Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Terraform | Secrets Manager | Reuse of existing secrets without deleting

Tags:

amazon-web-services

terraform

aws-secrets-manager

I am creating Secrets in AWS using Terraform code. My Jenkins pipeline will create the infrastructure every 2 hours and destroys it. Once Infrastructure re-creates after 2 hours, it happened that, AWS Secrets is not allowing me to re-create again and throwing me with below error. Please suggest.

Error: error creating Secrets Manager Secret: InvalidRequestException: You can't create this secret because a secret with this name is already scheduled for deletion.
    status code: 400, request id: e4f8cc85-29a4-46ff-911d-c5115716adc5

TF code:-

resource "aws_secretsmanager_secret" "secret" {
  description         = "${var.environment}"
  kms_key_id          = "${data.aws_kms_key.sm.arn}"
  name                = "${var.environment}-airflow-secret"
}
resource "random_string" "rds_password" {
  length = 16
  special = true
}


resource "aws_secretsmanager_secret_version" "secret" {
  secret_id     = "${aws_secretsmanager_secret.secret.id}"
  secret_string = <<EOF
{
  "rds_password": "${random_string.rds_password.result}"
  }
EOF
}

TF code plan output:-

  # module.aws_af_aws_secretsmanager_secret.secret will be created
  + resource "aws_secretsmanager_secret" "secret" {
      + arn                     = (known after apply)
      + description             = "dev-airflow-secret"
      + id                      = (known after apply)
      + kms_key_id              = "arn:aws:kms:eu-central-1"
      + name                    = "dev-airflow-secret"
      + name_prefix             = (known after apply)
      + recovery_window_in_days = 30
      + rotation_enabled        = (known after apply)
    }

  # module.aws_af.aws_secretsmanager_secret_version.secret will be created
  + resource "aws_secretsmanager_secret_version" "secret" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }
like image 855
asur Avatar asked Aug 09 '19 14:08

asur

People also ask

How can I immediately delete a secrets Manager secret so that I can create a new secret with the same name?

Open the Secrets Manager console. In the navigation pane, choose Secrets. Choose the settings icon, and then in Preferences, select Show secrets scheduled for deletion. In Visible columns, turn on the Deleted on toggle switch, and then choose Save.

How do I get rid of AWS Secret immediately?

To delete a secret (console)Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/ . In the list of secrets, choose the secret you want to delete. In the Secret details section, choose Actions, and then choose Delete secret.

What is secret ID in secret Manager?

The secret-id doesn't need to be a secret. The value of that ID is the secret. The secret-id tells Secrets Manager which value to retrieve.

1 Answers

You need to set the recovery window to 0 for immediate deletion of secrets.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#recovery_window_in_days

recovery_window_in_days - (Optional) Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

like image 159
Chris Fowles Avatar answered Sep 27 '22 16:09

Chris Fowles
Sign in to Comment

Related questions

Processing SQS queues with boto
Why using a common hash key with AWS DynamoDB is a bad thing?
Amazon S3 Folder Level Permissions
Hex string to integer conversion in Amazon Redshift
AWS S3 - Listing all objects inside a folder without the prefix
CloudFormation: Template error: every Ref object must have a single String value
Avoid throttle dynamoDB
How to check when is the last time S3 bucket has been updated?
Aws s3 reduced redundancy costs the same as standard?
AWS CloudFormation w/ AWS::ApiGateway::RestApi gives Invalid REST API identifier specified
missing region; use :region option or export region name to ENV['AWS_REGION']
Stopping task on AWS ECS via CLI (program output as argument input bash)
What is the maximum number of event source mappings per AWS Lambda?
How to create a nested Resource path in AWS RestAPI using Cloudformation?
Aws lambda not connecting with Dynamo Db
AWS ECS - exit code 137
AWS CodePipeline build lacks Git history
Destroy resources created via Serverless without destroying Lambda endpoints
How to debug failed fargate task initialization
AWS secure REST API with mutual authentication

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!