aws_secretsmanager_secret_version performs lookup when using write-only arguments

[gr-georgeshort]

Terraform and AWS Provider Version

1.11.4

Affected Resource(s) or Data Source(s)

aws_secretsmanager_secret_version

Expected Behavior

It may be my misunderstanding of the expected behaviour so apologies in advance if so but when using write-only arguments I believe that the resource shouldn't attempt to read the secret value when performing a plan.

Actual Behavior

The provider attempts to perform secretsmanager:GetSecretValue on the resource during plan.

Relevant Error/Panic Output

Error: reading Secrets Manager Secret Version (arn:aws:secretsmanager:eu-west-1:123456789999:secret:example-password|*): operation error Secrets Manager: GetSecretValue, https response error StatusCode: 400, RequestID: e0821cc1-dd6f-4a28-b138-a5e38749743c, api error AccessDeniedException: User: arn:aws:sts::123456789999:assumed-role/my-read-only-role is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:eu-west-1:123456789999:secret:example-password because no identity-based policy allows the secretsmanager:GetSecretValue action

Sample Terraform Configuration

Click to expand configuration

ephemeral "random_password" "example_password" {
  length           = 16
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "aws_secretsmanager_secret" "example_password" {
  name = "example-password"
}

resource "aws_secretsmanager_secret_version" "example_password" {
  secret_id                = aws_secretsmanager_secret.example_password.id
  secret_string_wo         = ephemeral.random_password.example_password.result
  secret_string_wo_version = 1
}

Steps to Reproduce

1. Run plan and apply to create initial secret version
2. Run plan again for provider to attempt to perform secretsmanager:GetSecretValue action

Debug Logging

Click to expand log output

GenAI / LLM Assisted Development

n/a

Important Facts and References

We are using dynamic provider credentials within Terraform Enterprise and are splitting plan / apply roles into read-only and read-write respectively. This functionality as a result is causing a problem for us as the read-only role used for plans does not have secretsmanager:GetSecretValue permission available.

Would you like to implement a fix?

No

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.

[drewmullen]

One possible solution to this could be modifying the Read() function. If a wo attribute is passed then use list-secrets API instead of read API. This would allow checking to see if the secret exists and setting other values (not the secret value) for diff purposes... all without requiring reading the secret

This hasnt been tested and might not work and the implementation would have to be accepted by the provider dev team. Also, the implementer would need to validate that the values returned by list overlap with read enough to satisfy.