How to use multiple secretsmanager secret_version in a module?

Hi there!

I’m having a weird issue with aws_secretsmanager_secret when two aws_secretsmanager_secret_version resources put values into the same AWS Secret.

This is how I created a SecretsManager Secret:

resource "aws_secretsmanager_secret" "env_secrets" {
  name        = "my-super-secrets"
  kms_key_id  = aws_kms_key.master_kms_key.arn
  description = "${var.aws_acc_name} default secrets"
}

And then two separate aws_secretsmanager_secret_version resources adding two sets of secrets (key/value pairs) to the same secret store:

resource "aws_secretsmanager_secret_version" "app_secrets" {
  secret_id     = aws_secretsmanager_secret.env_secrets.id
  secret_string = jsonencode(var.app_secrets)
}
#
resource "aws_secretsmanager_secret_version" "ssh_key" {
  secret_id     = aws_secretsmanager_secret.env_secrets.id
  secret_string = file("${local.ssh_key_file}.pass")
}

What I’m experiencing here is that they overwrite each other’s set. In the AWS Secrets Manager console I see either the secrets from app_secrets or from ssh_key, depending on which one was added first, whilst I was expecting to see the secret values from both resources.

Is this expected, or is it a bug? Or am I doing something wrong here? Any help would be really appreciated!!

-San


I am facing the same. Did anyone find a fix?

Though I’ve never used AWS Secrets Manager, I’ve used Terraform and HashiCorp Vault a lot and can extrapolate accordingly.

This looks like it’s simply functioning as designed to me.

You’re literally telling Terraform to set the latest secret version to two different things, so naturally one of them has to win over the other, based on timing.
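As an added example (not code from either poster), here are the two usual ways to avoid the "last version wins" behaviour described above: merge both value sets into a single secret_version, or give the SSH passphrase its own secret. It reuses var.app_secrets, local.ssh_key_file and aws_kms_key.master_kms_key from the thread; the key name ssh_key_passphrase and the second secret's name are assumptions.

```hcl
# Option A: one secret, one secret_version. Both value sets are merged into a
# single JSON document, so neither write replaces the other.
# Assumes var.app_secrets is a map of strings (as in the original post).
resource "aws_secretsmanager_secret_version" "env_secrets" {
  secret_id = aws_secretsmanager_secret.env_secrets.id
  secret_string = jsonencode(merge(
    var.app_secrets,
    # hypothetical key name; trimspace drops the trailing newline from the file
    { ssh_key_passphrase = trimspace(file("${local.ssh_key_file}.pass")) }
  ))
}

# Option B (use instead of A): a separate secret for the SSH passphrase, so the two
# value sets have independent versions and can get their own IAM resource policies.
resource "aws_secretsmanager_secret" "ssh_key" {
  name        = "my-super-secrets-ssh-key" # assumed name
  kms_key_id  = aws_kms_key.master_kms_key.arn
  description = "SSH key passphrase"
}

resource "aws_secretsmanager_secret_version" "ssh_key" {
  secret_id     = aws_secretsmanager_secret.ssh_key.id
  secret_string = file("${local.ssh_key_file}.pass")
}
```

Either way, secret_string is recorded in the Terraform state file, so the state backend needs the same access controls and encryption as the secret itself.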