-
-
Save bschaatsbergen/cec07997d0d187d8e8c7889af96a8c45 to your computer and use it in GitHub Desktop.
| provider "aws" { | |
| region = "us-west-2" | |
| } | |
| ephemeral "random_password" "db_password" { | |
| length = 16 | |
| } | |
| resource "aws_secretsmanager_secret" "db_password" { | |
| name = "db-password" | |
| } | |
| resource "aws_secretsmanager_secret_version" "db_password" { | |
| secret_id = aws_secretsmanager_secret.db_password.id | |
| secret_string_wo = ephemeral.random_password.db_password.result | |
| secret_string_wo_version = 1 | |
| } | |
| ephemeral "aws_secretsmanager_secret_version" "db_password" { | |
| secret_id = aws_secretsmanager_secret_version.db_password.secret_id | |
| } | |
| resource "aws_db_instance" "example" { | |
| instance_class = "db.t3.micro" | |
| allocated_storage = "5" | |
| engine = "postgres" | |
| username = "example" | |
| skip_final_snapshot = true | |
| password_wo = ephemeral.aws_secretsmanager_secret_version.db_password.secret_string | |
| password_wo_version = aws_secretsmanager_secret_version.db_password.secret_string_wo_version | |
| } | |
Actually, I will retract my last comment, I realized that the code in your Gist is actually an old version of your code.
I see that in hashicorp/terraform#36605, instead of
ephemeral "aws_secretsmanager_secret_version" "db_password" {
secret_id = aws_secretsmanager_secret.db_password.id
}
you have
ephemeral "aws_secretsmanager_secret_version" "db_master" {
secret_id = aws_secretsmanager_secret_version.db_password.secret_id
}
This resolves the "timing" concern I mentioned above with respect to when the ephemeral resource attempts to read the value for a secret version, and which version to read (which is whatever AWSCURRENT is pointing to after TF creates/re-creates the aws_secretsmanager_secret_version resource)
I have one suggestion to make it more explicit and clear in https://github.com/hashicorp/terraform/pull/36605/files#r1980138389
Thank you for catching the outdated reference, @ktham, and ++ for finding the updated documentation improvement I had submitted! I noticed I had shown you the plan and apply output of the correct example, but the Gist did not match that. Thanks again!
This is how the dependency graph should look like, using:
ephemeral "aws_secretsmanager_secret_version" "db_master" {
secret_id = aws_secretsmanager_secret_version.db_password.secret_id
}
Thank you for explaining!
I understand that the ephemeral
aws_secretsmanager_secret_versionresource runs every time on each plan/apply and fetches a new value each time. My concern is about when it fetches the new value during the TF apply-phase. In particular, is there a possibility that it runs/fetches the new value before theaws_secretsmanager_secret_version.db_passwordresource gets recreated?In your TF apply, I see that
ephemeral.aws_secretsmanager_secret_version.db_password:is "opened" afteraws_secretsmanager_secret_version.db_passwordis re-created in your particular example, which is what we'd want. However, I just want to confirm that this will always be the case?Normally, Terraform set implicit dependencies between resources based attribute access, but in this case, the ephemeral
aws_secretsmanager_secret_versionis only dependent onaws_secretsmanager_secretand not theaws_secretsmanager_secret_version, so I wasn't sure if I can correctly assume that the ephemeralaws_secretsmanager_secret_versionresource will always run afteraws_secretsmanager_secret_version.db_passwordresource gets recreated