[Bug]: aws_secretsmanager_secret_rotation switch from automatically_after_days to schedule_expression failed #30540

Closed
CyrilDevOps opened this issue Apr 7, 2023 · 9 comments · Fixed by #31915
Labels
bug Addresses a defect in current functionality. service/secretsmanager Issues and PRs that pertain to the secretsmanager service.

@CyrilDevOps

CyrilDevOps commented Apr 7, 2023

Terraform Core Version

1.4.4

AWS Provider Version

4.62.0

Affected Resource(s)

resource "aws_secretsmanager_secret_rotation" "rotation" {

  rotation_lambda_arn = var.aurora_secrets_rotation_lambda_arn
  secret_id           = aws_secretsmanager_secret.secret.id

  rotation_rules {
    automatically_after_days = local.t_days
    schedule_expression = local.t_schedule
  }
}

Expected Behavior

In the past we only used

  rotation_rules {
    automatically_after_days = local.t_days
  }

Now we switch to a cron-style schedule with:

  rotation_rules {
    automatically_after_days = local.t_days
    schedule_expression = local.t_schedule
  }

where local.t_days is null
and
local.t_schedule = "cron(...)"

I wanted to keep the same aws_secretsmanager_secret_rotation to do an update instead of having two different resources with count for both configs (days/schedule),
but during the apply I got the error:

│ Error: updating Secrets Manager Secret Rotation "arn:aws:secretsmanager:us-west-2:123456:secret:/secrets-rQ6Iq5" : InvalidParameterException: You cannot specify both rotation frequency and schedule expression together.

Actual Behavior

plan returns:

  # module.databases_secrets["xx"].module.secrets["xxxx"].aws_secretsmanager_secret_rotation.rotation[0] will be updated in-place
  ~ resource "aws_secretsmanager_secret_rotation" "rotation" {
        id                  = "arn:aws:secretsmanager:us-west-2:123456:secret:/secrets-rQ6Iq5"
        # (3 unchanged attributes hidden)

      ~ rotation_rules {
          + schedule_expression      = "cron(0 0 ? * SAT#1 *)"
            # (1 unchanged attribute hidden)
        }
    }

doesn't seem to catch the removal of automatically_after_days
and the apply gave me:

│ Error: updating Secrets Manager Secret Rotation "arn:aws:secretsmanager:us-west-2:123456:secret:/secrets-rQ6Iq5" : InvalidParameterException: You cannot specify both rotation frequency and schedule expression together.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_secretsmanager_secret_rotation" "rotation" {

  rotation_lambda_arn = var.aurora_secrets_rotation_lambda_arn
  secret_id           = aws_secretsmanager_secret.secret.id

  rotation_rules {
    automatically_after_days = local.t_days
    schedule_expression = local.t_schedule
  }
}

Based on my tfvars file, local.t_days has a value and local.t_schedule is null, or local.t_days is null and local.t_schedule has a cron-style schedule

Steps to Reproduce

moving from a days config (aws provider <4.62.0)

resource "aws_secretsmanager_secret_rotation" "rotation" {

  rotation_lambda_arn = var.aurora_secrets_rotation_lambda_arn
  secret_id           = aws_secretsmanager_secret.secret.id

  rotation_rules {
    automatically_after_days = local.t_days
  }
}

to a schedule config :

resource "aws_secretsmanager_secret_rotation" "rotation" {

  rotation_lambda_arn = var.aurora_secrets_rotation_lambda_arn
  secret_id           = aws_secretsmanager_secret.secret.id

  rotation_rules {
    automatically_after_days = local.t_days
    schedule_expression = local.t_schedule
  }
}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@CyrilDevOps CyrilDevOps added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Apr 7, 2023
@github-actions

github-actions bot commented Apr 7, 2023

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/secretsmanager Issues and PRs that pertain to the secretsmanager service. label Apr 7, 2023
@CyrilDevOps
Author

I wanted to avoid two resources and count for both styles of config, as our config today is with days (aws < 4.62) but we want to move them to cron style.
A two-resource config may create a 'problem', as one would be destroyed and one would be created but they point to the same secrets, so if the order is wrong, I would have no rotation at all.
I also wanted to update the schedule but not force an immediate rotation (I don't know if AWS allows that).

@CyrilDevOps
Author

CyrilDevOps commented Apr 7, 2023

Same error when using the setup :

  dynamic "rotation_rules" {
    for_each = local.t_days != null ? [1] : []
    content {
      automatically_after_days = local.t_days
    }
  }

  dynamic "rotation_rules" {
    for_each = local.t_schedule != null ? [1] : []
    content {
      schedule_expression = local.t_schedule
    }
  }

@CyrilDevOps
Author

CyrilDevOps commented Apr 19, 2023

Same problem when I try to change an existing schedule_expression :

  # module.databases_secrets["xxxx"].module.root.aws_secretsmanager_secret_rotation.rotation_schedule[0] will be updated in-place
      ~ rotation_rules {
          ~ schedule_expression      = "cron(0 0 ? * SAT#1 *)" -> "cron(0 0 ? * SUN#1 *)"
            # (1 unchanged attribute hidden)
        }

│ Error: updating Secrets Manager Secret Rotation "arn:aws:secretsmanager:us-east-1:xxxx:secret:/monsecret-123456" : InvalidParameterException: You cannot specify both rotation frequency and schedule expression together.

@g-dx
Contributor

g-dx commented Apr 24, 2023

Original PR is: #30425

@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Apr 27, 2023
@joaocfernandes

Same problem when I try to change an existing schedule_expression :

  # module.databases_secrets["xxxx"].module.root.aws_secretsmanager_secret_rotation.rotation_schedule[0] will be updated in-place
      ~ rotation_rules {
          ~ schedule_expression      = "cron(0 0 ? * SAT#1 *)" -> "cron(0 0 ? * SUN#1 *)"
            # (1 unchanged attribute hidden)
        }

│ Error: updating Secrets Manager Secret Rotation "arn:aws:secretsmanager:us-east-1:xxxx:secret:/monsecret-123456" : InvalidParameterException: You cannot specify both rotation frequency and schedule expression together.

I am also affected by this.

  rotation_rules {
    schedule_expression = "cron(0 14 1/2 * ? *)"
  }

Plan result:


      ~ rotation_rules {
          ~ schedule_expression      = "cron(0 18 1/2 * ? *)" -> "cron(0 14 1/2 * ? *)"
            # (1 unchanged attribute hidden)
        }

Apply result:

Error: updating Secrets Manager Secret Rotation "arn:aws:secretsmanager:region:xyzw:secret:/mysecret/credentials-xyzw" :

InvalidParameterException: You cannot specify both rotation frequency and schedule expression together.

@matthewmi

I just seem to have run into this issue as well; however, my plan is not even changing any of the rotation rules.

I have a secret and its rotation already set up using a schedule_expression; the change I'm making is only for the rotation_lambda_arn (I have renamed my lambda), but I am also getting the error

 InvalidParameterException: You cannot specify both rotation frequency and schedule expression together.

@github-actions

github-actions bot commented Jul 7, 2023

This functionality has been released in v5.7.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
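
An added example, not part of the original thread or the provider's own code: the reporter's single-resource layout with the provider pinned to the release named above, plus a guard that fails the plan unless exactly one of the two rotation settings is set. The variable names `rotation_days` and `rotation_schedule` are hypothetical; `var.aurora_secrets_rotation_lambda_arn` and `aws_secretsmanager_secret.secret` are taken from the reporter's configuration and are assumed to be defined elsewhere.

```hcl
terraform {
  required_version = ">= 1.2.0" # lifecycle preconditions need Terraform 1.2+
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.7.0" # release named in this thread as carrying the fix
    }
  }
}

# Hypothetical inputs: set one in tfvars and leave the other null.
variable "rotation_days" {
  type    = number
  default = null
}

variable "rotation_schedule" {
  type    = string
  default = null

  validation {
    condition     = var.rotation_schedule == null ? true : can(regex("^(cron|rate)\\(.+\\)$", var.rotation_schedule))
    error_message = "Variable rotation_schedule must be a cron(...) or rate(...) expression."
  }
}

locals {
  t_days     = var.rotation_days
  t_schedule = var.rotation_schedule
}

resource "aws_secretsmanager_secret_rotation" "rotation" {
  rotation_lambda_arn = var.aurora_secrets_rotation_lambda_arn
  secret_id           = aws_secretsmanager_secret.secret.id

  rotation_rules {
    automatically_after_days = local.t_days     # null means "not set"
    schedule_expression      = local.t_schedule # null means "not set"
  }

  lifecycle {
    # Catch a both-set or neither-set configuration at plan time,
    # before the API can answer with InvalidParameterException.
    precondition {
      condition     = (local.t_days == null) != (local.t_schedule == null)
      error_message = "Set exactly one of rotation_days or rotation_schedule."
    }
  }
}
```

A failed apply leaves the previous rotation schedule in force, so after upgrading, confirm that the plan shows the expected `rotation_rules` change and that the apply completes.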

@github-actions

github-actions bot commented Aug 7, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 7, 2023