awscc_secretsmanager_secret fail validation Exception: [REPLACE Operation] noSuchPath in │ source, path provided: //GenerateSecretString/ExcludeLowercase #1021

Closed
jackywong-amazon opened this issue Jun 26, 2023 · 4 comments · Fixed by #1737
Labels
bug upstream-aws Unable to proceed due to missing or broken functionality from an AWS dependency.

Comments


jackywong-amazon commented Jun 26, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.5.0
on darwin_arm64

provider registry.terraform.io/hashicorp/awscc v0.53.0

Affected Resource(s)

awscc_secretsmanager_secret

Terraform Configuration Files

resource "awscc_secretsmanager_secret" "gen_secret" {
  name = "gen_secret"
  description = "this is a user-provided description of the secret"

  generate_secret_string = {
    exclude_lowercase = true
  }
}

Debug Output

Error: AWS SDK Go Service Operation Unsuccessful
│
│ with awscc_secretsmanager_secret.gen_secret,
│ on secretsmanager_secret_generate_secret.tf line 1, in resource "awscc_secretsmanager_secret" "gen_secret":
│ 1: resource "awscc_secretsmanager_secret" "gen_secret" {
│
│ Calling Cloud Control API service UpdateResource operation returned: operation error CloudControl: UpdateResource, https response error
│ StatusCode: 400, RequestID: 6902774e-c4ee-41e3-83bd-fd9380e3ee71, api error ValidationException: [REPLACE Operation] noSuchPath in
│ source, path provided: //GenerateSecretString/ExcludeLowercase

Expected Behavior

Update the resource correctly

Actual Behavior

Failed to update from

generate_secret_string = {
  exclude_lowercase = true
}

to

generate_secret_string = {
  exclude_lowercase = false
}

Unable to pick up the path provided: //GenerateSecretString/ExcludeLowercase

Steps to Reproduce

  1. terraform plan
  2. terraform apply
  3. Resource is provisioned
  4. Update

     generate_secret_string = {
       exclude_lowercase = true
     }

     to

     generate_secret_string = {
       exclude_lowercase = false
     }

  5. terraform plan
  6. terraform apply

References

Similar issue: #999

Statefile:

"provider": "provider[\"registry.terraform.io/hashicorp/awscc\"]",
"instances": [
  {
    "schema_version": 1,
    "attributes": {
      "description": "this is a user-provided description of the secret",
      "generate_secret_string": {
        "exclude_characters": null,
        "exclude_lowercase": true,
        "exclude_numbers": null,
        "exclude_punctuation": null,
        "exclude_uppercase": null,
        "generate_string_key": null,
        "include_space": null,
        "password_length": null,
        "require_each_included_type": null,
        "secret_string_template": null
      },

kadrach commented Aug 29, 2023

This is an upstream issue. Out of curiosity, what would you expect to happen in this case - a secret would have been generated on the initial create.

Would you expect this change to overwrite the previously created secret?

@wellsiau-aws wellsiau-aws added bug upstream-aws Unable to proceed due to missing or broken functionality from an AWS dependency. and removed needs-triage labels Sep 7, 2023
@wellsiau-aws

From reading the CFN schema, GenerateSecretString will not trigger replacement, therefore the expectation is for the secret to be re-generated in an in-place update.

@wellsiau-aws

GenerateSecretString is listed under writeOnlyProperties, as shown below. As far as I can tell, the provider currently does not have specific logic to handle this.

aws cloudformation describe-type --type RESOURCE --type-name AWS::SecretsManager::Secret | jq -r ".Schema" 
{
  "typeName": "AWS::SecretsManager::Secret",
  "$schema": "https://schema.cloudformation.us-east-1.amazonaws.com/provider.definition.schema.v1.json",
  "description": "Resource Type definition for AWS::SecretsManager::Secret",
  "sourceUrl": "https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-secretsmanager.git",
  "additionalProperties": false,
  "properties": {
    "Description": {
      "type": "string",
      "description": "(Optional) Specifies a user-provided description of the secret."
    },
    "KmsKeyId": {
      "type": "string",
      "description": "(Optional) Specifies the ARN, Key ID, or alias of the AWS KMS customer master key (CMK) used to encrypt the SecretString."
    },
    "SecretString": {
      "type": "string",
      "description": "(Optional) Specifies text data that you want to encrypt and store in this new version of the secret."
    },
    "GenerateSecretString": {
      "$ref": "#/definitions/GenerateSecretString",
      "description": "(Optional) Specifies text data that you want to encrypt and store in this new version of the secret."
    },
    "ReplicaRegions": {
      "type": "array",
      "description": "(Optional) A list of ReplicaRegion objects. The ReplicaRegion type consists of a Region (required) and the KmsKeyId which can be an ARN, Key ID, or Alias.",
      "uniqueItems": false,
      "insertionOrder": false,
      "items": {
        "$ref": "#/definitions/ReplicaRegion"
      }
    },
    "Id": {
      "type": "string",
      "description": "secret Id, the Arn of the resource."
    },
    "Tags": {
      "type": "array",
      "description": "The list of user-defined tags associated with the secret. Use tags to manage your AWS resources. For additional information about tags, see TagResource.",
      "uniqueItems": false,
      "insertionOrder": false,
      "items": {
        "$ref": "#/definitions/Tag"
      }
    },
    "Name": {
      "type": "string",
      "description": "The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy."
    }
  },
  "definitions": {
    "GenerateSecretString": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "ExcludeUppercase": {
          "type": "boolean",
          "description": "Specifies that the generated password should not include uppercase letters. The default behavior is False, and the generated password can include uppercase letters. "
        },
        "RequireEachIncludedType": {
          "type": "boolean",
          "description": "Specifies whether the generated password must include at least one of every allowed character type. By default, Secrets Manager enables this parameter, and the generated password includes at least one of every character type."
        },
        "IncludeSpace": {
          "type": "boolean",
          "description": "Specifies that the generated password can include the space character. By default, Secrets Manager disables this parameter, and the generated password doesn't include space"
        },
        "ExcludeCharacters": {
          "type": "string",
          "description": "A string that excludes characters in the generated password. By default, all characters from the included sets can be used. The string can be a minimum length of 0 characters and a maximum length of 7168 characters. "
        },
        "GenerateStringKey": {
          "type": "string",
          "description": "The JSON key name used to add the generated password to the JSON structure specified by the SecretStringTemplate parameter. If you specify this parameter, then you must also specify SecretStringTemplate. "
        },
        "PasswordLength": {
          "type": "integer",
          "description": "The desired length of the generated password. The default value if you do not include this parameter is 32 characters. "
        },
        "ExcludePunctuation": {
          "type": "boolean",
          "description": "Specifies that the generated password should not include punctuation characters. The default if you do not include this switch parameter is that punctuation characters can be included. "
        },
        "ExcludeLowercase": {
          "type": "boolean",
          "description": "Specifies the generated password should not include lowercase letters. By default, ecrets Manager disables this parameter, and the generated password can include lowercase False, and the generated password can include lowercase letters."
        },
        "SecretStringTemplate": {
          "type": "string",
          "description": "A properly structured JSON string that the generated password can be added to. If you specify this parameter, then you must also specify GenerateStringKey."
        },
        "ExcludeNumbers": {
          "type": "boolean",
          "description": "Specifies that the generated password should exclude digits. By default, Secrets Manager does not enable the parameter, False, and the generated password can include digits."
        }
      }
    },
    "ReplicaRegion": {
      "type": "object",
      "description": "A custom type that specifies a Region and the KmsKeyId for a replica secret.",
      "additionalProperties": false,
      "properties": {
        "KmsKeyId": {
          "type": "string",
          "description": "The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don't include this field, Secrets Manager uses aws/secretsmanager."
        },
        "Region": {
          "type": "string",
          "description": "(Optional) A string that represents a Region, for example \"us-east-1\"."
        }
      },
      "required": [
        "Region"
      ]
    },
    "Tag": {
      "type": "object",
      "description": "A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string.",
      "additionalProperties": false,
      "properties": {
        "Value": {
          "type": "string",
          "description": "The key name of the tag. You can specify a value that's 1 to 128 Unicode characters in length and can't be prefixed with aws."
        },
        "Key": {
          "type": "string",
          "description": "The value for the tag. You can specify a value that's 1 to 256 characters in length."
        }
      },
      "required": [
        "Value",
        "Key"
      ]
    }
  },
  "tagging": {
    "taggable": true,
    "tagOnCreate": true,
    "tagUpdatable": true,
    "cloudFormationSystemTags": true,
    "tagProperty": "/properties/Tags"
  },
  "createOnlyProperties": [
    "/properties/Name"
  ],
  "primaryIdentifier": [
    "/properties/Id"
  ],
  "readOnlyProperties": [
    "/properties/Id"
  ],
  "writeOnlyProperties": [
    "/properties/SecretString",
    "/properties/GenerateSecretString"
  ],
  "handlers": {
    "create": {
      "permissions": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetRandomPassword",
        "secretsmanager:CreateSecret",
        "secretsmanager:TagResource"
      ]
    },
    "delete": {
      "permissions": [
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:RemoveRegionsFromReplication"
      ]
    },
    "list": {
      "permissions": [
        "secretsmanager:ListSecrets"
      ]
    },
    "read": {
      "permissions": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ]
    },
    "update": {
      "permissions": [
        "secretsmanager:UpdateSecret",
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource",
        "secretsmanager:GetRandomPassword",
        "secretsmanager:GetSecretValue",
        "secretsmanager:ReplicateSecretToRegions",
        "secretsmanager:RemoveRegionsFromReplication"
      ]
    }
  }
}
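To make the write-only point concrete, here is an added illustration (not the provider's code, and deliberately simplified): Cloud Control API UpdateResource takes a JSON Patch (RFC 6902) document, a `replace` op requires its target path to exist in the current model, and a write-only property is never returned by the read handler, so a diff computed against Terraform's prior state emits a REPLACE the server cannot resolve, while a diff computed against what the read handler actually returns emits an `add` of the whole block. The sample model, ARN placeholder and helper names are constructed for this example.

```python
import copy

# Constructed sample data (not from a real account). The read handler never
# returns write-only properties, so the model the server holds looks like this:
SERVER_MODEL = {
    "Id": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:gen_secret-PLACEHOLDER",
    "Name": "gen_secret",
    "Description": "this is a user-provided description of the secret",
}
# Terraform's prior state still carries the block it sent on create; the
# planned state flips exclude_lowercase from true to false.
PRIOR_STATE = {**SERVER_MODEL, "GenerateSecretString": {"ExcludeLowercase": True}}
PLANNED_STATE = {**SERVER_MODEL, "GenerateSecretString": {"ExcludeLowercase": False}}


def patch_ops(source, desired):
    """RFC 6902 ops turning `source` into `desired`: `add` when the key is absent
    from the source, `replace` when a leaf differs (removals not needed here)."""
    ops = []
    def walk(src, dst, path):
        for key, val in dst.items():
            here = f"{path}/{key}"
            if key not in src:
                ops.append({"op": "add", "path": here, "value": val})
            elif isinstance(val, dict) and isinstance(src[key], dict):
                walk(src[key], val, here)
            elif src[key] != val:
                ops.append({"op": "replace", "path": here, "value": val})
    walk(source, desired, "")
    return ops


def apply_patch(doc, ops):
    """Apply add/replace with strict RFC 6902 semantics: every parent must exist,
    and `replace` also needs the target. Returns ("ok", doc) or ("error", msg)."""
    doc = copy.deepcopy(doc)
    for op in ops:
        *parents, leaf = op["path"].lstrip("/").split("/")
        node = doc
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if not isinstance(node, dict) or (op["op"] == "replace" and leaf not in node):
            msg = f"[{op['op'].upper()} Operation] noSuchPath in source, path provided: {op['path']}"
            return "error", msg
        node[leaf] = op["value"]
    return "ok", doc


# Prior vs planned state (what the report hits): a REPLACE on a path the server lacks.
FAILING_OPS = patch_ops(PRIOR_STATE, PLANNED_STATE)
# Against what the read handler returns: an ADD of the whole block, which applies cleanly.
WORKING_OPS = patch_ops(SERVER_MODEL, PLANNED_STATE)
```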

@wellsiau-aws

relates to #1149
