I am creating secrets in AWS using Terraform code. My Jenkins pipeline creates the infrastructure every 2 hours and then destroys it. When the infrastructure is re-created after 2 hours, AWS Secrets Manager does not allow me to re-create the secret and throws the error below. Please suggest.

Error: error creating Secrets Manager Secret: InvalidRequestException: You can't create this secret because a secret with this name is already scheduled for deletion.
    status code: 400, request id: e4f8cc85-29a4-46ff-911d-c5115716adc5

TF code:

# Secret container; the name is fixed per environment, so a re-created
# environment asks Secrets Manager for exactly the same name every run.
resource "aws_secretsmanager_secret" "secret" {
  description = var.environment
  kms_key_id  = data.aws_kms_key.sm.arn
  name        = "${var.environment}-airflow-secret"
}

# Random RDS password generated on every apply.
resource "random_string" "rds_password" {
  length  = 16
  special = true
}

# Secret value, stored as a JSON document.
resource "aws_secretsmanager_secret_version" "secret" {
  secret_id = aws_secretsmanager_secret.secret.id
  secret_string = jsonencode({
    rds_password = random_string.rds_password.result
  })
}

TF plan output:

  # module.aws_af_aws_secretsmanager_secret.secret will be created
  + resource "aws_secretsmanager_secret" "secret" {
      + arn                     = (known after apply)
      + description             = "dev-airflow-secret"
      + id                      = (known after apply)
      + kms_key_id              = "arn:aws:kms:eu-central-1"
      + name                    = "dev-airflow-secret"
      + name_prefix             = (known after apply)
      + recovery_window_in_days = 30
      + rotation_enabled        = (known after apply)
    }

  # module.aws_af.aws_secretsmanager_secret_version.secret will be created
  + resource "aws_secretsmanager_secret_version" "secret" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }
asur
    If you need to force a deletion of the secret, [follow the instructions here to do so using AWS CLI](https://aws.amazon.com/premiumsupport/knowledge-center/delete-secrets-manager-secret/). Once done so, be sure to use the `recovery_window_in_days` option in your Terraform configuration as mentioned in the answer. – ADTC Nov 15 '21 at 16:16

1 Answer

You need to set the recovery window to 0 for immediate deletion of secrets.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#recovery_window_in_days

recovery_window_in_days - (Optional) Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

FrankyFred
New link to [recovery_window_in_days](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#recovery_window_in_days) – trueCamelType Jan 04 '22 at 00:28

By any chance, does setting `recovery_window_in_days` to 0 after it has been marked for deletion force delete it? – Touré Holder Jun 08 '22 at 20:49

Just tested that via Terraform, and the answer is no. It does not force delete existing resources. Follow this link for help with the force deletion of secrets that have already been scheduled: https://aws.amazon.com/premiumsupport/knowledge-center/delete-secrets-manager-secret/ – Zhivko Draganov Aug 30 '22 at 07:32
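The following is an added example, not code from the question or the answer above. It puts the default (recoverable) secret configuration next to the one that fixes the pipeline's error, and shows a third option that keeps the recovery window and still avoids the name clash. It assumes the same `var.environment` and `data.aws_kms_key.sm` as the question; the resource labels, the `random_password` resource (from the hashicorp/random provider, used here instead of `random_string` because its result is marked sensitive) and the output name are this example's own choices.

```hcl
# Added example; not part of the original question or answer.
# Assumes var.environment and data.aws_kms_key.sm exist as in the question.

# Default behaviour: recovery_window_in_days is 30 when omitted. After
# `terraform destroy` the secret stays "scheduled for deletion" for that
# long, and the next `terraform apply` that requests the same name fails
# with InvalidRequestException ("already scheduled for deletion").
# Keep this form for secrets that the pipeline does not recycle: the
# waiting period is what lets you undo an accidental destroy.
resource "aws_secretsmanager_secret" "long_lived" {
  name        = "${var.environment}-db-master-password"
  description = "Long-lived secret, default 30-day recovery window"
  kms_key_id  = data.aws_kms_key.sm.arn
  # recovery_window_in_days omitted: default 30, allowed range 7..30
}

# Ephemeral secret re-created by the pipeline every two hours: force
# deletion without a recovery window so the name is free immediately.
# Trade-off: an accidental destroy cannot be undone. Acceptable here
# because the value is a freshly generated password that nothing else
# depends on once the environment is gone.
resource "aws_secretsmanager_secret" "ephemeral" {
  name                    = "${var.environment}-airflow-secret"
  description             = var.environment
  kms_key_id              = data.aws_kms_key.sm.arn
  recovery_window_in_days = 0
}

# Alternative that keeps the recovery window AND avoids the name clash:
# name_prefix makes Terraform append a unique suffix on every create.
# Consumers then have to read the name or ARN from an output instead of
# hard-coding "dev-airflow-secret".
resource "aws_secretsmanager_secret" "unique_name" {
  name_prefix = "${var.environment}-airflow-secret-"
  description = var.environment
  kms_key_id  = data.aws_kms_key.sm.arn
}

# random_password (not random_string) marks the result as sensitive, so
# it is redacted in plan output and state diffs.
resource "random_password" "rds_password" {
  length  = 16
  special = true
}

# jsonencode builds the JSON document and escapes any special character
# in the generated value, instead of hand-writing JSON in a heredoc.
resource "aws_secretsmanager_secret_version" "ephemeral" {
  secret_id = aws_secretsmanager_secret.ephemeral.id
  secret_string = jsonencode({
    rds_password = random_password.rds_password.result
  })
}

output "airflow_secret_arn" {
  value = aws_secretsmanager_secret.unique_name.arn
}
```

Setting `recovery_window_in_days = 0` only changes how Terraform deletes the secret on future destroys; it does nothing for a secret that is already scheduled for deletion, as the comments above confirm. Clear that one out of band once, with `aws secretsmanager delete-secret --secret-id dev-airflow-secret --force-delete-without-recovery`, and confirm the state beforehand with `aws secretsmanager describe-secret --secret-id dev-airflow-secret`, which reports a `DeletedDate` while the secret is still in its waiting period. After that the pipeline's next apply succeeds and every later destroy removes the secret immediately.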