Dynamic block deletion

gcmlabs · June 26, 2025, 3:01pm

Hello!

I’m trying to conditionally create/delete a configuration block (AWS Secrets replication)

My code is as follows:

resource "aws_secretsmanager_secret" "postgresql" {
  name       = "${var.rds_name}-secrets"
  kms_key_id = var.kms_outputs.sm_key_arn
  dynamic "replica" {
    for_each = var.aws_disaster_region != "" ? ["enable"] : []
    
    content {
      region     = var.aws_disaster_region
      kms_key_id = "arn:aws:kms:${var.aws_disaster_region}:${data.aws_caller_identity.current.account_id}:key/${var.kms_outputs.sm_key_id}"
    }
  }
  tags = {
    Name = "${var.rds_name}-secrets"
  }
}

The issue I’m encountering is: if I create the resource with var.aws_disaster_region = "", the replica configuration isn’t created. If I then add a region code to the variable, the resource is updated with the replica configuration. However, when I change the variable back to an empty string, the replica configuration block isn’t removed, and terraform shows no changes.

Any suggestions on how to fix this?

Thanks

jbardin · June 27, 2025, 2:27pm

Hi @gcmlabs,

This looks like a provider issue, and indeed there is one already opened here: secretsmanager_secret - Cannot be able to delete a replica · Issue #23316 · hashicorp/terraform-provider-aws · GitHub

The provider is using the legacy SDK still for that resource, which cannot detect when the values have been removed from the configuration entirely.

gcmlabs · June 27, 2025, 2:41pm

Thanks @jbardin! I will wait for the PR to be merged

Topic		Replies	Views
Dynamic block name Terraform	1	966	October 19, 2022
Request for testing: `removed` block Terraform	13	2888	January 17, 2024
How to conditionally remove / add object from a dynamic content Terraform	3	652	February 10, 2024
Imported KMS key being deleted to be redeployed AWS	1	1009	January 11, 2022
Terraform apply says 0 to destroy but then plan errors with x already scheduled for deletion? AWS	1	742	October 12, 2023

Dynamic block deletion

Related topics