Terraform | Secrets Manager | Reuse of existing secrets without deleting

Posted: 2019-12-17 07:03:56

Question:

I am creating a Secret in AWS using Terraform code. My Jenkins pipeline creates the infrastructure every 2 hours and destroys it. Once the infrastructure is recreated after 2 hours, AWS Secrets Manager does not allow me to recreate the secret again and throws the following error. Please advise.
Error: error creating Secrets Manager Secret: InvalidRequestException: You can't create this secret because a secret with this name is already scheduled for deletion.
status code: 400, request id: e4f8cc85-29a4-46ff-911d-c5115716adc5
TF code:

```hcl
resource "aws_secretsmanager_secret" "secret" {
  description = "${var.environment}"
  kms_key_id  = "${data.aws_kms_key.sm.arn}"
  name        = "${var.environment}-airflow-secret"
}

resource "random_string" "rds_password" {
  length  = 16
  special = true
}

resource "aws_secretsmanager_secret_version" "secret" {
  secret_id     = "${aws_secretsmanager_secret.secret.id}"
  secret_string = <<EOF
{
  "rds_password": "${random_string.rds_password.result}"
}
EOF
}
```
TF plan output:

```text
# module.aws_af.aws_secretsmanager_secret.secret will be created
+ resource "aws_secretsmanager_secret" "secret" {
    + arn                     = (known after apply)
    + description             = "dev-airflow-secret"
    + id                      = (known after apply)
    + kms_key_id              = "arn:aws:kms:eu-central-1"
    + name                    = "dev-airflow-secret"
    + name_prefix             = (known after apply)
    + recovery_window_in_days = 30
    + rotation_enabled        = (known after apply)
  }

# module.aws_af.aws_secretsmanager_secret_version.secret will be created
+ resource "aws_secretsmanager_secret_version" "secret" {
    + arn            = (known after apply)
    + id             = (known after apply)
    + secret_id      = (known after apply)
    + secret_string  = (sensitive value)
    + version_id     = (known after apply)
    + version_stages = (known after apply)
  }
```
Comments:

If you need to force-delete the secret, follow the instructions here to do so using the AWS CLI. Once done, be sure to use the recovery_window_in_days option in your Terraform configuration, as described in the answer.
Answer 1:

You need to set the recovery window to 0 to delete the secret immediately.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#recovery_window_in_days
recovery_window_in_days - (Optional) Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery, or a range from 7 to 30 days. The default value is 30.

Discussion:

New link to recovery_window_in_days
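As an added example (not the asker's or the answerer's code), here is the asker's configuration rewritten with `recovery_window_in_days = 0`, so that `terraform destroy` removes the secret immediately and the next pipeline run can recreate it under the same name. The `variable "environment"` declaration, the KMS key alias `alias/sm`, and the switch from `random_string` to `random_password` (whose result is marked sensitive so it does not appear in plan output) are assumptions made for this example.

```hcl
# Added example, not the original question's code.
# Assumed for illustration: variable "environment", KMS alias "alias/sm",
# and random_password in place of random_string.

variable "environment" {
  type    = string
  default = "dev"
}

data "aws_kms_key" "sm" {
  key_id = "alias/sm" # assumed alias; replace with the real key alias or ARN
}

# random_password behaves like random_string but marks the result sensitive,
# so the generated value is redacted in `terraform plan` output.
resource "random_password" "rds_password" {
  length  = 16
  special = true
}

resource "aws_secretsmanager_secret" "secret" {
  name        = "${var.environment}-airflow-secret"
  description = var.environment
  kms_key_id  = data.aws_kms_key.sm.arn

  # 0 = delete immediately on destroy, with no 7-30 day recovery window.
  # Trade-off: an accidental destroy cannot be undone. That is acceptable here
  # because the pipeline regenerates the secret value on every run anyway.
  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "secret" {
  secret_id = aws_secretsmanager_secret.secret.id

  # jsonencode produces the same {"rds_password": "..."} document as the
  # heredoc in the question, without hand-written JSON quoting.
  secret_string = jsonencode({
    rds_password = random_password.rds_password.result
  })
}
```

Note that the recovery window is applied at deletion time, so changing it in Terraform only affects future destroys: a secret that is already scheduled for deletion from an earlier run still has to be cleared once out of band (for example with `aws secretsmanager delete-secret --secret-id dev-airflow-secret --force-delete-without-recovery`, as the comment above suggests) before the first apply with the new setting will succeed.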