Hi all I have this func that creates a secret and ...
# aws
c
Hi all, I have this func that creates a secret and its version. It used to work forever until the very recent updates, where I started getting these types of errors. Any ideas?
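from typing import Union

import pulumi_aws as aws


def add_secret(name: str, value: Union[str, dict], description: str):
    """Function to add a secret to AWS"""
    # The secret container itself (name, description, metadata)
    secret = aws.secretsmanager.Secret(
        resource_name=name,
        name=name,
        description=description,
    )
    # The secret value; each change to secret_string replaces this version
    aws.secretsmanager.SecretVersion(
        f"secret-version/{name}",
        secret_id=secret.id,
        secret_string=value,
    )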
aws:secretsmanager:SecretVersion (secret-version/production-xxxx-platform-xxxx-api-token):
    error:   sdk-v2/provider2.go:515: sdk.helper_schema: deleting Secrets Manager Secret Version (arn:aws:secretsmanager:eu-central-1:xxxx:secret:production-xxxx-platform-xxxx-api-token-Mjdgew|terraform-20250103102936863100000009) stage (AWSPREVIOUS): operation error Secrets Manager: UpdateSecretVersionStage, https response error StatusCode: 400, RequestID: 532437ac-b9a3-4460-bb0c-a60fa8ce552d, InvalidParameterException: When you move staging label AWSPREVIOUS, if you specify RemoveFromVersionId, it must be set to the version that currently has the staging label terraform-20250103114221271600000009.: provider=aws@6.66.2
    error: deleting urn:pulumi:production::platform-platform::aws:secretsmanager/secretVersion:SecretVersion::secret-version/production-xxx-platform-xxxx-api-token: 1 error occurred:
        * deleting Secrets Manager Secret Version (arn:aws:secretsmanager:eu-central-1:495775544086:secret:production-xxxx-platform-xxxx-api-token-Mjdgew|terraform-20250103102936863100000009) stage (AWSPREVIOUS): operation error Secrets Manager: UpdateSecretVersionStage, https response error StatusCode: 400, RequestID: 532437ac-b9a3-4460-bb0c-a60fa8ce552d, InvalidParameterException: When you move staging label AWSPREVIOUS, if you specify RemoveFromVersionId, it must be set to the version that currently has the staging label terraform-20250103114221271600000009.
q
Hey @creamy-beard-50597, does this reproduce in a new stack as well or only with the existing one? Also you mentioned that it stopped working after recent updates. Do you know with which provider version it's still working?
c
actually it works in one stack and fails in another.. the only difference is environment name 🤷 well I was using pulumi_aws 6.59 and now using the latest
btw I tried it also on a new stack rn.. works like a charm
one other small detail:
• SecretVersion goes through the whole update cycle: create-replacement -> AWSCURRENT version is replaced -> delete original (and here it fails at updating the AWSPREVIOUS value)
q
Could there have been some edits outside of pulumi? The staging label not being set on the correct version could explain that. You could check this using CloudTrail.
c
I thought about it also, so I deleted the secrets and recreated them again, works at first but once I update their values again, the same problem kicks in
q
Ok, this definitely sounds odd! Do you see any odd API calls relating to this secret in CloudTrail? This error message would hint at the AWSPREVIOUS label being moved away from the old/replaced version before it's getting deleted. If you manage to create a repro for this please cut an issue here so that we can further dig into it!