Terraform apply says 0 to destroy but then plan errors with x already scheduled for deletion?

deantray · October 12, 2023, 11:48am

My terraform plan yielded

Plan: 72 to add, 0 to change, 0 to destroy.

but then when I apply, I get 3 errors on like this

│ Error: creating Secrets Manager Secret: InvalidRequestException: You can’t create this secret because a secret with this name is already scheduled for deletion.

│ with module.ecs_backend[“orders_task”].module.backend_secrets.aws_secretsmanager_secret.sm[“devops-orders-env-secrets”],
│ on …/…/…/modules/aws/secrets_manager/main.tf line 1, in resource “aws_secretsmanager_secret” “sm”:
│ 1: resource “aws_secretsmanager_secret” “sm” {

I checked BEFORE I ran and the secret referred to does not exist. My ‘terraform show -json’ also does not contain this secret. Why is it saying it is scheduled for deletion when my plan shows 72 adds, 0 to destroy?

terraform version 1.4.6

looking at that terraform file, I see this

resource “aws_secretsmanager_secret” “sm” {
for_each = var.credentials

name = each.key

tags = {
Owner = “Terraform”
Environment = var.environment
}

lifecycle {
ignore_changes = [arn]
create_before_destroy = true
}
}

I did delete the secret from AWS and it is in a scheduled for deletion state but I was hoping terraform can bring it back here.

I then cancel deletion hoping it will sync but instead get the ‘resource already exists exception’. I look for attributes that will bring back cancellation or just revive and use existing secret but do not see anything on that either. (the secret is empty in tf and filled in by humans)

I see in docs the count = var.create_instance ? 1 : 0 but really want for this specific secrets to create if not exist (if scheduled for deletion, error is fine as we can revive manually and rerun). Anyway to do that perhaps as a best effort to create and manage?

apparentlymart · October 12, 2023, 3:22pm

Hi @deantray,

I’m not familiar enough with these AWS features to give a full answer but I did want to try to resolve an ambiguity I see in this error message:

This message is coming from the AWS provider rather than from Terraform itself, and the shape of the message suggests that the provider is just relaying verbatim a message returned from the underlying remote API.

Therefore this idea of “scheduled for deletion” is a concept of the remote API rather than of Terraform, and it’s independent of Terraform’s own action “destroy” as would be tallied in the plan summary you quoted. Terraform is not proposing to destroy anything here, but the remote API seems to have its own idea of planned or asynchronous deletion which is what this error is about.

I don’t know enough to say what it means for a secret to be “scheduled for deletion” in this AWS service, but I hope that the above is at least useful in separating Terraform’s own behavior from the remote API’s behavior, even though there’s some clashing terminology between the two here.

Topic		Replies	Views
Updated secrets_manager secrets values manually , now terraform is giving error AWS	4	1503	January 8, 2024
Error: Invalid index... resource.name is an empty tuple - Failure in plan on destroy Terraform	2	2232	May 31, 2020
Terraform Update RDS Proxy without Deleting Existing Secrets AWS	16	1037	April 6, 2023
Retrieving multiple secrets and assigning to multiple resources AWS	2	378	March 23, 2022
"Plan: 1 to add, 0 to change, 1 to destroy." : I want Terraform only to keep adding and destroy nothing Terraform	6	93	September 2, 2024

Terraform apply says 0 to destroy but then plan errors with x already scheduled for deletion?

Related topics