Enforcing AWS Secret version with OpenTofu/Terraform
A common pitfall
2025-07-08
Introduction
Managing secrets in AWS is a common task. It is therefore surprising that the default aws_secretsmanager_secret_version usage does not properly enforce a secret value.
At first glance, it appears to enforce secret versions properly: updating the secret's value in the configuration results in an updated AWS secret version, and if the secret is deleted, OpenTofu/Terraform recreates it with the proper value. The unexpected behavior occurs when the value of the secret is manually changed outside the configuration. In that case, OpenTofu/Terraform does nothing to reconcile or restore the value.
Properly enforcing a secret value
To solve this issue, the stage of the managed secret version needs to be enforced. Given the following basic resources that generate a random password and a secret:
    # Random value that will become the secret's content.
    resource "random_password" "main" {
      length = 64
    }

    # The secret container; the value lives in versions of this secret.
    resource "aws_secretsmanager_secret" "main" {
      name = "secret"
    }
A secret version stage can be enforced with:
    resource "aws_secretsmanager_secret_version" "main" {
      secret_id     = aws_secretsmanager_secret.main.id
      secret_string = random_password.main.result
      # Pin the managed version to the AWSCURRENT stage so losing it is drift.
      version_stages = ["AWSCURRENT"]
    }
The important attribute in the context of this article is version_stages. Though optional and not mentioned in the example usages of the resource's documentation, it is what properly enforces this secret's value as the current version. The resource tracks the specific version it created; a manual change creates a new version that takes over the AWSCURRENT stage while the managed version still exists, so without version_stages nothing appears to be out of place. With the stage recorded in the configuration, the managed version no longer holding AWSCURRENT is detected as drift and corrected on the next apply.
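The complete configuration, as an added example that is not the article's own code: it repeats the three resources above with version_stages set, and adds a check block that reads back whatever AWSCURRENT currently points to and compares it with the value the configuration expects, so a manual change is also reported during plan rather than only corrected during apply. The check block is my addition and assumes Terraform 1.5 or later (or an OpenTofu release with check block support) and the hashicorp/aws and hashicorp/random providers; the check name and error message are placeholders.

```hcl
terraform {
  # Assumption: check blocks require Terraform >= 1.5 (or OpenTofu with check support).
  required_version = ">= 1.5.0"
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }
}

# Random value that becomes the secret's content.
resource "random_password" "main" {
  length = 64
}

# The secret container; values are stored as versions of this secret.
resource "aws_secretsmanager_secret" "main" {
  name = "secret"
}

# The managed version, pinned to the AWSCURRENT stage as the article describes.
# If a manual put-secret-value moves AWSCURRENT to another version, this
# resource shows drift and is corrected on the next apply.
resource "aws_secretsmanager_secret_version" "main" {
  secret_id      = aws_secretsmanager_secret.main.id
  secret_string  = random_password.main.result
  version_stages = ["AWSCURRENT"]
}

# Added drift check (not in the article): read the live AWSCURRENT value and
# compare it with the configured one. A mismatch surfaces as a check warning in
# plan and apply output, independent of the resource's own reconciliation.
check "current_stage_matches_configuration" {
  data "aws_secretsmanager_secret_version" "current" {
    secret_id = aws_secretsmanager_secret.main.id
    # version_stage defaults to AWSCURRENT, which is the stage we care about.
  }

  assert {
    condition     = data.aws_secretsmanager_secret_version.current.secret_string == random_password.main.result
    error_message = "AWSCURRENT of ${aws_secretsmanager_secret.main.name} differs from the configured value; it was changed outside OpenTofu/Terraform."
  }
}
```

On the very first plan the secret does not exist yet, so the check reports a warning rather than failing the run; check blocks never block a plan or apply, which is why the version_stages attribute on the resource remains the mechanism that actually restores the value, and the check is only a visible signal.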
Conclusion
I am in awe that I managed to go on for so many years without encountering this particular issue! Systematically specifying the version_stages attribute in all secret version resources is a boilerplate that I could have lived without, but necessary to ensure reliability. I find solace knowing that any manual changes to a secret value performed outside of OpenTofu/Terraform are now properly detected and corrected.