[Sanctuary] Old secret versions are not disabled/destroyed
👓 What did you see?
It was noticed while working on https://gitlab.developers.cam.ac.uk/uis/devops/devhub/gitlab-deploy/-/issues/425 that, although sanctuary prints the line
[info ] Destroying previous versions of secret name=...
all secret versions stay enabled:
✅ What did you expect to see?
Latest version - enabled, previous versions destroyed
💻 Where does this happen?
Examples:
(same behaviour in gitlab prod project)
🔬 How do I recreate this?
The problem was noticed in the gitlab-deploy repository, where we use sanctuary to sync secrets between 1Password and Google Secret Manager.
Steps:
- Sanctuary config (example), in `.logan.yaml`:

  ```yaml
  sanctuary:
    secrets:
      somename:
        from:
          op-cli-item:
            item-id: ITEM_ID
            use_field_labels: true
            fields:
              - FIELD_1
              - FIELD_2
  ```

- With this config in `.logan.yaml`, run `sanctuary sync --verbose`. In the log you will see sanctuary print that it destroys the previous versions.
- Open the Google Cloud console and check that all versions are still "enabled".
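A scripted version of the last step, as an added example that is not part of this issue or of sanctuary: it takes the JSON printed by `gcloud secrets versions list SECRET --format=json` (each entry has a `name` ending in `.../versions/N` and a `state` such as `ENABLED`, `DISABLED` or `DESTROYED`) and reports every version whose state differs from what the sync is expected to leave behind. The sample input is constructed to mirror the report.

```python
"""Check that a Google Secret Manager secret has only its latest version enabled.

Added example, not code from the issue or from sanctuary. Input is the JSON that
`gcloud secrets versions list SECRET --format=json` prints: a list of objects with
a "name" ending in ".../versions/N" and a "state" (ENABLED, DISABLED, DESTROYED).
"""
import json


def version_number(name: str) -> int:
    # "projects/p/secrets/s/versions/7" -> 7
    return int(name.rsplit("/", 1)[1])


def check_versions(versions_json: str) -> list[str]:
    """Return a list of problems. An empty list means the expected state holds:
    the latest version is ENABLED and every older version is DESTROYED."""
    versions = json.loads(versions_json)
    if not versions:
        return ["secret has no versions"]
    by_number = {version_number(v["name"]): v["state"] for v in versions}
    latest = max(by_number)
    problems = []
    if by_number[latest] != "ENABLED":
        problems.append(
            f"latest version {latest} is {by_number[latest]}, expected ENABLED"
        )
    for number, state in sorted(by_number.items()):
        if number != latest and state != "DESTROYED":
            problems.append(
                f"old version {number} is still {state}, expected DESTROYED"
            )
    return problems


# Constructed sample: sync ran three times and nothing was destroyed,
# which is the behaviour described in the report.
SAMPLE = json.dumps([
    {"name": "projects/p/secrets/somename/versions/1", "state": "ENABLED"},
    {"name": "projects/p/secrets/somename/versions/2", "state": "ENABLED"},
    {"name": "projects/p/secrets/somename/versions/3", "state": "ENABLED"},
])

if __name__ == "__main__":
    for line in check_versions(SAMPLE) or ["ok: only the latest version is enabled"]:
        print(line)
```

Pipe real output in with `gcloud secrets versions list somename --format=json | python3 check.py` after replacing `SAMPLE` with `sys.stdin.read()`.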