Move tag creation for secrets manager from being a seperate step to be part of the creati…

[syntastical]

…on. This is necessary when IAM policies are in place that have conditions for RequestTag.

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Fixes #0000

Release note for CHANGELOG:

Tags will now be created as part of the initial secret creation.  This will accommodate IAM policies that have aws:RequestTag in the condition block.

Output from acceptance testing:

make testacc TEST=./aws TESTARGS='-run=TestAccAwsSecretsManager*'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -parallel 20 -run=TestAccAwsSecretsManager* -timeout 120m
=== RUN   TestAccAwsSecretsManagerSecret_Basic
=== PAUSE TestAccAwsSecretsManagerSecret_Basic
=== RUN   TestAccAwsSecretsManagerSecret_withNamePrefix
=== PAUSE TestAccAwsSecretsManagerSecret_withNamePrefix
=== RUN   TestAccAwsSecretsManagerSecret_Description
=== PAUSE TestAccAwsSecretsManagerSecret_Description
=== RUN   TestAccAwsSecretsManagerSecret_KmsKeyID
=== PAUSE TestAccAwsSecretsManagerSecret_KmsKeyID
=== RUN   TestAccAwsSecretsManagerSecret_RecoveryWindowInDays_Recreate
=== PAUSE TestAccAwsSecretsManagerSecret_RecoveryWindowInDays_Recreate
=== RUN   TestAccAwsSecretsManagerSecret_RotationLambdaARN
=== PAUSE TestAccAwsSecretsManagerSecret_RotationLambdaARN
=== RUN   TestAccAwsSecretsManagerSecret_RotationRules
=== PAUSE TestAccAwsSecretsManagerSecret_RotationRules
=== RUN   TestAccAwsSecretsManagerSecret_Tags
=== PAUSE TestAccAwsSecretsManagerSecret_Tags
=== RUN   TestAccAwsSecretsManagerSecret_policy
=== PAUSE TestAccAwsSecretsManagerSecret_policy
=== RUN   TestAccAwsSecretsManagerSecretVersion_BasicString
=== PAUSE TestAccAwsSecretsManagerSecretVersion_BasicString
=== RUN   TestAccAwsSecretsManagerSecretVersion_Base64Binary
=== PAUSE TestAccAwsSecretsManagerSecretVersion_Base64Binary
=== RUN   TestAccAwsSecretsManagerSecretVersion_VersionStages
=== PAUSE TestAccAwsSecretsManagerSecretVersion_VersionStages
=== CONT  TestAccAwsSecretsManagerSecret_Basic
=== CONT  TestAccAwsSecretsManagerSecretVersion_VersionStages
=== CONT  TestAccAwsSecretsManagerSecret_Tags
=== CONT  TestAccAwsSecretsManagerSecret_RotationLambdaARN
=== CONT  TestAccAwsSecretsManagerSecret_RecoveryWindowInDays_Recreate
=== CONT  TestAccAwsSecretsManagerSecret_KmsKeyID
=== CONT  TestAccAwsSecretsManagerSecret_RotationRules
=== CONT  TestAccAwsSecretsManagerSecret_Description
=== CONT  TestAccAwsSecretsManagerSecretVersion_Base64Binary
=== CONT  TestAccAwsSecretsManagerSecretVersion_BasicString
=== CONT  TestAccAwsSecretsManagerSecret_policy
=== CONT  TestAccAwsSecretsManagerSecret_withNamePrefix
--- PASS: TestAccAwsSecretsManagerSecret_policy (13.25s)
--- PASS: TestAccAwsSecretsManagerSecret_Basic (15.06s)
--- PASS: TestAccAwsSecretsManagerSecret_withNamePrefix (15.08s)
--- PASS: TestAccAwsSecretsManagerSecretVersion_BasicString (16.01s)
--- PASS: TestAccAwsSecretsManagerSecretVersion_Base64Binary (16.15s)
--- PASS: TestAccAwsSecretsManagerSecret_Description (24.31s)
--- PASS: TestAccAwsSecretsManagerSecretVersion_VersionStages (35.71s)
--- PASS: TestAccAwsSecretsManagerSecret_RecoveryWindowInDays_Recreate (41.21s)
--- PASS: TestAccAwsSecretsManagerSecret_Tags (42.95s)
--- PASS: TestAccAwsSecretsManagerSecret_RotationRules (49.37s)
--- PASS: TestAccAwsSecretsManagerSecret_RotationLambdaARN (50.14s)
--- PASS: TestAccAwsSecretsManagerSecret_KmsKeyID (50.87s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       50.941s
...

[bflad]

Thanks for this, @syntastical 🚀

Output from acceptance testing in AWS Commercial:

--- PASS: TestAccAwsSecretsManagerSecret_policy (10.26s)
--- PASS: TestAccAwsSecretsManagerSecret_withNamePrefix (11.06s)
--- PASS: TestAccAwsSecretsManagerSecret_Basic (11.30s)
--- PASS: TestAccAwsSecretsManagerSecretVersion_BasicString (11.61s)
--- PASS: TestAccAwsSecretsManagerSecretVersion_Base64Binary (11.67s)
--- PASS: TestAccAwsSecretsManagerSecret_Description (16.23s)
--- PASS: TestAccAwsSecretsManagerSecretVersion_VersionStages (20.71s)
--- PASS: TestAccAwsSecretsManagerSecret_Tags (25.66s)
--- PASS: TestAccAwsSecretsManagerSecret_RotationRules (32.84s)
--- PASS: TestAccAwsSecretsManagerSecret_RotationLambdaARN (34.45s)
--- PASS: TestAccAwsSecretsManagerSecret_KmsKeyID (35.86s)
--- PASS: TestAccAwsSecretsManagerSecret_RecoveryWindowInDays_Recreate (51.73s)

Output from acceptance testing in AWS GovCloud (US):

--- PASS: TestAccAwsSecretsManagerSecret_policy (8.68s)
--- PASS: TestAccAwsSecretsManagerSecret_withNamePrefix (9.46s)
--- PASS: TestAccAwsSecretsManagerSecretVersion_BasicString (9.64s)
--- PASS: TestAccAwsSecretsManagerSecret_Basic (10.07s)
--- PASS: TestAccAwsSecretsManagerSecretVersion_Base64Binary (10.11s)
--- PASS: TestAccAwsSecretsManagerSecret_Description (11.33s)
--- PASS: TestAccAwsSecretsManagerSecretVersion_VersionStages (13.19s)
--- PASS: TestAccAwsSecretsManagerSecret_Tags (14.24s)
--- PASS: TestAccAwsSecretsManagerSecret_RotationRules (16.46s)
--- PASS: TestAccAwsSecretsManagerSecret_RotationLambdaARN (16.80s)
--- PASS: TestAccAwsSecretsManagerSecret_KmsKeyID (30.12s)
--- PASS: TestAccAwsSecretsManagerSecret_RecoveryWindowInDays_Recreate (45.91s)

[syntastical]

@bflad Hey Brian, I was wondering, you included the AWS GovCloud and AWS Commercial test output, was I supposed to do that?

[bflad]

@syntastical showing passing acceptance testing in AWS Commercial is generally good enough for community contributions as we understand that not everyone has an AWS GovCloud (US) account. The maintainers will always re-run AWS Commercial testing to ensure that special testing account setup wasn't used and that it passes before merging for release, but in the case of switching Terraform resources from tag-after-create to tag-on-create, we have seen that sometimes AWS GovCloud (US) has not received the API update yet so we try to be extra careful with this particular type of update to ensure we aren't introducing a regression there.

[bflad]

This has been released in version 2.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!