
[Bug]: Error when creating Secrets Manager Secret Rotation due to invalid name validation #39406

Open
asambon opened this issue Sep 19, 2024 · 1 comment
Labels
bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. service/rds Issues and PRs that pertain to the rds service. service/secretsmanager Issues and PRs that pertain to the secretsmanager service.

Comments

@asambon

asambon commented Sep 19, 2024

Terraform Core Version

1.8.3

AWS Provider Version

5.49.0

Affected Resource(s)

  1. resource aws_rds_cluster
  2. data external
  3. resource aws_secretsmanager_secret_rotation

Expected Behavior

The secret should be created successfully with the specified name and rotation configuration, as long as the name contains only valid characters (alphanumeric characters, or any of the following: -/_+=.@!).

Actual Behavior

The creation of the secret fails with a ValidationException, claiming the name is invalid despite containing only valid characters.

Relevant Error/Panic Output Snippet

Error: creating Secrets Manager Secret Rotation (): operation error Secrets Manager: RotateSecret, https response error StatusCode: 400, RequestID: f65503b7-1e21-49d1-9d26-22c8c6a78d2b, api error ValidationException: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
│
│ with module.backend.module.provisioned_aurora_0_virginia.aws_secretsmanager_secret_rotation.this[0],
│ on .terraform/modules/backend.provisioned_aurora_0_virginia/main.tf line 374, in resource "aws_secretsmanager_secret_rotation" "this":
│ 374: resource "aws_secretsmanager_secret_rotation" "this" {

Terraform Configuration Files

resource "aws_rds_cluster" "this" {
  count                           = var.create_cluster ? 1 : 0
  cluster_identifier              = var.use_cluster_instance_prefix == false ? var.identifier : null
  cluster_identifier_prefix       = var.use_cluster_instance_prefix == false ? null : "${var.identifier}-"
  deletion_protection             = var.enable_cluster_deletion_protection
  master_username                 = var.replication_source_identifier != null ? null : var.master_username
  source_region                   = var.source_region
  final_snapshot_identifier       = "${var.identifier}-final-snapshot"
  skip_final_snapshot             = true
  availability_zones              = var.azs
  backup_retention_period         = var.backup_retention_period
  preferred_backup_window         = local.preferred_backup_window
  preferred_maintenance_window    = local.preferred_maintenance_window
  vpc_security_group_ids          = [element(concat(aws_security_group.this.*.id, [""]), 0)]
  storage_encrypted               = true
  replication_source_identifier   = var.replication_source_identifier
  apply_immediately               = true
  db_subnet_group_name            = local.db_subnet_group_name_id
  db_cluster_parameter_group_name = local.cluster_parameter_group_name_id
  kms_key_id                      = var.create_kms ? aws_kms_key.this[0].arn : var.kms_arn
  engine                          = var.engine
  engine_mode                     = var.engine_mode
  engine_version                  = var.engine_version
  enable_http_endpoint            = var.enable_http_endpoint
  enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
  snapshot_identifier             = var.snapshot_identifier
  global_cluster_identifier       = var.global_cluster_identifier
  database_name                   = var.database_name != null ? var.database_name : null
  allow_major_version_upgrade     = var.allow_major_version_upgrade
  # RDS creates and owns the master user secret in Secrets Manager.
  manage_master_user_password     = true

  lifecycle {
    ignore_changes = [
      engine_version,
    ]
  }
}

# Looks up the ARN of the RDS-managed master user secret; the rotation
# resource below uses it as secret_id.
data "external" "secret_arn" {
  count   = var.create_cluster ? 1 : 0
  program = ["bash", "-c", "echo $(aws rds describe-db-clusters --db-cluster-identifier ${element(concat(aws_rds_cluster.this.*.id, [""]), 0)} --output json | jq -r '{secret_arn: .DBClusters[0].MasterUserSecret.SecretArn}')"]
}

resource "aws_secretsmanager_secret_rotation" "this" {
  # checkov:skip=CKV2_AWS_34:The parameter type is String not SecureString
  # checkov:skip=CKV_AWS_337:The parameter type is String and using default KMS key
  # checkov:skip=CKV_AWS_304:Ensure Secrets Manager secrets should be rotated within 90 days

  count     = var.create_cluster ? 1 : 0
  secret_id = element(concat(data.external.secret_arn.*.result.secret_arn, [""]), 0)

  rotation_rules {
    schedule_expression = var.secret_rotation_cron
  }
}

Steps to Reproduce

terraform init
terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

Automatic secret rotation was enabled, but the issue occurred in our production environment where we have provisioned Aurora instances. The error seems to happen when updates are made in addition to the automatic secret rotation. This behavior is not present in our non-production environments.

References

No response

Would you like to implement a fix?

None

@asambon asambon added the bug Addresses a defect in current functionality. label Sep 19, 2024
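As an added check (not part of the reporter's configuration or of the provider), the script below extracts MasterUserSecret.SecretArn from describe-db-clusters output the way the external data source's jq filter does, returns None instead of an empty string when the managed secret is absent (the empty "()" in the error above), and validates the identifier against the name rule quoted in the ValidationException before it would ever reach RotateSecret. The ARN shape and the two sample responses are assumed and constructed here, not taken from the issue.

```python
import json
import re

# Secret name rule quoted in the ValidationException on this page:
# alphanumeric characters or any of -/_+=.@!
NAME_RE = re.compile(r"^[A-Za-z0-9/_+=.@!-]+$")
# SecretId also accepts a full ARN; this shape is an assumption of the example:
# arn:<partition>:secretsmanager:<region>:<account>:secret:<name>-<suffix>
ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@!-]+$"
)


def master_user_secret_arn(describe_output: str):
    """Return DBClusters[0].MasterUserSecret.SecretArn, or None when the
    cluster has no managed secret yet, so '' never becomes secret_id."""
    doc = json.loads(describe_output)
    clusters = doc.get("DBClusters") or []
    if not clusters:
        return None
    arn = (clusters[0].get("MasterUserSecret") or {}).get("SecretArn")
    return arn if isinstance(arn, str) and arn else None


def valid_secret_id(secret_id) -> bool:
    """True if secret_id is a well-formed name or ARN; '' (the concat(..., [""])
    fallback in the configuration) fails, which is what the '()' error shows."""
    if not secret_id:
        return False
    return bool(ARN_RE.match(secret_id) or NAME_RE.match(secret_id))


# Constructed sample responses (no real account data).
WITH_SECRET = json.dumps({"DBClusters": [{
    "DBClusterIdentifier": "example-aurora",
    "MasterUserSecret": {
        "SecretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:rds!cluster-0000-example-AbCdEf",
        "SecretStatus": "active",
    },
}]})
WITHOUT_SECRET = json.dumps({"DBClusters": [{"DBClusterIdentifier": "example-aurora"}]})

if __name__ == "__main__":
    for label, body in (("managed", WITH_SECRET), ("no managed secret", WITHOUT_SECRET)):
        arn = master_user_secret_arn(body)
        print(f"{label}: secret_id={arn!r} valid={valid_secret_id(arn)}")
```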

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/rds Issues and PRs that pertain to the rds service. service/secretsmanager Issues and PRs that pertain to the secretsmanager service. needs-triage Waiting for first response or review from a maintainer. labels Sep 19, 2024