[Bug]: Error when creating Secrets Manager Secret Rotation due to invalid name validation #39406
Labels
bug
Addresses a defect in current functionality.
needs-triage
Waiting for first response or review from a maintainer.
service/rds
Issues and PRs that pertain to the rds service.
service/secretsmanager
Issues and PRs that pertain to the secretsmanager service.
Terraform Core Version
1.8.3
AWS Provider Version
5.49.0
Affected Resource(s)
resource aws_rds_cluster
data external
resource aws_secretsmanager_secret_rotation
Expected Behavior
The secret should be created successfully with the specified name and rotation configuration, as long as the name contains only valid characters (alphanumeric characters, or any of the following: -/_+=.@!).
Actual Behavior
The creation of the secret fails with a ValidationException, claiming the name is invalid despite containing only valid characters.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
resource "aws_rds_cluster" "this" {
  count                           = var.create_cluster ? 1 : 0
  cluster_identifier              = var.use_cluster_instance_prefix == false ? var.identifier : null
  cluster_identifier_prefix       = var.use_cluster_instance_prefix == false ? null : "${var.identifier}-"
  deletion_protection             = var.enable_cluster_deletion_protection
  master_username                 = var.replication_source_identifier != null ? null : var.master_username
  source_region                   = var.source_region
  final_snapshot_identifier       = "${var.identifier}-final-snapshot"
  skip_final_snapshot             = true
  availability_zones              = var.azs
  backup_retention_period         = var.backup_retention_period
  preferred_backup_window         = local.preferred_backup_window
  preferred_maintenance_window    = local.preferred_maintenance_window
  # element(concat(list, [""]), 0) yields "" when the list is empty (e.g. count = 0)
  vpc_security_group_ids          = [element(concat(aws_security_group.this.*.id, [""]), 0)]
  storage_encrypted               = true
  replication_source_identifier   = var.replication_source_identifier
  apply_immediately               = true
  db_subnet_group_name            = local.db_subnet_group_name_id
  db_cluster_parameter_group_name = local.cluster_parameter_group_name_id
  kms_key_id                      = var.create_kms ? aws_kms_key.this[0].arn : var.kms_arn
  engine                          = var.engine
  engine_mode                     = var.engine_mode
  engine_version                  = var.engine_version
  enable_http_endpoint            = var.enable_http_endpoint
  enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
  snapshot_identifier             = var.snapshot_identifier
  global_cluster_identifier       = var.global_cluster_identifier
  database_name                   = var.database_name
  allow_major_version_upgrade     = var.allow_major_version_upgrade
  # Lets RDS create and manage the master user password as a Secrets Manager secret
  manage_master_user_password     = true

  lifecycle {
    ignore_changes = [
      engine_version,
    ]
  }
}

# Shells out to the AWS CLI to look up the ARN of the RDS-managed master user secret.
# The cluster identifier is interpolated into a "bash -c" command string, so any shell
# metacharacters in var.identifier would be executed by the shell; the unquoted
# echo $(...) also word-splits and re-joins jq's output before Terraform parses it.
data "external" "secret_arn" {
  count   = var.create_cluster ? 1 : 0
  program = ["bash", "-c", "echo $(aws rds describe-db-clusters --db-cluster-identifier ${element(concat(aws_rds_cluster.this.*.id, [""]), 0)} --output json | jq -r '{'secret_arn': .DBClusters[0].MasterUserSecret.SecretArn}')"]
}

resource "aws_secretsmanager_secret_rotation" "this" {
  # checkov:skip=CKV2_AWS_34:The parameter type is String not SecureString
  # checkov:skip=CKV_AWS_337:The parameter type is String and using default KMS key
  # checkov:skip=CKV_AWS_304:Ensure Secrets Manager secrets should be rotated within 90 days
  count     = var.create_cluster ? 1 : 0
  # Falls back to "" when the external lookup produced no result
  secret_id = element(concat(data.external.secret_arn.*.result.secret_arn, [""]), 0)

  rotation_rules {
    schedule_expression = var.secret_rotation_cron
  }
}
Steps to Reproduce
terraform init
terraform apply
Debug Output
No response
Panic Output
No response
Important Factoids
Automatic secret rotation was enabled, but the issue occurred in our production environment where we have provisioned Aurora instances. The error seems to happen when updates are made in addition to the automatic secret rotation. This behavior is not present in our non-production environments.
References
No response
Would you like to implement a fix?
None
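The same rotation resource written without the shell-out, as an added example that is not part of the issue or of the provider's code. With manage_master_user_password = true the aws_rds_cluster resource exposes the managed secret through its master_user_secret attribute, so the ARN can be read directly and checked before it is handed to Secrets Manager. It assumes the aws_rds_cluster.this resource, var.create_cluster and var.secret_rotation_cron from the configuration above, and Terraform 1.2 or later for the precondition block; the character class in the regex is the set quoted in the issue's expected behaviour.

```hcl
# Added example (not the reporter's configuration): take the managed master
# user secret ARN from the cluster resource instead of a bash -c lookup, which
# removes the shell interpolation of var.identifier and the echo/jq formatting
# step, and validate the value at plan time.

locals {
  # Only populated once the cluster exists with manage_master_user_password = true.
  master_secret_arn = var.create_cluster ? aws_rds_cluster.this[0].master_user_secret[0].secret_arn : ""
}

resource "aws_secretsmanager_secret_rotation" "this" {
  count     = var.create_cluster ? 1 : 0
  secret_id = local.master_secret_arn

  rotation_rules {
    schedule_expression = var.secret_rotation_cron
  }

  lifecycle {
    # Fail the plan with a readable message rather than a ValidationException
    # from the API: the value must be a non-empty Secrets Manager ARN whose
    # name part uses only alphanumerics or -/_+=.@! (no whitespace, no newlines).
    precondition {
      condition     = can(regex("^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[A-Za-z0-9/_+=.@!-]+$", local.master_secret_arn))
      error_message = "secret_id must be a Secrets Manager secret ARN with a valid name part; check the cluster's master_user_secret attribute."
    }
  }
}
```

Because the value now comes from resource state rather than from a shell pipeline, Terraform also gets a real dependency on the cluster and will not attempt the rotation resource before the secret ARN is known.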