
Terraform | Secrets Manager | Reuse of existing secrets without deleting


I am creating secrets in AWS using Terraform code. My Jenkins pipeline creates the infrastructure every 2 hours and then destroys it. When the infrastructure is re-created after 2 hours, AWS Secrets Manager does not allow me to re-create the secret and throws the error below. Please suggest.

Error: error creating Secrets Manager Secret: InvalidRequestException: You can't create this secret because a secret with this name is already scheduled for deletion.
    status code: 400, request id: e4f8cc85-29a4-46ff-911d-c5115716adc5

TF code:-

# Secret container; no recovery_window_in_days is set, so the 30-day default applies
resource "aws_secretsmanager_secret" "secret" {
  description = var.environment
  kms_key_id  = data.aws_kms_key.sm.arn
  name        = "${var.environment}-airflow-secret"
}

# Generated RDS password
resource "random_string" "rds_password" {
  length  = 16
  special = true
}

# Secret value stored as a JSON document
resource "aws_secretsmanager_secret_version" "secret" {
  secret_id     = aws_secretsmanager_secret.secret.id
  secret_string = <<EOF
{
  "rds_password": "${random_string.rds_password.result}"
}
EOF
}

TF code plan output:-

  # module.aws_af_aws_secretsmanager_secret.secret will be created
  + resource "aws_secretsmanager_secret" "secret" {
      + arn                     = (known after apply)
      + description             = "dev-airflow-secret"
      + id                      = (known after apply)
      + kms_key_id              = "arn:aws:kms:eu-central-1"
      + name                    = "dev-airflow-secret"
      + name_prefix             = (known after apply)
      + recovery_window_in_days = 30
      + rotation_enabled        = (known after apply)
    }

  # module.aws_af.aws_secretsmanager_secret_version.secret will be created
  + resource "aws_secretsmanager_secret_version" "secret" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

Solution

  • You need to set the recovery window to 0 for immediate deletion of secrets.

    https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#recovery_window_in_days

    recovery_window_in_days - (Optional) Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    But this parameter will be evaluated only at the next terraform destroy command. If you already issued a terraform destroy, you will need to clean up the resources manually before Terraform can apply the configuration again. See here for CLI.

    To force-delete only the secrets on an existing deployment, you may issue a targeted destroy after having updated your code:

    terraform destroy -target=aws_secretsmanager_secret.my_secret
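
The configuration from the question with the recovery window applied, as an added example that is not part of the original question or answer. The `ephemeral` variable and the KMS alias are hypothetical, and `random_password` and `jsonencode` are substitutions for the question's `random_string` and heredoc:

```hcl
# Hypothetical toggle (not in the original post): true for throwaway
# environments that a pipeline destroys and re-creates on a schedule.
variable "ephemeral" {
  type    = bool
  default = false
}

variable "environment" {
  type = string
}

# Placeholder lookup; the post does not show how data.aws_kms_key.sm is defined.
data "aws_kms_key" "sm" {
  key_id = "alias/placeholder-key"
}

resource "aws_secretsmanager_secret" "secret" {
  name        = "${var.environment}-airflow-secret"
  description = var.environment
  kms_key_id  = data.aws_kms_key.sm.arn

  # 0 deletes the secret immediately on destroy, which frees the name for the
  # next pipeline run. Keep the 30-day default wherever an accidental destroy
  # must stay recoverable.
  recovery_window_in_days = var.ephemeral ? 0 : 30
}

# random_password marks its result as sensitive, so it is redacted in plan
# output. The value is still written to the Terraform state file.
resource "random_password" "rds_password" {
  length  = 16
  special = true
}

resource "aws_secretsmanager_secret_version" "secret" {
  secret_id     = aws_secretsmanager_secret.secret.id
  secret_string = jsonencode({ rds_password = random_password.rds_password.result })
}

# If an earlier destroy already scheduled the secret for deletion, free the
# name once by hand before the next apply (constructed secret name):
#   aws secretsmanager delete-secret --secret-id dev-airflow-secret \
#     --force-delete-without-recovery
```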