aws_secretsmanager_secret recreate

[becrsh]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

provider.aws v1.17.0

Affected Resource(s)

• aws_secretsmanager_secret

Terraform Configuration Files

resource "aws_secretsmanager_secret" "mongo_root" {
  name        = "${local.common_tags["Project"]}/MongoDB_root_Credential"
  description = "Credential for Admin User for MongoDB"

  tags = "${local.common_tags}"

}

Output

• aws_secretsmanager_secret.mongo_root: error creating Secrets Manager Secret: ResourceExistsException: The operation failed because the secret CapeCloud/MongoDB_root_Credential already exists.
  status code: 400, request id: 9fba0380-51d2-11e8-9d5d-25c00ab77b23

Expected Behavior

After a destroy and apply the secret should be recreated

Actual Behavior

Error is given that the secret already exists

Steps to Reproduce

1. terraform apply
2. terraform destroy
3. terraform apply

Important Factoids

In the documentation it is stated that secrets are not immediately deleted. Perhaps adding a name_prefix to the resource could solve this issue? See: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-restore-secret.html

References

[bflad]

Pull request submitted with support of the new ForceDeleteWithoutRecovery parameter for DeleteSecret: #5583

[bflad]

In version 1.33.0 of the AWS provider, likely releasing later today, the aws_secretsmanager_secret resource will support:

• Setting recovery_window_in_days to 0, which will "immediately" delete the secret (technically its an asynchronous process started in the background by the Secrets Manager service).
• On creation it will retry on InvalidRequestException: You can’t perform this operation on the secret because it was deleted. errors waiting for the background process to complete, which allows for recreating deleted secrets using the method above.

Please note for updating existing aws_secretsmanager_secret resources: updating the recovery_window_in_days argument must have terraform apply ran before any sort of deletion operation (e.g. terraform destroy, count = 0) for it to take effect.

[bflad]

This has been released in version 1.33.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[garyp]

Can you please add name_prefix support to aws_secretsmanager_secret as well? For some use cases we want the extra protection that recovery_window_in_days > 0 provides, so we don't accidentally blow away an important secret. In those cases it'd be helpful to use name_prefix to still allow a new version of the secret to be deleted before the old version has expired.

[bflad]

Hi @garyp 👋 Great idea -- I would suggest opening a new feature request instead of commenting on a closed one so it can properly accounted for and potentially implemented. 👍

[garyp]

@bflad Yes good point :) Created #6054.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!