bugfix - #4789 AWS Secrets Manager - retrieve json secret as a map #5087

Closed
wants to merge 1 commit into from


@ozbillwang ozbillwang commented Jul 5, 2018

Fixes #4789

Changes proposed in this pull request:

  • AWS Secrets Manager - retrieve json secret as a map (originally it is a string)

Tasks:

  • bugfix
  • test case
  • document updates.

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSAvailabilityZones'

...

Here is my test code

provider "aws" {
  region = "ap-southeast-2"
}

variable "secret" {
  type = "map"
  default = {
    name = "team_project_dev"
    key = "db_master_password"
  }
}

data "aws_secretsmanager_secret" "secret" {
  name = "${lookup(var.secret, "name")}"
}

data "aws_secretsmanager_secret_version" "secret" {
  secret_id = "${data.aws_secretsmanager_secret.secret.id}"
}

locals {
  master_password = "${lookup(data.aws_secretsmanager_secret_version.secret.secret_string, lookup(var.secret, "key"))}"
}

output "master_password" {
  value = "${local.master_password}"
}

Result:

$ terraform apply 

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

master_password = test

@ghost ghost added the size/XS Managed by automation to categorize the size of a PR. label Jul 5, 2018
@bflad bflad added service/secretsmanager Issues and PRs that pertain to the secretsmanager service. breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. labels Jul 5, 2018

@bflad bflad left a comment


Hi @ozbillwang 👋 Thanks for submitting this. In addition to the below items, which might prevent us from accepting this pull request, we may opt to not create a second attribute at all.

The next major version of Terraform should support jsondecode() as a built-in function, removing the necessity of needing a separate attribute to break apart the JSON (when it is JSON).

@@ -20,7 +21,7 @@ func dataSourceAwsSecretsManagerSecretVersion() *schema.Resource {
ForceNew: true,
},
"secret_string": {
Type: schema.TypeString,
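
Review bot: the `Type` of `secret_string` (last line of this hunk) is the only place the raw secret value is exposed, and a map-typed attribute has no way to carry a secret that is a plain string or whose JSON values are nested objects. Keep `Type: schema.TypeString` here and put the decoded form in a separate computed attribute, so existing configurations and non-JSON secrets keep working.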

Changing an attribute type is a breaking change for existing Terraform configurations. This new behavior should be handled by creating a new attribute and a new acceptance test added to cover if and when this new attribute is available.

There are also other potential issues with introducing this second attribute as briefly outlined in: #4613 (comment)

d.Set("secret_string", output.SecretString)
var sec map[string]interface{}
if err = json.Unmarshal([]byte(*output.SecretString), &sec); err != nil {
return fmt.Errorf("Error getting secret string: %s", err)
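
Review bot: `*output.SecretString` in the `json.Unmarshal` call is dereferenced without a nil check, and a secret stored as binary has no string value, so this line can panic during read. Check for nil before decoding, and keep `err` from the JSON decoder out of the returned message, because the decoder's syntax errors quote a character of the input, which here is the secret.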

It is valid to create a Secrets Manager secret that is a single string value (not JSON). This error should only be logged to not break handling with those types of secrets.
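
An added example, not part of this pull request or the provider's code: one way to decode the secret so that plain-string and binary secrets are tolerated rather than treated as errors. The helper name `decodeSecretString` and the sample values are hypothetical.

```go
package main

import (
	"encoding/json"
	"log"
)

// decodeSecretString is a hypothetical helper (not the provider's code).
// It returns the secret as a flat map when the value is a JSON object, and
// (nil, false) for plain-string, binary (nil pointer) or non-object values.
func decodeSecretString(secret *string) (map[string]string, bool) {
	if secret == nil { // binary secrets carry no string value
		return nil, false
	}
	var raw map[string]interface{}
	if err := json.Unmarshal([]byte(*secret), &raw); err != nil || raw == nil {
		// Log the fact only: decoder errors can quote a byte of the input,
		// which here is secret material.
		log.Print("[DEBUG] secret string is not a JSON object; skipping map decode")
		return nil, false
	}
	out := make(map[string]string, len(raw))
	for k, v := range raw {
		if s, ok := v.(string); ok {
			out[k] = s
			continue
		}
		// Numbers, booleans and nested values are kept as their JSON text.
		b, err := json.Marshal(v)
		if err != nil {
			return nil, false
		}
		out[k] = string(b)
	}
	return out, true
}

func main() {
	// Constructed sample values, not real secrets.
	for _, s := range []string{`{"db_master_password":"test","port":5432}`, "test"} {
		s := s
		m, ok := decodeSecretString(&s)
		log.Printf("is JSON object: %v, keys: %d", ok, len(m))
	}
}
```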

@bflad bflad added the enhancement Requests to existing resources that expand the functionality or scope. label Jul 5, 2018
@bflad

bflad commented Jul 5, 2018

I provided additional information about this handling in #4789 (comment)

@bflad bflad added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 5, 2018
@ozbillwang

@bflad

Thanks for reviewing. This PR is not suitable; I will close it and wait for the new v0.12 release.

@ozbillwang ozbillwang closed this Jul 5, 2018
@ghost

ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 4, 2020
@breathingdust breathingdust removed the waiting-response Maintainers are waiting on response from community or contributor. label Sep 17, 2021