diff --git a/providers-sdk/v1/vault/awssecretsmanager/secretsmanager.go b/providers-sdk/v1/vault/awssecretsmanager/secretsmanager.go
index 4ee77b1483..6c1f4d9791 100644
--- a/providers-sdk/v1/vault/awssecretsmanager/secretsmanager.go
+++ b/providers-sdk/v1/vault/awssecretsmanager/secretsmanager.go
@@ -5,9 +5,11 @@ package awssecretsmanager
 import (
 	"context"
+	"errors"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/rs/zerolog/log"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/vault"
@@ -88,6 +90,29 @@ func (v *Vault) Set(ctx context.Context, cred *vault.Secret) (*vault.SecretID, e
 		SecretBinary: cred.Data,
 		KmsKeyId: kmsKeyID,
 	})
+	if err != nil {
+		var aerr *types.ResourceExistsException
+		if errors.As(err, &aerr) {
+			return v.updateSecret(ctx, cred)
+		}
+
+		return nil, err
+	}
+
+	return &vault.SecretID{Key: *o.ARN}, err
+}
+
+func (v *Vault) updateSecret(ctx context.Context, cred *vault.Secret) (*vault.SecretID, error) {
+	var kmsKeyID *string
+	if len(v.kmsKeyID) > 0 {
+		kmsKeyID = &v.kmsKeyID
+	}
+
+	c := secretsmanager.NewFromConfig(v.cfg)
+	o, err := c.UpdateSecret(ctx, &secretsmanager.UpdateSecretInput{
+		SecretBinary: cred.Data,
+		KmsKeyId: kmsKeyID,
+	})
 	if err != nil {
 		return nil, err
 	}
diff --git a/providers-sdk/v1/vault/awssecretsmanager/secretsmanager_test.go b/providers-sdk/v1/vault/awssecretsmanager/secretsmanager_test.go
index ed45c8798b..8e361d7704 100644
--- a/providers-sdk/v1/vault/awssecretsmanager/secretsmanager_test.go
+++ b/providers-sdk/v1/vault/awssecretsmanager/secretsmanager_test.go
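Review bot: The `UpdateSecretInput` built in `updateSecret` carries no `SecretId`, so the fallback taken on `ResourceExistsException` cannot address the existing secret — `SecretId` is a required member and the SDK's client-side input validation rejects the call before any request goes out, meaning Set would return that validation error instead of overwriting. Pass the same identifier Set hands to CreateSecret (its `Name` field sits above the hunk, presumably from `cred.Key`): `SecretId: aws.String(cred.Key),` next to `SecretBinary`. Set now silently replaces the value of an existing secret on a name collision, which the integration test relies on; a doc comment such as `// Set creates the secret, or overwrites the value of an existing secret with the same name.` should say so. The return statement of `updateSecret` lies past the end of the hunk, and `return &vault.SecretID{Key: *o.ARN}, err` in Set returns a known-nil error and reads more clearly as `nil`.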
@@ -32,3 +32,27 @@ func TestAwsSecretsManager(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, cred.Data, get.Data)
 }
+
+func TestAwsSecretsManagerOverwrite(t *testing.T) {
+	ctx := context.Background()
+	cfg, err := config.LoadDefaultConfig(ctx)
+	require.NoError(t, err)
+	v := New(cfg, WithKmsKey("alias/aws/secretsmanager"))
+
+	cred := &vault.Secret{
+		Data: []byte("my-secret-data"),
+		Key: "mik-test-secret-2",
+	}
+	s, err := v.Set(ctx, cred)
+	require.NoError(t, err)
+	get, err := v.Get(ctx, &vault.SecretID{Key: s.Key})
+	require.NoError(t, err)
+	assert.Equal(t, cred.Data, get.Data)
+
+	cred.Data = []byte("my-even-more-secret-data")
+	s, err = v.Set(ctx, cred)
+	require.NoError(t, err)
+	get, err = v.Get(ctx, &vault.SecretID{Key: s.Key})
+	require.NoError(t, err)
+	assert.Equal(t, cred.Data, get.Data)
+}
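Review bot: TestAwsSecretsManagerOverwrite leaves `mik-test-secret-2` behind in the target account — nothing deletes it after the assertions — so on any rerun the first `v.Set` already hits the existing secret and the create→update transition the test is meant to cover is only exercised once, on a fresh account. Register a cleanup that force-deletes the secret so every run starts from the create path; if the Vault type exposes no delete, that has to go through the SDK client directly, as sketched below. Like the existing test above it, this one needs real credentials from `config.LoadDefaultConfig` and fails rather than skips where none are configured, so a guard such as `if os.Getenv("AWS_INTEGRATION_TEST") == "" { t.Skip("needs AWS credentials") }` at the top keeps it out of plain unit runs.
```go
	// … unchanged: ctx/cfg/v/cred setup …
	t.Cleanup(func() {
		_, err := secretsmanager.NewFromConfig(cfg).DeleteSecret(ctx, &secretsmanager.DeleteSecretInput{
			SecretId:                   aws.String(cred.Key),
			ForceDeleteWithoutRecovery: aws.Bool(true),
		})
		if err != nil {
			t.Logf("cleanup of %s failed: %v", cred.Key, err)
		}
	})
	// … unchanged: Set/Get round trips and assertions …
```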