Issue retrieving the full ARN in Secret Managers without the random suffix
Hi, Using the reference architecture deployed by GW, I'm trying to modify the `terragrunt.hcl` file in `services\myservice` to add a reference to a secret without the random suffix. My code is:

```
locals {
  manual_secrets_manager_arn = "arn:aws:secretsmanager:${include.envcommon.locals.aws_region}:${include.envcommon.locals.account_id}:secret:br-dev/manual-created/test-secret"

  # List of environment variables and container images for each container that are specific to this environment. The map
  # key here should correspond to the map keys of the _container_definitions_map input defined in envcommon.
  service_environment_variables = {
    (include.envcommon.locals.service_name) = [
      {
        name  = "MANUAL_SUPER_SECRET"
        value = format("%s:%s::", local.manual_secrets_manager_arn, "MANUAL_SUPER_SECRET")
      }
    ]
  }

  container_images = {
    (include.envcommon.locals.service_name) = "${include.envcommon.locals.container_image}:${local.tag}"
  }

  # Specify the app image tag here so that it can be overridden in a CI/CD pipeline.
  tag = "latest"
}

. . .

  secrets_access = [
    local.manual_secrets_manager_arn
  ]
}
```

But when I try to apply these changes I get this error:

```
Error: Secrets Manager Secret "arn:aws:secretsmanager:us-east-2:XXXXXXXXXX:secret:br-dev/manual-created/test-secret" not found
│
│   with data.aws_secretsmanager_secret.secrets_arn_exchange["arn:aws:secretsmanager:us-east-2:XXXXXXXXXX:secret:br-dev/manual-created/test-secret"],
│   on main.tf line 219, in data "aws_secretsmanager_secret" "secrets_arn_exchange":
│  219: data "aws_secretsmanager_secret" "secrets_arn_exchange" {
```

And looking into the error line in the module, it looks like it's trying to do what I need (use the secret ARN without the random suffix):

```
# This allows the user to pass either the full ARN of a Secrets Manager secret (including the randomly generated
# suffix) or the ARN without the random suffix. The data source will find the full ARN for use in the IAM policy.
data "aws_secretsmanager_secret" "secrets_arn_exchange" {
  for_each = { for secret in var.secrets_access : secret => secret }
  arn      = each.value
}
```

But unfortunately, it only works when I add the random suffix to `manual_secrets_manager_arn`. Is there anything I'm missing? Thanks.
Hello, AFAIK the secret lookup will fail if the name ends with a dash followed by exactly 6 characters 🤷

https://github.com/aws/aws-cdk/issues/11526#issuecomment-729596165

https://awscli.amazonaws.com/v2/documentation/api/2.1.30/reference/secretsmanager/describe-secret.html#options

> To avoid this situation, we recommend that you don't create secret names ending with a hyphen followed by six characters.
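The name in the question, `br-dev/manual-created/test-secret`, is exactly the case the reply describes: its last segment `-secret` is a hyphen followed by six characters, so a partial-ARN lookup treats it as if the random suffix were already present. The following check, added here as an example and not code from the thread or from Gruntwork's module, scans a list of secret references the way a pre-apply lint step could, and flags the ones whose partial ARN is likely to fail the `aws_secretsmanager_secret` lookup. The function names, the regex (which follows the AWS wording quoted above literally: a hyphen plus any six characters at the end of the name), and the sample references are all constructed for this example; the account id `XXXXXXXXXX` is the placeholder from the question.

```python
import re

# Per the AWS note quoted above, a secret name that ends in "-" followed by
# exactly six characters is indistinguishable from "name-<random suffix>", so
# referencing it by partial ARN (without the suffix) fails the lookup.
# The pattern mirrors the documentation wording; it is not an AWS-published regex.
SUFFIX_LIKE = re.compile(r"-.{6}$")

# Constructed sample input: the reference from the question plus a few variants.
SAMPLE_REFS = [
    "arn:aws:secretsmanager:us-east-2:XXXXXXXXXX:secret:br-dev/manual-created/test-secret",
    "arn:aws:secretsmanager:us-east-2:XXXXXXXXXX:secret:br-dev/manual-created/test-secret-key",
    "br-dev/manual-created/db-creds",
    "br-dev/manual-created/db-string",
]


def secret_name_from_arn(ref: str) -> str:
    """Return the secret name part of a Secrets Manager ARN, or the bare name if no ARN was given."""
    marker = ":secret:"
    if marker in ref:
        return ref.split(marker, 1)[1]
    return ref


def looks_like_suffixed(ref: str) -> bool:
    """True when the secret name ends in a hyphen followed by exactly six characters."""
    return SUFFIX_LIKE.search(secret_name_from_arn(ref)) is not None


def check_secret_refs(refs):
    """Return {ref: reason} for every reference whose partial-ARN lookup is likely to fail.

    Only references you intend to use WITHOUT the random suffix should be passed in;
    a full ARN that legitimately ends in its six-character suffix will also match.
    """
    findings = {}
    for ref in refs:
        if looks_like_suffixed(ref):
            name = secret_name_from_arn(ref)
            findings[ref] = (
                f"secret name {name!r} ends with '-' plus six characters; "
                "Secrets Manager may treat it as a full ARN and report it not found. "
                "Rename the secret or pass the full ARN including the random suffix."
            )
    return findings


if __name__ == "__main__":
    for ref, reason in check_secret_refs(SAMPLE_REFS).items():
        print(f"{ref}\n  -> {reason}")
```

Running it flags `test-secret` and `db-string` (six characters after the last hyphen) and passes `test-secret-key` and `db-creds`. The practical takeaways match the reply: either rename the secret so the final segment is not exactly six characters, or keep the name and pass the full ARN with its suffix in `secrets_access`.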