Interpolated Values in URL not Updated #89

Open
feigi opened this issue Oct 31, 2023 · 2 comments
feigi commented Oct 31, 2023

Hi again,

sorry to bother again, but I'm facing another issue that I can't explain. Let me prefix this by saying it may very well be my Terraform code but I don't see the issue.

I have the following Terraform module:

```hcl
locals {
  master_secret = jsondecode(data.aws_secretsmanager_secret_version.db_master_secret.secret_string)
  master_user   = local.master_secret["username"]
  master_pass   = local.master_secret["password"]

  dev_url = "docker://postgres/15-alpine/dev"
  url     = "postgres://${local.master_user}:${urlencode(local.master_pass)}@${module.db_tunnel.host}:${module.db_tunnel.port}/${var.db_name}?sslmode=disable&search_path=public"
}

data "aws_secretsmanager_secret" "db_master_secret" {
  arn = var.db_master_secret_arn
}

// Fetches the latest version (AWSCURRENT) by default
data "aws_secretsmanager_secret_version" "db_master_secret" {
  secret_id = data.aws_secretsmanager_secret.db_master_secret.id
}

data "atlas_migration" "this" {
  dir = "${var.migrations_folder}?format=atlas"
  url = local.url

  depends_on = [data.aws_secretsmanager_secret_version.db_master_secret]
}

resource "atlas_migration" "this" {
  dir     = "${var.migrations_folder}?format=atlas"
  version = data.atlas_migration.this.latest # Use latest to run all migrations
  url     = local.url
  dev_url = local.dev_url

  depends_on = [data.aws_secretsmanager_secret_version.db_master_secret]
}
```

As you can see, I pull in the db user name and password via `data "aws_secretsmanager_secret_version"`, parse it in `locals` and then use the values to build the url. Because I use the output of `data "aws_secretsmanager_secret_version"` only in `locals` and therefore won't have a direct dependency from `atlas_migration` to `data "aws_secretsmanager_secret_version"`, I also added a `depends_on` in the `atlas_migration` resources. Unfortunately, it looks to me like when the password changes in Secrets Manager (it rotates every 7 days), the url being used by `atlas_migration` does not update, respectively it uses the old one and fails with an authentication error. Removing the state of `atlas_migration` via `terraform state rm atlas_migration.this` fixes it. Deleting the `data "aws_secretsmanager_secret_version"` was not needed.


feigi commented Nov 2, 2023

P.S. this is probably also the reason why using random ports for the DB doesn't work. I connect via port forwarding, so I'd prefer using a random unused local port instead of a fixed one.


feigi commented Dec 7, 2023

Hey! Just an FYI: so far I work around this by removing the state for `atlas_migration.this` before every apply.
