Terraform AWS Provider: SecretsManager Error: "Version was deleted"
Problem:
You're trying to apply a Terraform configuration that interacts with AWS Secrets Manager, but you encounter an error saying "Version was deleted." This frustrating issue arises when Terraform tries to manage a secret version that no longer exists, often due to manual intervention or previous Terraform runs.
Scenario:
Imagine you're using Terraform to manage a secret called "my_secret" in Secrets Manager. Your configuration looks something like this:
    resource "aws_secretsmanager_secret" "my_secret" {
      name = "my_secret"
    }

    resource "aws_secretsmanager_secret_version" "secret_version" {
      secret_id     = aws_secretsmanager_secret.my_secret.id
      secret_string = "my_secret_value"
    }
You've applied this configuration successfully in the past, but now you're getting an error:
    Error: Error creating Secret Version: InvalidParameterException: The requested secret version does not exist
This happens because the secret version you're trying to manage has been deleted, either by accident or intentionally.
Analysis and Solutions:
- Identify the Deleted Version: Use the AWS Secrets Manager console or the AWS CLI to list the versions of your secret and see which version is missing. You can find the version ID in the Terraform state file.
- Reconcile with Terraform State: There are two primary approaches:
  - Delete and Recreate: If you no longer need the deleted secret version, simply remove the aws_secretsmanager_secret_version resource from your Terraform configuration. Run terraform apply to remove the resource from your infrastructure and update the state file.
  - Recreate the Secret Version: If you need the deleted secret version, recreate it manually using the AWS console or CLI. Then, update the secret_version resource in your Terraform configuration to use the newly created version ID. Run terraform apply to ensure Terraform manages the recreated version.
- Understand Version Rotation: AWS Secrets Manager allows for rotating secrets to improve security. If your Terraform configuration was using a specific version, ensure you're aware of any automatic rotation policies in place. You may need to update your Terraform configuration to manage the latest version after a rotation.
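The "Identify the Deleted Version" step can be scripted by comparing the version IDs recorded in state with what Secrets Manager reports. This is an added example, not code from the original article: it assumes saved output of terraform show -json and of aws secretsmanager list-secret-version-ids --include-deprecated (keyed by the secret_id value stored in state), and the sample data, IDs and function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json` output (IDs are made up).
STATE_JSON = """{"values": {"root_module": {"resources": [
  {"address": "aws_secretsmanager_secret_version.secret_version",
   "type": "aws_secretsmanager_secret_version",
   "values": {"secret_id": "my_secret", "version_id": "EXAMPLE-1111"}}],
  "child_modules": [{"resources": [
  {"address": "module.app.aws_secretsmanager_secret_version.db",
   "type": "aws_secretsmanager_secret_version",
   "values": {"secret_id": "db_secret", "version_id": "EXAMPLE-2222"}}]}]}}}"""

# Constructed sample: one `list-secret-version-ids --include-deprecated`
# response per secret, keyed by the secret_id found in state.
AWS_JSON = {
    "my_secret": '{"Versions": [{"VersionId": "EXAMPLE-9999", "VersionStages": ["AWSCURRENT"]}]}',
    "db_secret": '{"Versions": [{"VersionId": "EXAMPLE-2222"}]}',
}

def tracked_versions(module):
    """Yield (address, secret_id, version_id), recursing into child modules."""
    for res in module.get("resources", []):
        if res.get("type") == "aws_secretsmanager_secret_version":
            vals = res["values"]  # only the IDs are read; secret_string is never touched
            yield res["address"], vals["secret_id"], vals["version_id"]
    for child in module.get("child_modules", []):
        yield from tracked_versions(child)

def classify(state_json, aws_json_by_secret):
    """Map each tracked resource address to 'present', 'deprecated' or 'missing'."""
    root = json.loads(state_json).get("values", {}).get("root_module", {})
    report = {}
    for address, secret_id, version_id in tracked_versions(root):
        listing = json.loads(aws_json_by_secret.get(secret_id, '{"Versions": []}'))
        stages = {v["VersionId"]: v.get("VersionStages", [])
                  for v in listing.get("Versions", [])}
        if version_id not in stages:
            report[address] = "missing"      # state points at a version AWS no longer has
        elif not stages[version_id]:
            report[address] = "deprecated"   # no staging label: eligible for cleanup by AWS
        else:
            report[address] = "present"
    return report

if __name__ == "__main__":
    for address, status in classify(STATE_JSON, AWS_JSON).items():
        print(f"{status:10} {address}")
```

The JSON form of the state includes secret values in plaintext, so treat the saved file like the secret itself and delete it once the check is done.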
Additional Tips:
- State File Sanity Check: Ensure your Terraform state file is accurate and doesn't contain references to deleted resources. Use terraform state list to check for orphaned resources.
- Terraform Locking: If you're working in a team environment, consider using Terraform locking to prevent accidental resource deletions and maintain consistency between your configurations and the actual infrastructure.
Conclusion:
The "Version was deleted" error from the Terraform AWS provider's Secrets Manager resources can be frustrating, but it's often resolved with careful investigation and appropriate remediation. By understanding the underlying problem and employing the right techniques, you can restore consistency and successfully manage your secrets in Terraform.