
Extend Secrets Manager Rotation Configuration #22969

Closed
fergoid opened this issue Feb 6, 2022 · 10 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/secretsmanager Issues and PRs that pertain to the secretsmanager service.

Comments

@fergoid
Contributor

fergoid commented Feb 6, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Presently the provider only supports configuring secrets rotation by using rotation_rules/automatically_after_days. In the AWS API it is also possible to set a Schedule Expression which is either a cron expression or a rate expression (e.g. rate(30 days)). The new Duration attribute that has been added recently to the rotation configuration only works with a schedule expression.

The schedule_expression and automatically_after_days configurations are mutually exclusive.

New or Affected Resource(s)

  • aws_secretsmanager_secret_rotation

Potential Terraform Configuration

rotation_rules {
  schedule_expression = "rate(30 days)"
  duration            = 2
}

rotation_rules {
  schedule_expression = "0 1 */30 * *"
  duration            = 2
}

References

@fergoid fergoid added the enhancement Requests to existing resources that expand the functionality or scope. label Feb 6, 2022
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/secretsmanager Issues and PRs that pertain to the secretsmanager service. labels Feb 6, 2022
@fergoid
Contributor Author

fergoid commented Feb 12, 2022

Also wondering whether we should add 'RotateImmediately' so you can change the configuration without invoking a rotation straight away?
https://docs.aws.amazon.com/sdk-for-go/api/service/secretsmanager/#RotateSecretInput

@DrFaust92 DrFaust92 removed the needs-triage Waiting for first response or review from a maintainer. label Feb 12, 2022
@fergoid
Contributor Author

fergoid commented Feb 21, 2022

I will pick this one up if no one objects. I've made most of the changes locally already.

@fergoid
Contributor Author

fergoid commented Mar 2, 2022

I have hit a bit of a roadblock on this and I think it is related to this part of the AWS API:
https://docs.aws.amazon.com/sdk-for-go/api/service/secretsmanager/#RotateSecretOutput

// In DescribeSecret and ListSecrets, this value is calculated from the rotation
// schedule after every successful rotation. In RotateSecret, you can set the
// rotation schedule in RotationRules with AutomaticallyAfterDays or ScheduleExpression,
// but not both.

My problem is basically that if I supply a schedule_expression as part of my configuration the create function performs a read at the end and I then have both the schedule_expression and automatically_after_days properties present in my resource. The test plan then thinks it did not complete successfully.

This output from the test probably illustrates it best:

make testacc TESTS=TestAccSecretsManagerSecretRotation_rate PKG=secretsmanager
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/secretsmanager/... -v -count 1 -parallel 20 -run='TestAccSecretsManagerSecretRotation_rate'  -timeout 180m
=== RUN   TestAccSecretsManagerSecretRotation_rate
=== PAUSE TestAccSecretsManagerSecretRotation_rate
=== CONT  TestAccSecretsManagerSecretRotation_rate
resourceSecretRotationCreate input: {
  RotationLambdaARN: "arn:aws:lambda:us-west-2:1234567890:function:tf-acc-test-846287439286965255-1",
  RotationRules: {
    ScheduleExpression: "rate(90 days)"
  },
  SecretId: "arn:aws:secretsmanager:us-west-2:1234567890:secret:tf-acc-test-846287439286965255-cobqG4"
}
resourceSecretRotationRead: {
  ARN: "arn:aws:secretsmanager:us-west-2:1234567890:secret:tf-acc-test-846287439286965255-cobqG4",
  CreatedDate: 2022-03-02 07:40:38.258 +0000 UTC,
  LastChangedDate: 2022-03-02 07:41:02.644 +0000 UTC,
  Name: "tf-acc-test-846287439286965255",
  RotationEnabled: true,
  RotationLambdaARN: "arn:aws:lambda:us-west-2:1234567890:function:tf-acc-test-846287439286965255-1",
  RotationRules: {
    AutomaticallyAfterDays: 90,
    ScheduleExpression: "rate(90 days)"
  },
  VersionIdsToStages: {
    6D2E25DA-9890-4254-A07C-F3394E344B7D: ["AWSPENDING"]
  }
}
*** Flattened rules: [map[automatically_after_days:90 schedule_expression:rate(90 days)]]
    secret_rotation_test.go:69: Step 1/2 error: After applying this test step, the plan was not empty.
        stdout:
        
        
        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place
        
        Terraform will perform the following actions:
        
          # aws_secretsmanager_secret_rotation.test will be updated in-place
          ~ resource "aws_secretsmanager_secret_rotation" "test" {
                id                  = "arn:aws:secretsmanager:us-west-2:1234567890:secret:tf-acc-test-846287439286965255-cobqG4"
                # (3 unchanged attributes hidden)
        
              ~ rotation_rules {
                  - automatically_after_days = 90 -> null
                    # (1 unchanged attribute hidden)
                }
            }
        
        Plan: 0 to add, 1 to change, 0 to destroy.
--- FAIL: TestAccSecretsManagerSecretRotation_rate (69.89s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-aws/internal/service/secretsmanager     88.256s
FAIL
make: *** [testacc] Error 1
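The read-after-create problem described in the comment above, as an added illustration in Go (not code from the provider or from the thread): a flatten helper that drops the calculated AutomaticallyAfterDays whenever schedule_expression came from the configuration, plus a toy diff check standing in for Terraform's planner. The RotationRules struct is a constructed stand-in for the SDK's RotationRulesType, and the 90-day values are taken from the test output above.

```go
package main
import (
	"fmt"
	"sort"
)

// RotationRules is a constructed stand-in for the SDK's RotationRulesType.
type RotationRules struct {
	AutomaticallyAfterDays *int64
	ScheduleExpression     *string
}

// flattenRotationRules builds the rotation_rules block written to state. DescribeSecret
// echoes a calculated AutomaticallyAfterDays even when rotation was configured with
// ScheduleExpression; keeping both yields the perpetual "automatically_after_days = 90 -> null"
// diff from the thread, so the calculated value is dropped when schedule_expression was configured.
func flattenRotationRules(rules *RotationRules, scheduleConfigured bool) []map[string]interface{} {
	if rules == nil {
		return nil
	}
	m := map[string]interface{}{}
	if rules.ScheduleExpression != nil {
		m["schedule_expression"] = *rules.ScheduleExpression
	}
	if rules.AutomaticallyAfterDays != nil && !scheduleConfigured {
		m["automatically_after_days"] = int(*rules.AutomaticallyAfterDays)
	}
	return []map[string]interface{}{m}
}

// diffKeys lists state attributes that are absent from, or differ from, the
// configuration: a simplified stand-in for what Terraform reports as a non-empty plan.
func diffKeys(config, state map[string]interface{}) []string {
	var out []string
	for k, v := range state {
		if cv, ok := config[k]; !ok || cv != v {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	days, expr := int64(90), "rate(90 days)" // values taken from the thread's test output
	rules := &RotationRules{AutomaticallyAfterDays: &days, ScheduleExpression: &expr}
	config := map[string]interface{}{"schedule_expression": expr}
	fmt.Println(diffKeys(config, flattenRotationRules(rules, false)[0])) // [automatically_after_days]
	fmt.Println(diffKeys(config, flattenRotationRules(rules, true)[0]))  // []
}
```

In the real provider the same effect is reached by treating automatically_after_days as Computed and only flattening it when the configuration did not set schedule_expression.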

@AndyLonghurstHESA

Is there any update on this please? I would really like to use a cron expression in Terraform for the aws_secretsmanager_secret_rotation resource. Thanks

@tnmetzger

Are there any updates on this issue? We would also really like to use a cron expression for the secrets rotation. Thanks!

@antnzl

antnzl commented Jan 24, 2023

Any updates on this issue/PR? Could really use this feature :)

@lukeemery

Adding my name to the list of people who would really benefit from this.

@tudoramariei

This seems to be a duplicate of #28016.
The feature has been made available in 4.62.0.

@ewbankkit ewbankkit self-assigned this Jun 28, 2023
@ewbankkit
Contributor

Closed via #30425.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 29, 2023