-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for AWS::SecretsManager::SecretTargetAttachment #9183
Comments
Currently working around this by having the The secret itself is deployed as a CloudFormation stack because that causes its ID to be slightly randomized - thus allowing for testing by repeated |
@pwong-rms You can randomize the name with the |
@anGie44 Please re-consider this issue priority. |
Any news on this? |
Also waiting for this feature. It really blocks normal automation with terraform. |
2023 Bump |
+1 |
3 similar comments
+1 |
+1 |
+1 |
This may largely be addressed for RDS resources with the support for |
I disagree. |
Yes, |
agreed - typically we prefer to have the whole set of information about a cluster that SecretTargetAttachment provides which includes endpoint/host information. 1)create db w/ manually created secret: |
Hello everyone - after researching this issue we've composed a design decision document with our findings. The complete document is viewable in #34208, and the proposal section is included below for reference:
Since we're proposing to close this issue, we're planning to leave this issue and the corresponding design document open for two weeks (through 11/15/2023) in order to allow time for community feedback. If you believe there is a viable option for implementing this functionality with publicly available APIs, please leave a review! On a related note - while researching this issue we've added support for modifying managed secret rotation schedules and support for managed passwords with Redshift clusters. Both will be available in |
Hello - We haven't received any objections to the proposal linked above, so we will be marking it as accepted and merging the design document. We will also close this issue, and recommend users pursue the methods outlined in the proposal to achieve this functionality with existing Terraform resources. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
This issue was originally opened by pwong-rms as hashicorp/terraform#21903. It was migrated here as a result of the provider split. The original body of the issue is below.
Current Terraform Version
Use-cases
We are converting from CloudFormation to Terraform. We create a secret with username and password in AWS Secrets Manager, then create a RDS DB instance (not cluster), then use the secret target attachment to attach the secret to the DB instance. This then results in AWS populating the secret with additional information.
Then, we use a rotation schedule and lambda to update the secret. Because the secret is attached to the DB instance, it automatically changes the DB instance's password to match.
The example given here for "Creating a Secret and an RDS DB Instance" is basically what we have in CF: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html
Attempted Solutions
Attempted solutions:
keeper
for a random string resource. But, because the local file's contents are not known until afterapply
, it forces downstream resources to update every time.formatdate("YYYY-MM", timestamp())
as akeeper
for the random string resource. But this too is not known until afterapply
.Proposal
New resource type:
aws_secretsmanager_secret_target_attachment
- supporting all features described here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.htmlAlso a new input for
aws_db_instance
taking a secret's ID / ARN, to implicitly create the secret target attachment.References
The text was updated successfully, but these errors were encountered: