secretsmanager: add tag/untag resource handling for deleted secrets (#13662)

shubhiscoding · web-flow · commit 13ed4877f769 · 2026-02-05T13:32:09.000+05:30
diff --git a/localstack-core/localstack/services/secretsmanager/provider.py b/localstack-core/localstack/services/secretsmanager/provider.py
@@ -614,6 +614,32 @@ def backend_update_secret(
     return json.dumps(resp)
 
 
+@patch(SecretsManagerBackend.tag_resource)
+def backend_tag_resource(fn, self, secret_id, tags):
+    if secret_id not in self.secrets:
+        raise SecretNotFoundException()
+
+    if self.secrets[secret_id].is_deleted():
+        raise InvalidRequestException(
+            "You can't perform this operation on the secret because it was marked for deletion."
+        )
+
+    return fn(self, secret_id, tags)
+
+
+@patch(SecretsManagerBackend.untag_resource)
+def backend_untag_resource(fn, self, secret_id, tag_keys):
+    if secret_id not in self.secrets:
+        raise SecretNotFoundException()
+
+    if self.secrets[secret_id].is_deleted():
+        raise InvalidRequestException(
+            "You can't perform this operation on the secret because it was marked for deletion."
+        )
+
+    return fn(self, secret_id, tag_keys)
+
+
 @patch(SecretsManagerResponse.update_secret, pass_target=False)
 def response_update_secret(self):
     secret_id = self._get_param("SecretId")
diff --git a/tests/aws/services/secretsmanager/test_secretsmanager.py b/tests/aws/services/secretsmanager/test_secretsmanager.py
@@ -2458,6 +2458,39 @@ def test_secret_tags(self, aws_client, create_secret, sm_snapshot, cleanups):
         describe_secret_6 = aws_client.secretsmanager.describe_secret(SecretId=secret_arn)
         sm_snapshot.match("describe_secret_6", describe_secret_6)
 
+    @markers.aws.validated
+    def test_tag_untag_resource_on_deleted_secret(self, aws_client, create_secret, sm_snapshot):
+        """Test that tagging/untagging a secret marked for deletion raises InvalidRequestException."""
+        secret_name = short_uid()
+        response = create_secret(
+            Name=secret_name,
+            SecretString="test-secret-value",
+            Tags=[{"Key": "initial-tag", "Value": "initial-value"}],
+        )
+
+        sm_snapshot.add_transformers_list(
+            sm_snapshot.transform.secretsmanager_secret_id_arn(response, 0)
+        )
+        sm_snapshot.match("create_secret", response)
+
+        secret_arn = response["ARN"]
+
+        # Delete the secret (marks for deletion with recovery window)
+        delete_response = aws_client.secretsmanager.delete_secret(SecretId=secret_arn)
+        sm_snapshot.match("delete_secret", delete_response)
+
+        # Attempting to tag a deleted secret should raise InvalidRequestException
+        with pytest.raises(ClientError) as exc_tag:
+            aws_client.secretsmanager.tag_resource(
+                SecretId=secret_arn, Tags=[{"Key": "new-tag", "Value": "new-value"}]
+            )
+        sm_snapshot.match("tag_deleted_secret_error", exc_tag.value.response)
+
+        # Attempting to untag a deleted secret should raise InvalidRequestException
+        with pytest.raises(ClientError) as exc_untag:
+            aws_client.secretsmanager.untag_resource(SecretId=secret_arn, TagKeys=["initial-tag"])
+        sm_snapshot.match("untag_deleted_secret_error", exc_untag.value.response)
+
     @markers.aws.validated
     def test_get_secret_value_errors(self, aws_client, create_secret, sm_snapshot):
         secret_name = short_uid()
diff --git a/tests/aws/services/secretsmanager/test_secretsmanager.snapshot.json b/tests/aws/services/secretsmanager/test_secretsmanager.snapshot.json
@@ -4761,5 +4761,50 @@
         }
       }
     }
+  },
+  "tests/aws/services/secretsmanager/test_secretsmanager.py::TestSecretsManager::test_tag_untag_resource_on_deleted_secret": {
+    "recorded-date": "29-01-2026, 22:02:37",
+    "recorded-content": {
+      "create_secret": {
+        "ARN": "arn:<partition>:secretsmanager:<region>:111111111111:secret:<SecretId-0idx><ArnPart-0idx>",
+        "Name": "<SecretId-0idx>",
+        "VersionId": "<version_uuid:1>",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      },
+      "delete_secret": {
+        "ARN": "arn:<partition>:secretsmanager:<region>:111111111111:secret:<SecretId-0idx><ArnPart-0idx>",
+        "DeletionDate": "datetime",
+        "Name": "<SecretId-0idx>",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      },
+      "tag_deleted_secret_error": {
+        "Error": {
+          "Code": "InvalidRequestException",
+          "Message": "You can't perform this operation on the secret because it was marked for deletion."
+        },
+        "Message": "You can't perform this operation on the secret because it was marked for deletion.",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 400
+        }
+      },
+      "untag_deleted_secret_error": {
+        "Error": {
+          "Code": "InvalidRequestException",
+          "Message": "You can't perform this operation on the secret because it was marked for deletion."
+        },
+        "Message": "You can't perform this operation on the secret because it was marked for deletion.",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 400
+        }
+      }
+    }
   }
 }
diff --git a/tests/aws/services/secretsmanager/test_secretsmanager.validation.json b/tests/aws/services/secretsmanager/test_secretsmanager.validation.json
@@ -134,6 +134,15 @@
   "tests/aws/services/secretsmanager/test_secretsmanager.py::TestSecretsManager::test_secret_version_not_found": {
     "last_validated_date": "2024-06-13T08:04:35+00:00"
   },
+  "tests/aws/services/secretsmanager/test_secretsmanager.py::TestSecretsManager::test_tag_untag_resource_on_deleted_secret": {
+    "last_validated_date": "2026-01-29T22:02:38+00:00",
+    "durations_in_seconds": {
+      "setup": 0.79,
+      "call": 1.51,
+      "teardown": 0.23,
+      "total": 2.53
+    }
+  },
   "tests/aws/services/secretsmanager/test_secretsmanager.py::TestSecretsManager::test_update_secret_description": {
     "last_validated_date": "2024-03-15T08:12:49+00:00"
   },
