Implement Pushsecrets `updatePolicy: IfNotExists` for AWS Secrets Manager

[ricosega]

Describe the bug
Just tried to push a secret and did not work. v0.9.15-2

To Reproduce

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: postgresql
  namespace: controlplane
spec:
  updatePolicy: IfNotExists
  deletionPolicy: Delete
  refreshInterval: 168h
  secretStoreRefs:
    - name: default
      kind: ClusterSecretStore
  selector:
    secret:
      name: postgresql
  data:
    - match:
        remoteRef:
          remoteKey: controlplane/postgresql-smg

Expected behavior
The secret to be pushed

Screenshots
{"level":"error","ts":1713276193.4958684,"msg":"Reconciler error","controller":"pushsecret","controllerGroup":"external-secrets.io","controllerKind":"PushSecret","PushSecret":{"name":"postgresql","namespace":"controlplane"},"namespace":"controlplane","name":"postgresql","reconcileID":"8012f29d-4fe7-4c13-a811-d08d54b51574","error":"could not verify if secret exists in store: not implemented","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).proc essNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/internal/controller/controller.go:227"} {"level":"info","ts":1713276208.7876587,"logger":"provider.aws","msg":"using aws session","region":"eu-west-1","external id":"","credentials":null}

[ricosega]

Jus tried with SecretStore instead of ClusterSecretStore and got the same error:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secretsmanager
  namespace: controlplane
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
---
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: postgresql
  namespace: controlplane
spec:
  updatePolicy: IfNotExists
  deletionPolicy: Delete
  refreshInterval: 168h
  secretStoreRefs:
    - name: aws-secretsmanager
      kind: SecretStore
  selector:
    secret:
      name: postgresql
  data:
    - match:
        remoteRef:
          remoteKey: controlplane/postgresql-smg

│ {"level":"error","ts":1713278342.1391892,"msg":"Reconciler error","controller":"pushsecret","controllerGroup":"external-secrets.io","controllerKind":"PushSecret","PushSecret":{"name":"postgresql","namespace":"controlplane"},"namespace":"controlplane","name":"postgresql","reconcileID":"31091df3-9a45-4696-a43d-6bd2b4ef8c6f","error":"could │
│  not verify if secret exists in store: not implemented","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).proc │
│ essNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/internal/controller/controller.go:227"}

[Skarlso]

updatePolicy: IfNotExists -> this is not yet available for some stores. Please remove it. It should work after that.

[gusfcarvalho]

updated issue name and type appropriately :)

[ppatel1604]

@gusfcarvalho I have made an attempt to implement this for the secret store. I did test the change locally and works fine when a secret is pushed however pushing the whole secret is still not implemented so that won't work.

I also need to check if similar implementation should be done for the aws parameter store?

[gusfcarvalho]

@gusfcarvalho I have made an attempt to implement this for the secret store. I did test the change locally and works fine when a secret is pushed however pushing the whole secret is still not implemented so that won't work.

I also need to check if similar implementation should be done for the aws parameter store?

Having only AWS SM is fine