feat(blog): add secrets enforcing with terraform
All checks were successful
/ all (push) Successful in 1m7s

This commit is contained in:
Julien Dessaux 2025-07-08 00:17:06 +02:00
parent 7b1267ff06
commit 979e383df9
Signed by: adyxax
GPG key ID: F92E51B86E07177E

View file

@ -0,0 +1,61 @@
---
title: Enforcing AWS Secret version with OpenTofu/Terraform
description: A common pitfall
date: 2025-07-08
tags:
- AWS
- OpenTofu
- Terraform
---
## Introduction
Managing secrets in AWS is a common task. It is therefore surprising that the
default `aws_secretsmanager_secret_version` usage does not properly enforce a
secret value.
At first glance, it appears to enforce secret versions properly because updating
the secret's value results in an updated AWS secret version accordingly.
Furthermore, if the secret is deleted then OpenTofu/Terraform will recreate it
with the proper value as well! However, the unexpected behavior occurs when the
value of the secret is manually changed: in that case, OpenTofu/Terraform will
do nothing to reconcile or restore the value.
## Properly enforcing a secret value
To solve this issue, the stage of the managed secret version needs to be
enforced. Given the following basic resources that generate a random password
and a secret:
``` hcl
resource "random_password" "main" {
length = 64
}
resource "aws_secretsmanager_secret" "main" {
name = "secret"
}
```
A secret version stage can be enforced with:
``` hcl
resource "aws_secretsmanager_secret_version" "main" {
secret_id = aws_secretsmanager_secret.main.id
secret_string = random_password.main.result
version_stages = ["AWSCURRENT"]
}
```
The important attribute in the context of this article is `version_stages`.
Though optional and not mentioned in [the example usages of the resource's
documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version),
it is what properly enforces this secret's value as the current version.
## Conclusion
I am in awe that I managed to go on for so many years without encountering this
particular issue! Systematically specifying the `version_stages` attribute in
all secret version resources is a boilerplate that I could have lived without,
but necessary to ensure reliability. I find solace knowing that any manual changes to a secret value performed
outside of OpenTofu/Terraform are now properly detected and corrected.