
AWS: Switching a secret from created to imported causes a runtime error #656

jyecusch opened this issue Aug 2, 2024 · 0 comments
Labels: bug (Something isn't working)
jyecusch commented Aug 2, 2024

Bug Report

Issue

When a previously deployed nitric AWS stack, which includes a secret, changes the secret to be an imported secret, an error occurs due to duplicate resource name resolution.

The cause is that the original secret is deleted and replaced with the imported secret. However, AWS Secrets Manager doesn't immediately delete secrets; instead, they are soft deleted and removed after a number of days. In the meantime both secrets exist, tagged with the same nitric name. This causes the nitric runtime code to fail to uniquely identify which is the correct secret to use.

This issue can be confirmed by looking at the Secrets Manager dashboard, which will only show the imported secret:

Secrets Manager view

However, viewing the resource group for the stack will show both the imported secret and the soft deleted secret:

resource group view

Steps

Steps to reproduce the behavior:

  1. Create a new nitric project
  2. Add a secret to the project (e.g.)
     (image: code example which includes a secret definition)
  3. Create a new AWS stack
  4. Deploy the stack
  5. Create a secret manually in AWS Secrets Manager
  6. Update the stack file to import the manually created secret (using the name for the existing secret in the application code)
     (image: stack file showing the added import config)
  7. Redeploy the stack

If the stack hasn't been deployed previously, imports won't cause an issue.

Expected

The soft deleted secret should be untagged or otherwise identified so that it isn't returned when attempting to resolve resource names.

Workaround

When redeploying a stack with an existing secret that is being replaced by an imported secret, rename the secret in the code (and stack file) before redeploying. This ensures the newly imported secret's name won't conflict with the soft deleted secret.

Eventually the soft deleted secret will be deleted and the issue will resolve on its own.
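One defensive way for a runtime to handle the duplicate described above, as an added example that is not nitric's own code: filter candidates on Secrets Manager's DeletedDate field, which ListSecrets and DescribeSecret populate for soft-deleted secrets (ListSecrets only returns such entries when IncludePlannedDeletion is set), and fail loudly when more than one live secret still matches. The tag key and the sample entries are assumptions.

```go
// Added example (not nitric's own code): resolve a nitric secret by tag, skipping soft-deleted entries.
package main

import (
	"errors"
	"time"
)

// SecretEntry mirrors the ListSecrets fields that matter here; a non-nil
// DeletedDate means the secret is scheduled for deletion (soft deleted).
type SecretEntry struct {
	Name        string
	Tags        map[string]string
	DeletedDate *time.Time
}

const tagKey = "x-nitric-name" // hypothetical tag key holding the nitric resource name

var ErrNotFound = errors.New("no live secret matches the nitric name")
var ErrAmbiguous = errors.New("multiple live secrets match the nitric name")

// ResolveSecret returns the one live secret tagged with nitricName. Entries in their
// deletion recovery window are skipped, so a replaced secret cannot shadow its import.
func ResolveSecret(entries []SecretEntry, nitricName string) (SecretEntry, error) {
	var live []SecretEntry
	for _, e := range entries {
		if e.Tags[tagKey] == nitricName && e.DeletedDate == nil {
			live = append(live, e)
		}
	}
	switch len(live) {
	case 0:
		return SecretEntry{}, ErrNotFound
	case 1:
		return live[0], nil
	default:
		return SecretEntry{}, ErrAmbiguous
	}
}

// sampleEntries is constructed data: the original secret (soft deleted by the
// redeploy) and the imported replacement both carry the same nitric tag.
func sampleEntries() []SecretEntry {
	deleted := time.Date(2024, 8, 2, 0, 0, 0, 0, time.UTC)
	tags := map[string]string{tagKey: "api-key"}
	return []SecretEntry{
		{Name: "original", Tags: tags, DeletedDate: &deleted},
		{Name: "imported", Tags: tags},
	}
}
```

With the DeletedDate check in place the soft-deleted original is ignored and only the imported secret resolves; removing the check reproduces the ambiguity the issue reports.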
