feat(blog): add secrets enforcing with terraform
All checks were successful
/ all (push) Successful in 1m7s
This commit is contained in:
parent
7b1267ff06
commit
979e383df9
1 changed files with 61 additions and 0 deletions
61
content/blog/aws/secrets-2.md
Normal file
@ -0,0 +1,61 @@
---
title: Enforcing AWS Secret version with OpenTofu/Terraform
description: A common pitfall
date: 2025-07-08
tags:
- AWS
- OpenTofu
- Terraform
---

## Introduction

Managing secrets in AWS is a common task. It is therefore surprising that the
default `aws_secretsmanager_secret_version` usage does not properly enforce a
secret value.

At first glance, it appears to enforce secret versions properly because updating
the secret's value results in an updated AWS secret version accordingly.
Furthermore, if the secret is deleted then OpenTofu/Terraform will recreate it
with the proper value as well! However, the unexpected behavior occurs when the
value of the secret is manually changed: in that case, OpenTofu/Terraform will
do nothing to reconcile or restore the value.

## Properly enforcing a secret value

To solve this issue, the stage of the managed secret version needs to be
enforced. Given the following basic resources that generate a random password
and a secret:

``` hcl
resource "random_password" "main" {
length = 64
}

resource "aws_secretsmanager_secret" "main" {
name = "secret"
}
```

A secret version stage can be enforced with:

``` hcl
resource "aws_secretsmanager_secret_version" "main" {
secret_id = aws_secretsmanager_secret.main.id
secret_string = random_password.main.result
version_stages = ["AWSCURRENT"]
}
```

The important attribute in the context of this article is `version_stages`.
Though optional and not mentioned in [the example usages of the resource's
documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version),
it is what properly enforces this secret's value as the current version.

## Conclusion

I am in awe that I managed to go on for so many years without encountering this
particular issue! Systematically specifying the `version_stages` attribute in
all secret version resources is a boilerplate that I could have lived without,
but necessary to ensure reliability. I find solace knowing that any manual changes to a secret value performed
outside of OpenTofu/Terraform are now properly detected and corrected.
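Review bot: The conclusion (last paragraph of the hunk) says manual changes are "detected and corrected", but the post never shows what the plan reports when `version_stages` drifts, nor whether the manually created version is removed or merely loses the AWSCURRENT stage and stays retrievable under another stage or by version id; a sentence or a short plan excerpt after the second code block would make the guarantee precise for readers who rely on it. Worth a caveat in the same section: with `secret_string = random_password.main.result` the plaintext value is recorded in the state file, so the state backend needs the same access controls and encryption as the secret itself. Minor: the fences are written as ``` hcl with a space before the language, which some renderers do not treat as a language tag, and "is a boilerplate that I could have lived without" should read "is boilerplate that I could have lived without".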