删除 Terraform 资源 aws_secretsmanager_secret_version 不会删除 Secrets Manager 秘密条目
Delete Terraform resource aws_secretsmanager_secret_version does not delete Secrets Manager secret entry
我使用 Terraform 创建了一个 AWS 机密管理器和一个机密键值条目,如下所示。但是,在我在 aws_secretsmanager_secret_version 资源和 terraform 应用下面注释掉之后,terraform 显示它删除了秘密键值条目,但我仍然可以在 AWS 控制台中看到该条目并且我仍然可以使用 CLI 获取秘密密钥 -使用 aws secretsmanager get-secret-value --secret-id myTestName.
的值
这个条目真的被删除了吗?为什么我仍然在 AWS 控制台中看到它?或者它可能已被删除但控制台和 cli 中显示的是旧版本?至少 Terraform 从它的状态文件中删除了它。
resource "aws_secretsmanager_secret" "test" {
name = "myTestName"
}
# I deleted secret key-value entry by
# commenting out below and apply terraform again
resource "aws_secretsmanager_secret_version" "test" {
secret_id = aws_secretsmanager_secret.test.id
secret_string = <<EOF
{
"test-key": "test-value"
}
EOF
}
根据 AWS documentation:
...Secrets Manager does not immediately delete secrets. Instead,
Secrets Manager immediately makes the secrets inaccessible and
scheduled for deletion after a recovery window of a minimum of
seven days...
由于机密的关键性质,此功能存在是有原因的 - 防止您意外删除重要的 production-grade 机密,这会导致访问服务出现严重问题。
如果你还想删除密文,可以强行删除:
aws secretsmanager delete-secret --secret-id your-secret --force-delete-without-recovery --region your-region
如果您想立即创建同名的新密文,您可能需要强制删除它,以避免名称冲突。
更新:正如您所澄清的,对于您的特定情况 - 如果您希望删除密钥版本,则无法完成,因为您只有一个具有 AWSCURRENT[= 的密钥版本29=]标签:
aws secretsmanager get-secret-value --secret-id myTestName
...
"Name": "myTestName",
"SecretString": " ...
"VersionStages": [
"AWSCURRENT"
]
...
来自 terraform documentation:
If the AWSCURRENT staging label is present on this version during
resource deletion, that label cannot be removed and will be skipped to
prevent errors when fully deleting the secret. That label will leave
this secret version active even after the resource is deleted from
Terraform unless the secret itself is deleted. Move the AWSCURRENT
staging label before or after deleting this resource from Terraform to
fully trigger version deprecation if necessary.
我使用 Terraform 创建了一个 AWS 机密管理器和一个机密键值条目,如下所示。但是,在我在 aws_secretsmanager_secret_version 资源和 terraform 应用下面注释掉之后,terraform 显示它删除了秘密键值条目,但我仍然可以在 AWS 控制台中看到该条目并且我仍然可以使用 CLI 获取秘密密钥 -使用 aws secretsmanager get-secret-value --secret-id myTestName.
这个条目真的被删除了吗?为什么我仍然在 AWS 控制台中看到它?或者它可能已被删除但控制台和 cli 中显示的是旧版本?至少 Terraform 从它的状态文件中删除了它。
resource "aws_secretsmanager_secret" "test" {
name = "myTestName"
}
# I deleted secret key-value entry by
# commenting out below and apply terraform again
resource "aws_secretsmanager_secret_version" "test" {
secret_id = aws_secretsmanager_secret.test.id
secret_string = <<EOF
{
"test-key": "test-value"
}
EOF
}
根据 AWS documentation:
...Secrets Manager does not immediately delete secrets. Instead, Secrets Manager immediately makes the secrets inaccessible and scheduled for deletion after a recovery window of a minimum of seven days...
由于机密的关键性质,此功能存在是有原因的 - 防止您意外删除重要的 production-grade 机密,这会导致访问服务出现严重问题。
如果你还想删除密文,可以强行删除:
aws secretsmanager delete-secret --secret-id your-secret --force-delete-without-recovery --region your-region
如果您想立即创建同名的新密文,您可能需要强制删除它,以避免名称冲突。
更新:正如您所澄清的,对于您的特定情况 - 如果您希望删除密钥版本,则无法完成,因为您只有一个具有 AWSCURRENT[= 的密钥版本29=]标签:
aws secretsmanager get-secret-value --secret-id myTestName
...
"Name": "myTestName",
"SecretString": " ...
"VersionStages": [
"AWSCURRENT"
]
...
来自 terraform documentation:
If the AWSCURRENT staging label is present on this version during resource deletion, that label cannot be removed and will be skipped to prevent errors when fully deleting the secret. That label will leave this secret version active even after the resource is deleted from Terraform unless the secret itself is deleted. Move the AWSCURRENT staging label before or after deleting this resource from Terraform to fully trigger version deprecation if necessary.