diff --git a/content/blog/aws/secrets-2.md b/content/blog/aws/secrets-2.md new file mode 100644 index 0000000..9abccc6 --- /dev/null +++ b/content/blog/aws/secrets-2.md 
@@ -0,0 +1,61 @@ +--- +title: Enforcing AWS Secret version with OpenTofu/Terraform +description: A common pitfall +date: 2025-07-08 +tags: +- AWS +- OpenTofu +- Terraform +--- + +## Introduction + +Managing secrets in AWS is a common task. It is therefore surprising that the +default `aws_secretsmanager_secret_version` usage does not properly enforce a +secret value. + +At first glance, it appears to enforce secret versions properly because updating +the secret's value results in an updated AWS secret version accordingly. +Furthermore, if the secret is deleted then OpenTofu/Terraform will recreate it +with the proper value as well! However, the unexpected behavior occurs when the +value of the secret is manually changed: in that case, OpenTofu/Terraform will +do nothing to reconcile or restore the value. + +## Properly enforcing a secret value + +To solve this issue, the stage of the managed secret version needs to be +enforced. Given the following basic resources that generate a random password +and a secret: + +``` hcl +resource "random_password" "main" { + length = 64 +} + +resource "aws_secretsmanager_secret" "main" { + name = "secret" +} +``` + +A secret version stage can be enforced with: + +``` hcl +resource "aws_secretsmanager_secret_version" "main" { + secret_id = aws_secretsmanager_secret.main.id + secret_string = random_password.main.result + version_stages = ["AWSCURRENT"] +} +``` + +The important attribute in the context of this article is `version_stages`. +Though optional and not mentioned in [the example usages of the resource's +documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version), +it is what properly enforces this secret's value as the current version. + +## Conclusion + +I am in awe that I managed to go on for so many years without encountering this +particular issue! 
Systematically specifying the `version_stages` attribute in +all secret version resources is a boilerplate that I could have lived without, +but necessary to ensure reliability. I find solace knowing that any manual changes to a secret value performed +outside of OpenTofu/Terraform are now properly detected and corrected.
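Review bot: In the "Introduction" and "Properly enforcing a secret value" sections the post states that a manually changed value is not reconciled unless `version_stages = ["AWSCURRENT"]` is set, but never explains the mechanism, so readers cannot judge when the fix applies. Suggest adding one or two sentences after "it is what properly enforces this secret's value as the current version." describing what the provider compares on refresh when `version_stages` is omitted versus set, and, in the "Conclusion", stating what "detected and corrected" means in practice (whether the managed version is made current again or the secret string is rewritten), since that determines whether the manually written value still exists as an older version. Also worth a note in the first code block: `random_password.main.result` is stored in the state file, so the state must be protected as a secret too.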