws an error stating that the secret version with which the lambda kicked off has no stage for rotation of the secret, because by the time the lambda is running, a secret version resource has been created and the secret version is now different.
Concerns: I had to remove the ability to enable secret rotation in the resource `aws_secretsmanager_secret`, because otherwise there would be two resources managing the state of the rotation configuration.
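Added example in HCL, not configuration from this pull request or from the provider's own documentation. It covers two points from the thread: the migration the review comment asks for (moving `rotation_lambda_arn` and `rotation_rules` off `aws_secretsmanager_secret`, which the 2.67.0 release deprecates in favour of `aws_secretsmanager_secret_rotation`), and the ordering failure in the description, where enabling rotation before any version is stored starts the rotation lambda against a secret with no value. The Lambda resource name `aws_lambda_function.rotation`, the secret name, the `initial_db_password` variable and the `depends_on` edge are assumptions of this example.

```hcl
# Added example; not part of the pull request or the provider docs.
# Assumes Terraform AWS provider >= 2.67.0 (aws_secretsmanager_secret_rotation exists)
# and an existing rotation function referenced as aws_lambda_function.rotation (assumed name).

variable "initial_db_password" {
  type      = string
  sensitive = true # Terraform 0.14+; drop this line on older versions
}

# BEFORE (deprecated form): rotation configured inline on the secret.
# Enabling rotation here triggers an immediate rotation that races the
# aws_secretsmanager_secret_version below, which is the failure the description reports.
#
# resource "aws_secretsmanager_secret" "db" {
#   name                = "example/db-credentials"
#   rotation_lambda_arn = aws_lambda_function.rotation.arn
#   rotation_rules {
#     automatically_after_days = 30
#   }
# }

# AFTER: the secret carries no rotation settings at all.
resource "aws_secretsmanager_secret" "db" {
  name = "example/db-credentials" # assumed name
}

# Store the initial value first so the secret has a current version to rotate from.
resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({
    username = "app"                     # assumed user name
    password = var.initial_db_password  # injected, never a literal in config
  })
}

# Rotation lives in its own resource. The depends_on edge (this example's choice)
# makes Terraform create the version before it configures rotation, so the first
# rotation run finds a stored value instead of an empty secret.
resource "aws_secretsmanager_secret_rotation" "db" {
  secret_id           = aws_secretsmanager_secret.db.id
  rotation_lambda_arn = aws_lambda_function.rotation.arn

  rotation_rules {
    automatically_after_days = 30
  }

  depends_on = [aws_secretsmanager_secret_version.db]
}
```

Two caveats follow from the thread rather than from this example. First, as the review comment notes, the deprecated attributes are now `Computed`, so deleting `rotation_lambda_arn` and `rotation_rules` from an `aws_secretsmanager_secret` block does not disable rotation on the secret; only the new resource manages it. Second, configuring rotation starts an immediate rotation, so for a secret that already rotates, bring the new resource under management with `terraform import` rather than letting `apply` create it and kick off another rotation.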