Confused about aws_secretsmanager_secret_version resource behaviour

I have a secret in AWS Secrets Manager in my Terraform like so. I have turned on password rotation.

resource "aws_secretsmanager_secret" "secret" {
  name        = "secret"
  description = "Secret"
}

resource "aws_secretsmanager_secret_version" "secretversion" {
  secret_id     = aws_secretsmanager_secret.secret.id
  secret_string = <<-EOF
    {
      "username": "${var.username}",
      "password": "${var.password}",
      "engine": "postgres",
      "host": "${var.db_address}",
      "port": "5432",
      "dbname": "db",
      "dbClusterIdentifier": "db"
    }
  EOF
}

Now, when the password rotation happens and I run terraform apply after the rotation, Terraform updates the state with the new password but ignores the value of var.password that I am supplying through my configuration.

My understanding of Terraform was that the configuration is always the source of truth, but in this case Terraform is somehow ignoring the var.password value and says there are no changes to apply. Why is that?

I’d imagine that’s because of how AWS Secrets Manager deals with versions. Technically speaking, the version of the secret that you created didn’t change, it still exists as a non-current version.

You can probably check if that’s the case with the command aws secretsmanager list-secret-version-ids --profile <your_profile> --secret-id <secret_id>.

What has changed is: a new version was created and the label AWSCURRENT was attached to it. Since you didn’t specify in your Terraform code that your version needs to always be the current one, Terraform updates the state with the new current version but makes no changes to the old one.

If you want to force your Terraform version to always be the latest (AWSCURRENT), then add the version_stages attribute to your aws_secretsmanager_secret_version resource.
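An added example, not the original poster's or the answerer's configuration, showing what the suggested version_stages attribute looks like alongside the rest of the secret. The variable names (var.username, var.password, var.db_address) are assumed to match the question; the variable blocks and the use of jsonencode instead of a heredoc are choices made here, not something the page specifies.

```hcl
# Added example: a secret version pinned to the AWSCURRENT stage.
# Variable blocks are assumed here so the snippet is self-contained.

variable "username" {
  type = string
}

variable "password" {
  type      = string
  sensitive = true # redacted in plan/apply output; the value is still written to state
}

variable "db_address" {
  type = string
}

resource "aws_secretsmanager_secret" "secret" {
  name        = "secret"
  description = "Secret"
}

# Pinning version_stages to AWSCURRENT makes Terraform compare its secret_string
# against whichever version currently carries the AWSCURRENT label. After a
# rotation the Terraform-created version loses that label, so the next plan
# shows a diff and apply writes var.password back as the current version.
resource "aws_secretsmanager_secret_version" "secretversion" {
  secret_id      = aws_secretsmanager_secret.secret.id
  version_stages = ["AWSCURRENT"]

  # jsonencode produces the same JSON document as the heredoc in the question
  # without hand-written quoting.
  secret_string = jsonencode({
    username            = var.username
    password            = var.password
    engine              = "postgres"
    host                = var.db_address
    port                = "5432"
    dbname              = "db"
    dbClusterIdentifier = "db"
  })
}
```

Two things to keep in mind before adopting this. First, with rotation enabled the rotation Lambda is the component that knows the live database password; pinning Terraform to AWSCURRENT means every apply after a rotation overwrites the rotated value with whatever var.password holds, which will break logins unless that variable is updated in step with rotation. If the intent is only to seed the initial credentials and let rotation own them afterwards, the usual pattern is the reverse: leave version_stages unset and add lifecycle { ignore_changes = [secret_string] } to the version resource. Second, whichever option is chosen, the plaintext secret_string is stored in the Terraform state, so the state backend needs the same access controls and encryption as the secret itself.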