This error occurs when Terraform attempts to create an AWS Secrets Manager secret with a name that already exists or is marked for deletion. AWS keeps deleted secrets in a recovery window (default 30 days) during which the name cannot be reused.
AWS Secrets Manager prevents secret name reuse to protect against accidental overwrites. When you run 'terraform destroy' followed by 'terraform apply', the secret is not immediately deleted: it is marked for deletion and held for a recovery period. Attempting to create a secret with the same name during this period triggers a ResourceExistsException. This is a safety mechanism that guards against accidental data loss. The error can also occur if the secret was created manually in the AWS console or through another Terraform configuration, so that it exists in AWS but Terraform's state file does not know about it.
Use the AWS CLI to list all secrets including those marked for deletion:
aws secretsmanager list-secrets --include-planned-deletion --region us-east-1
Look for your secret name in the output. If it appears with a "DeletedDate" field, it is in the recovery period.
If the secret is in recovery and you want to recreate it, force-delete it without the recovery window:
aws secretsmanager delete-secret --secret-id YOUR_SECRET_NAME --force-delete-without-recovery --region us-east-1
This immediately removes the secret, allowing Terraform to create a new one with the same name.
Update your Terraform configuration to disable the recovery window for this secret:
resource "aws_secretsmanager_secret" "example" {
  name                    = "my-secret"
  recovery_window_in_days = 0
}
This setting forces immediate deletion without a recovery period, preventing this error in the future when you destroy and recreate the secret.
If the secret already exists in AWS but not in your Terraform state, import it:
terraform import aws_secretsmanager_secret.example arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-AbCdE
Replace the ARN with your actual secret ARN (available from the AWS console or the aws secretsmanager describe-secret command). This brings the existing resource under Terraform management.
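The diagnosis steps above (list secrets including planned deletions, check for a "DeletedDate" field, then either force-delete or import) can be scripted so the same decision is made every time. The following Python script is an added example, not code from the original article; it consumes the JSON that aws secretsmanager list-secrets --include-planned-deletion prints and maps the result to the remediation command. The sample output, account id 111111111111 and ARN suffixes are constructed for illustration and are not real account data; the Terraform address and region are parameters you supply.

```python
"""Triage a Secrets Manager ResourceExistsException from the JSON output of
`aws secretsmanager list-secrets --include-planned-deletion`.
Added example; the sample data below is constructed, not from a real account."""
import json
import sys

# Constructed stand-in for the CLI's JSON output: one live secret and one
# that is inside its recovery window (signalled by the DeletedDate field).
SAMPLE_LIST_SECRETS = json.dumps({
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:111111111111:secret:app/db-password-Ab12Cd",
            "Name": "app/db-password",
            "LastChangedDate": "2024-05-01T10:00:00+00:00",
        },
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:111111111111:secret:app/api-key-Ef34Gh",
            "Name": "app/api-key",
            "DeletedDate": "2024-05-10T08:30:00+00:00",
        },
    ]
})


def find_secret(list_secrets_output: str, name: str):
    """Return the SecretList entry whose Name matches exactly, or None.
    Names are matched exactly because Secrets Manager treats them that way."""
    for entry in json.loads(list_secrets_output).get("SecretList", []):
        if entry.get("Name") == name:
            return entry
    return None


def classify(list_secrets_output: str, name: str) -> str:
    """Classify the secret name as the article's troubleshooting steps do:
    'absent'  - no secret by that name in this account/region
    'pending' - deleted but still inside the recovery window (DeletedDate set)
    'active'  - live secret that Terraform's state does not know about"""
    entry = find_secret(list_secrets_output, name)
    if entry is None:
        return "absent"
    if "DeletedDate" in entry:
        return "pending"
    return "active"


def suggest_commands(list_secrets_output: str, name: str,
                     tf_address: str, region: str) -> list:
    """Map the classification to the remediation command from the article.
    tf_address is the Terraform resource address to import into (assumed,
    e.g. aws_secretsmanager_secret.example); region is the AWS region."""
    state = classify(list_secrets_output, name)
    if state == "pending":
        # Force-delete skips the recovery window so the name frees up now;
        # the secret is unrecoverable afterwards.
        return [f"aws secretsmanager delete-secret --secret-id {name} "
                f"--force-delete-without-recovery --region {region}"]
    if state == "active":
        # Existing live secret: bring it under Terraform management instead.
        arn = find_secret(list_secrets_output, name)["ARN"]
        return [f"terraform import {tf_address} {arn}"]
    return []  # absent: the conflict is elsewhere (other region or account)


if __name__ == "__main__":
    # Usage: python triage.py SECRET_NAME [TF_ADDRESS] [REGION] < list-secrets.json
    # Without stdin data, the constructed sample is used.
    name = sys.argv[1] if len(sys.argv) > 1 else "app/api-key"
    address = sys.argv[2] if len(sys.argv) > 2 else "aws_secretsmanager_secret.example"
    region = sys.argv[3] if len(sys.argv) > 3 else "us-east-1"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_SECRETS
    print(f"{name}: {classify(data, name)}")
    for cmd in suggest_commands(data, name, address, region):
        print(cmd)
```

Pipe the real CLI output into the script (aws secretsmanager list-secrets --include-planned-deletion --region us-east-1 | python triage.py my-secret) and it prints the classification and the matching command; it never runs the command itself, so the force-delete remains a deliberate, reviewed step.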
For secrets that need to be recreated frequently, consider using name_prefix instead of hardcoding name:
resource "aws_secretsmanager_secret" "example" {
  name_prefix = "my-secret-"
}
Terraform will generate unique names like "my-secret-abc123xyz", avoiding conflicts with pending-deletion secrets.
AWS Secrets Manager enforces name uniqueness at the account and region level. The default recovery window is 30 days, but you can configure it between 7 and 30 days or set it to 0 for immediate deletion. In production environments, be cautious with recovery_window_in_days = 0, as it prevents recovery of accidentally deleted secrets. Consider using separate AWS accounts or regions for different environments to isolate secrets and avoid conflicts. For CI/CD pipelines, ensure only one deployment process manages each secret to prevent race conditions.