[Bug]: Importing aws_secretsmanager_secret_version causes recreation due to secret_id changing from arn to path #37937

Open
nitrocode opened this issue Jun 12, 2024 · 1 comment
Labels
bug Addresses a defect in current functionality. service/secretsmanager Issues and PRs that pertain to the secretsmanager service.

Comments

@nitrocode
Contributor

nitrocode commented Jun 12, 2024

Terraform Core Version

1.8.1

AWS Provider Version

5.53.0

Affected Resource(s)

  • aws_secretsmanager_secret_version

Expected Behavior

Import without recreation on a subsequent plan/apply

Actual Behavior

Import

terraform import \
  'aws_secretsmanager_secret_version.default["test"]' \
  'arn:aws:secretsmanager:us-east-1:snip:secret:devops/test/oidc-H0eZ70|terraform-20240612163038549200000002'

Plan

  # aws_secretsmanager_secret_version.default["test"] must be replaced
-/+ resource "aws_secretsmanager_secret_version" "default" {
      ~ arn            = "arn:aws:secretsmanager:us-east-1:snip:secret:devops/test/oidc-H0eZ70" -> (known after apply)
      ~ id             = "arn:aws:secretsmanager:us-east-1:snip:secret:devops/test/oidc-H0eZ70|terraform-20240612163038549200000002" -> (known after apply)
      ~ secret_id      = "arn:aws:secretsmanager:us-east-1:snip:secret:devops/test/oidc-H0eZ70" -> "devops/test/oidc" # forces replacement
      ~ version_id     = "terraform-20240612163038549200000002" -> (known after apply)
      ~ version_stages = [
          - "AWSCURRENT",
        ] -> (known after apply)
        # (1 unchanged attribute hidden)
    }

The secret_id wants to change from the full arn arn:aws:secretsmanager:us-east-1:snip:secret:devops/test/oidc-H0eZ70 to only the path devops/test/oidc.

I also tried modifying the secret_id by pulling the state, modifying, and pushing it back up. Same result.

I also tried deleting from the state and reimporting using only the path instead of the full arn and the import did not work.

Relevant Error/Panic Output Snippet

N/A

Terraform Configuration Files

resource "aws_secretsmanager_secret" "default" {
  for_each = okta_app_oauth.default

  name = "devops/${each.key}/oidc"

  force_overwrite_replica_secret = false
}

resource "aws_secretsmanager_secret_version" "default" {
  for_each = okta_app_oauth.default

  secret_id = aws_secretsmanager_secret.default[each.key].id
  secret_string = jsonencode({
    clientID     = each.value.client_id
    clientSecret = each.value.client_secret
  })
}

Steps to Reproduce

See above

Debug Output

N/A

Panic Output

N/A

Important Factoids

N/A

References

Would you like to implement a fix?

None
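
A CI guard for the replacement shown in the plan above, added here as an example and not part of the original issue or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and flags any `aws_secretsmanager_secret_version` that is replaced because `secret_id` changed from the secret's ARN to its bare name. The function name, the `moved` entry and the sample plan structure are constructed for illustration; the ARN and path are the ones from the issue.

```python
import json
import re
import sys

# Secrets Manager ARNs end in "<secret name>-<6 random characters>".
ARN_RE = re.compile(
    r"^arn:aws[\w-]*:secretsmanager:[^:]*:[^:]*:secret:(?P<name>.+)-[A-Za-z0-9]{6}$")
VERSION = "aws_secretsmanager_secret_version"

def arn_to_name_replacements(plan):
    """Return (address, before, after) for every secret version the plan
    replaces because secret_id flips from the secret's ARN to its bare name."""
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != VERSION:
            continue
        if set(change.get("actions", [])) != {"delete", "create"}:
            continue  # not a replacement
        if ["secret_id"] not in change.get("replace_paths", []):
            continue  # replacement forced by some other attribute
        before = (change.get("before") or {}).get("secret_id") or ""
        after = (change.get("after") or {}).get("secret_id")
        m = ARN_RE.match(before)
        if m and after == m.group("name"):
            hits.append((rc["address"], before, after))
    return hits

# Constructed sample in the shape of `terraform show -json` output. The first
# entry reuses the values from the issue's plan; the second points at a
# different secret, so it is a genuine change and must not be flagged.
ARN = "arn:aws:secretsmanager:us-east-1:snip:secret:devops/test/oidc-H0eZ70"
def _rc(key, before, after):
    return {"address": f'{VERSION}.default["{key}"]', "type": VERSION,
            "change": {"actions": ["delete", "create"],
                       "before": {"secret_id": before},
                       "after": {"secret_id": after},
                       "replace_paths": [["secret_id"]]}}
SAMPLE_PLAN = {"resource_changes": [
    _rc("test", ARN, "devops/test/oidc"),
    _rc("moved", ARN, "devops/other/oidc"),
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = arn_to_name_replacements(plan)
    for address, before, after in found:
        print(f"{address}: secret_id {before} -> {after} forces replacement")
    sys.exit(1 if found else 0)
```

Run with a plan JSON file as the only argument; a non-zero exit status means at least one secret version would be recreated for this reason.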

@nitrocode nitrocode added the bug Addresses a defect in current functionality. label Jun 12, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/secretsmanager Issues and PRs that pertain to the secretsmanager service. label Jun 12, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 12, 2024
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Jun 13, 2024