From bd8aa341f22a3ffe8f41a86468538ec5835137ef Mon Sep 17 00:00:00 2001 From: Chris Kilding Date: Thu, 18 Apr 2019 16:47:15 +0100 Subject: [PATCH] Also throw exception if client tries to RotateSecret on a soft-deleted secret --- moto/secretsmanager/models.py | 8 +++++++- tests/test_secretsmanager/test_secretsmanager.py | 16 +++++++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/moto/secretsmanager/models.py b/moto/secretsmanager/models.py index c272957ad..af8846a66 100644 --- a/moto/secretsmanager/models.py +++ b/moto/secretsmanager/models.py @@ -49,7 +49,7 @@ class SecretsManagerBackend(BaseBackend): if 'deleted_date' in self.secrets[secret_id]: raise InvalidRequestException( - "An error occurred (InvalidRequestException) when calling the DeleteSecret operation: You tried to \ + "An error occurred (InvalidRequestException) when calling the GetSecretValue operation: You tried to \ perform the operation on a secret that's currently marked deleted." ) @@ -127,6 +127,12 @@ class SecretsManagerBackend(BaseBackend): if not self._is_valid_identifier(secret_id): raise ResourceNotFoundException + if 'deleted_date' in self.secrets[secret_id]: + raise InvalidRequestException( + "An error occurred (InvalidRequestException) when calling the RotateSecret operation: You tried to \ + perform the operation on a secret that's currently marked deleted." + ) + if client_request_token: token_length = len(client_request_token) if token_length < 32 or token_length > 64: diff --git a/tests/test_secretsmanager/test_secretsmanager.py b/tests/test_secretsmanager/test_secretsmanager.py index 7ce8788e2..48cce5077 100644 --- a/tests/test_secretsmanager/test_secretsmanager.py +++ b/tests/test_secretsmanager/test_secretsmanager.py 
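Review bot: The corrected message in the GetSecretValue check is still one string literal split with a backslash, so any indentation in front of `perform the operation on a secret that's currently marked deleted."` on the continuation line becomes part of the text sent to the client. The same construct is copied into the RotateSecret check added in the next hunk. Adjacent literals avoid it: end the first with `operation: You tried to "` and start the next line with `"perform the operation on a secret that's currently marked deleted."`. Separately, botocore normally builds the `An error occurred (...) when calling the ... operation:` prefix itself when it raises a ClientError, so hard-coding it in the server-side message probably shows the prefix twice to the caller; worth comparing with a real response. The enclosing method starts and ends outside the hunk.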
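Review bot: The soft-delete guard added to the rotate path duplicates the one in the GetSecretValue path, differing only in the operation name. The wrong `DeleteSecret` name fixed in the previous hunk looks like the result of that kind of copying. A private helper that takes the operation name would keep the two messages in step and reduce the guard to a one-line call; whether other operations also need it is not visible here. The guard indexes `self.secrets[secret_id]` directly, which presumably relies on the `_is_valid_identifier` check above it, so the call has to stay below that check. The method body continues outside the hunk.

```python
def _raise_if_marked_deleted(self, secret_id, operation):
    # A secret marked deleted still has an entry in self.secrets, so each
    # operation has to refuse it explicitly.
    if 'deleted_date' in self.secrets[secret_id]:
        raise InvalidRequestException(
            "An error occurred (InvalidRequestException) when calling the "
            "{0} operation: You tried to perform the operation on a secret "
            "that's currently marked deleted.".format(operation)
        )

# ... unchanged: _is_valid_identifier check in rotate_secret ...
self._raise_if_marked_deleted(secret_id, 'RotateSecret')
```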
@@ -43,7 +43,7 @@ def test_get_secret_value_that_is_marked_deleted(): conn.create_secret(Name='test-secret', SecretString='foosecret') - deleted_secret = conn.delete_secret(SecretId='test-secret') + conn.delete_secret(SecretId='test-secret') with assert_raises(ClientError): result = conn.get_secret_value(SecretId='test-secret') @@ -380,6 +380,20 @@ def test_rotate_secret_enable_rotation(): assert rotated_description['RotationEnabled'] is True assert rotated_description['RotationRules']['AutomaticallyAfterDays'] == 42 + +@mock_secretsmanager +def test_rotate_secret_that_is_marked_deleted(): + conn = boto3.client('secretsmanager', region_name='us-west-2') + + conn.create_secret(Name='test-secret', + SecretString='foosecret') + + conn.delete_secret(SecretId='test-secret') + + with assert_raises(ClientError): + result = conn.rotate_secret(SecretId='test-secret') + + @mock_secretsmanager def test_rotate_secret_that_does_not_exist(): conn = boto3.client('secretsmanager', 'us-west-2')
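Review bot: `test_rotate_secret_that_is_marked_deleted` accepts any `ClientError`, so it would still pass if rotation of a deleted secret failed for another reason, such as a not-found error, and it does not pin the behaviour this commit adds. Capture the exception with `with assert_raises(ClientError) as cm:` and then check `assert cm.exception.response['Error']['Code'] == 'InvalidRequestException'`. The `result =` assignment inside the `with` block is never read and can be dropped, as the first hunk of this file already does for `deleted_secret`. The same loose assertion appears in `test_get_secret_value_that_is_marked_deleted`, whose body is only partly visible here.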