feat(blog): add secrets enforcing with terraform
All checks were successful
/ all (push) Successful in 1m7s
This commit is contained in:
parent
7b1267ff06
commit
979e383df9
1 changed files with 61 additions and 0 deletions
61
content/blog/aws/secrets-2.md
Normal file
@ -0,0 +1,61 @@
---
title: Enforcing AWS Secret version with OpenTofu/Terraform
description: A common pitfall
date: 2025-07-08
tags:
- AWS
- OpenTofu
- Terraform
---

## Introduction

Managing secrets in AWS is a common task. It is therefore surprising that the
default `aws_secretsmanager_secret_version` usage does not properly enforce a
secret value.

At first glance, it appears to enforce secret versions properly because updating
the secret's value results in an updated AWS secret version accordingly.
Furthermore, if the secret is deleted then OpenTofu/Terraform will recreate it
with the proper value as well! However, the unexpected behavior occurs when the
value of the secret is manually changed: in that case, OpenTofu/Terraform will
do nothing to reconcile or restore the value.

## Properly enforcing a secret value

To solve this issue, the stage of the managed secret version needs to be
enforced. Given the following basic resources that generate a random password
and a secret:

``` hcl
resource "random_password" "main" {
length = 64
}

resource "aws_secretsmanager_secret" "main" {
name = "secret"
}
```

A secret version stage can be enforced with:

``` hcl
resource "aws_secretsmanager_secret_version" "main" {
secret_id = aws_secretsmanager_secret.main.id
secret_string = random_password.main.result
version_stages = ["AWSCURRENT"]
}
```

The important attribute in the context of this article is `version_stages`.
Though optional and not mentioned in [the example usages of the resource's
documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version),
it is what properly enforces this secret's value as the current version.

## Conclusion

I am in awe that I managed to go on for so many years without encountering this
particular issue! Systematically specifying the `version_stages` attribute in
all secret version resources is a boilerplate that I could have lived without,
but necessary to ensure reliability. I find solace knowing that any manual changes to a secret value performed
outside of OpenTofu/Terraform are now properly detected and corrected.
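Review bot: The "Properly enforcing a secret value" section asserts that `version_stages` is what enforces the value but never says why, so the Conclusion's claim that out-of-band changes are "properly detected and corrected" is not verifiable from the post as written. Suggest one sentence on what attribute of the managed version actually drifts in the plan once a new value is written outside of OpenTofu/Terraform, followed by the `plan` output for that scenario, so readers can confirm the behaviour in their own setup. The Conclusion should also spell out the consequence of "corrected": the next apply puts the OpenTofu/Terraform-managed value back, so a value changed or rotated outside of OpenTofu/Terraform is overwritten, not adopted; readers who rotate secrets by other means need to know this before adding `version_stages = ["AWSCURRENT"]` everywhere. Minor wording: "is a boilerplate that I could have lived without" reads better as "is boilerplate that I could have lived without".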