PuseSecret in AWS SecretManager enforces UUID format

[kalampakas]

Describe the bug
The AWS Secret Manager enforces a UUID and that clashes with secrets created with terraform-aws-provider

To Reproduce
Steps to reproduce the behavior:

1. Create a secret using the terraform AWS provider - or manually create a secret with a VersionId that's a valid random string
2. Try to PushSecret using the previously created secret to bump the version and the value

Expected behavior
The secret version in AWS SSM is bumped with a new value.

Screenshots
Instead, we get an error like:
set secret failed: could not write remote ref token to target secretstore external-secrets: expected secret version in AWS SSM to be a UUID but got 'terraform-20250627043834191900000095'

Additional context
The issue is created because

external-secrets/pkg/provider/aws/secretsmanager/secretsmanager.go

Line 271 in 0c8bff8

oldVersion, ok := n.SetString(strings.ReplaceAll(*id, "-", ""), 16)

while terraform-aws-provider uses https://pkg.go.dev/github.com/hashicorp/terraform-plugin-sdk/v2@v2.37.0/helper/id#UniqueId for the secret's VersionID . We have a use case where a secret is created in terraform but updated via the operator. We hadn't updated the particular use case to use a latest operator, otherwise we'd notice sooner, but the fact remains that the AWS API doesn't specify a UUID , but rather simply a string - a UUID is just typically used as a semantic version ID - https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html#API_GetSecretValue_RequestSyntax

[Skarlso]

You're right. This requires a bit of fiddling as I can see that the version is being increased automatically. Probably that's why it's a UUID. Ugh.

[gusfcarvalho]

hi @kalampakas . Is this happening on which ESO version?

Please, be sure to reproduce this at least on version 0.18.0 as we had merged a major AWS SDK refactor in it.

[kalampakas]

hi @kalampakas . Is this happening on which ESO version?

Please, be sure to reproduce this at least on version 0.18.0 as we had merged a major AWS SDK refactor in it.

The relevant check is there since at least 0.9.5 or thereabouts, you can trace the line to something like September 26 2023. It's not related to the SDK, it's entirely because of an opinionated reading of the versionID.

[Skarlso]

Yah, sadly, this is a check on our side for whatever reason. Because it does a programmatic increment of that UUID on pushes.

[kalampakas]

Yah, sadly, this is a check on our side for whatever reason. Because it does a programmatic increment of that UUID on pushes.

Does it need to be monotonically increasing? What are the chances of a 256-bit ( 64 hex chars ) hash collision? Get the value and a timestamp , hash it.

[Skarlso]

I don't know, I didn't have the time to actually do a deepdive yet. I just checked quickly.