Hi all I have this func that creates a secret and its version, it used to work forever until the very recent updates where I started getting these type of errors, any ideas ?

def add_secret(name: str, value: Union[str, dict], description: str):
    """Function to add a secret to AWS"""
    secret = aws.secretsmanager.Secret(
        resource_name=name,
        name=name,
        description=description,
    )
    aws.secretsmanager.SecretVersion(
        f"secret-version/{name}",
        secret_id=secret.id,
        secret_string=value,
    )

aws:secretsmanager:SecretVersion (secret-version/production-xxxx-platform-xxxx-api-token):
    error:   sdk-v2/provider2.go:515: sdk.helper_schema: deleting Secrets Manager Secret Version (arn:aws:secretsmanager:eu-central-1:xxxx:secret:production-xxxx-platform-xxxx-api-token-Mjdgew|terraform-20250103102936863100000009) stage (AWSPREVIOUS): operation error Secrets Manager: UpdateSecretVersionStage, https response error StatusCode: 400, RequestID: 532437ac-b9a3-4460-bb0c-a60fa8ce552d, InvalidParameterException: When you move staging label AWSPREVIOUS, if you specify RemoveFromVersionId, it must be set to the version that currently has the staging label terraform-20250103114221271600000009.: provider=aws@6.66.2
    error: deleting urn:pulumi:production::platform-platform::aws:secretsmanager/secretVersion:SecretVersion::secret-version/production-xxx-platform-xxxx-api-token: 1 error occurred:
        * deleting Secrets Manager Secret Version (arn:aws:secretsmanager:eu-central-1:495775544086:secret:production-xxxx-platform-xxxx-api-token-Mjdgew|terraform-20250103102936863100000009) stage (AWSPREVIOUS): operation error Secrets Manager: UpdateSecretVersionStage, https response error StatusCode: 400, RequestID: 532437ac-b9a3-4460-bb0c-a60fa8ce552d, InvalidParameterException: When you move staging label AWSPREVIOUS, if you specify RemoveFromVersionId, it must be set to the version that currently has the staging label terraform-20250103114221271600000009.

Hey @creamy-beard-50597, does this reproduce in a new stack as well or only with the existing one? Also you mentioned that it stopped working after recent updates. Do you know with which provider version it's still working?

actually it works in one stack and fails in another.. the only difference is environment name 🤷 well I was using

pulumi_aws

6.59

and now using the latest

Could there have been some edits outside of pulumi? The staging label not being set on the correct version could explain that. You could check this using CloudTrail.

I thought about it also, so I deleted the secrets and recreated them again, works at first but once I update their values again, the same problem kicks in

Ok, this definitely sounds odd! Do you see any odd API calls relating to this secret in CloudTrail? This error message would hint at the

AWSPREVIOUS

label being moved away from the old/replaced version before it's getting deleted. If you manage to create a repro for this please cut an issue here so that we can further dig into it!