Warning: Available Write-only Attribute Alternative

[MattiaEffendi]

Description

Terraform v1.11.0 introduced the concept of write-only attributes, documented here. When creating a secret with a secret_string attribute set, the AWS provider now complains that "Available Write-only Attribute Alternative" is present, suggesting instead to use the secret_string_wo attribute.

│ Warning: Available Write-only Attribute Alternative
│ 
│   with module.secrets.aws_secretsmanager_secret_version.ignore_changes,
│   on .terraform/modules/secrets/main.tf line 105, in resource "aws_secretsmanager_secret_version" "ignore_changes":
│  105:   secret_string  = var.create_random_password ? random_password.this[0].result : var.secret_string
│ 
│ The attribute secret_string has a write-only alternative secret_string_wo
│ available. Use the write-only alternative of the attribute when possible.

• [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]: 1.3.1

• Terraform version: v1.11.0

Terraform v1.11.0
on darwin_arm64

• Provider version(s):

+ provider registry.terraform.io/hashicorp/aws v5.88.0
+ provider registry.terraform.io/hashicorp/random v3.7.1
+ provider registry.terraform.io/hashicorp/tfe v0.60.1

Reproduction Code [Required]

module "secrets" {
  source  = "terraform-aws-modules/secrets-manager/aws"
  version = "1.3.1"

  name                    = "foo-secret"
  description             = "foo"

  create_policy          = false
  create_random_password = false

  secret_string = jsonencode({ foo = "bar" })
}

Steps to reproduce the behavior:

• Create a secret setting the secret_string attribute using Terraform 1.11.0
• Run terraform plan
• A warning is thrown suggesting to use the secret_string_wo writeonly parameter

Expected behavior

• terraform plan does not throw any warnings

Actual behavior

• A warning is shown suggesting to use the writeonly parameter

Terminal Output

│ Warning: Available Write-only Attribute Alternative
│ 
│   with module.secrets.aws_secretsmanager_secret_version.ignore_changes,
│   on .terraform/modules/secrets/main.tf line 105, in resource "aws_secretsmanager_secret_version" "ignore_changes":
│  105:   secret_string  = var.create_random_password ? random_password.this[0].result : var.secret_string
│ 
│ The attribute secret_string has a write-only alternative secret_string_wo
│ available. Use the write-only alternative of the attribute when possible.

[estar-platform-team]

We are having a related issue on which we want to feed the module secret_string with an ephemeral value which are not supported. I believe supporting the write-only value i.e. secret_string_wo for the resource aws_secretsmanager_secret_version will allow us to do just that.

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[pawelpesz]

Still a valid issue.

[bryantbiggs]

can someone describe the workflow for using these new write-only attributes?

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[pawelpesz]

Remove stale.

[wilblack]

I am getting a similar error using Terraform v1.11.4

│ Warning: Failed to decode resource from state
│ 
│ Error decoding
│ "module.XXXXX.module.container_secrets[\"XXXXX\"].aws_secretsmanager_secret_version.ignore_changes[0]"
│ from prior state: unsupported attribute "has_secret_string_wo"

[antonbabenko]

This issue has been resolved in version 2.0.0 :tada:

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.