terraform-provider-aws: KMS doesn't work with newest version of provider

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

0.14.7

Affected Resource(s)

  • aws_kms_key

Terraform Configuration Files

Tested with the AWS provider versions below:

  • 3.49 - works
  • 3.53 - does not work
  • 3.54 - does not work

Debug Output

Panic Output

Expected Behavior

aws_iam_policy.kms: Creation complete after 1s [id=arn:aws:iam::.....]

Actual Behavior

Error: error waiting for KMS Key (...) policy propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 2m0s)

  on kms.tf line 1, in resource "aws_kms_key" "tg":

   1: resource "aws_kms_key" "tg" {

Steps to Reproduce

  1. terraform apply

Important Factoids

References

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Reactions: 18
  • Comments: 20

Most upvoted comments

Heya @oaksenov

Opened #21225 to continue the discussion.

I’m also still seeing this error in 3.60

I’m still seeing this error with 3.59.0. (Terraform 1.0.2).

error waiting for KMS Key (...) policy propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 5m0s)

We should probably open a new issue, as this issue is closed and I doubt anybody is paying attention to the chat in closed issues.

Still seeing this error in 3.61.

Issue was:

  • Creating key w/ inline policy with two statements (one for account lockout and one for XYZ)
  • Ran the plan twice with same errors as above.

Tried removing the second statement in the policy (leaving just the account lockout statement) and it created the key w/ policy.

Tried making an update to the policy by adding second statement back but apply operation fails to complete successfully, same errors as above.

I am also seeing the same… I had to go back to 3.52 again.

Also 3.58.0 is affected somehow in different combinations but not all the time. It seems that setting enable_key_rotation and providing tags causes a problem.

See test scenarios below:

Working 1 (description only)

resource "aws_kms_key" "this" {
  description = "Some description"
}

aws_kms_key.this: Creating...
aws_kms_key.this: Creation complete after 1s [id=777fcd30-dc0c-487a-a42e-b7b4c359e73e]

Working 2 (description AND tags)

resource "aws_kms_key" "this" {
  description = "Some description"
  tags =  {
    Name = "tf-provider-test"
  }
}

aws_kms_key.this: Creating...
aws_kms_key.this: Creation complete after 6s [id=bc64c1e8-630a-49ea-a030-17c1c1529688]

Working 3 (description, enable_key_rotation, NO tags)

resource "aws_kms_key" "this" {
  description = "Some description"
  enable_key_rotation = true
}

aws_kms_key.this: Creating...
aws_kms_key.this: Creation complete after 6s [id=f8f7726e-d15d-4767-a485-f69d7098accb]

Working 4 (description, enable_key_rotation, policy, NO tags)

resource "aws_kms_key" "this" {
  description = "Some description"
  enable_key_rotation = true
  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${var.account_id}:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
POLICY
}

aws_kms_key.this: Creating...
aws_kms_key.this: Creation complete after 10s [id=d6ba1227-66d2-4b71-85d4-eaecb566a712]

Not working 1 (description, enable_key_rotation and tags)

resource "aws_kms_key" "this" {
  description = "Some description"

  enable_key_rotation = true

  tags =  {
    Name = "tf-provider-test"
  }
}

aws_kms_key.this: Creating...
aws_kms_key.this: Still creating... [10s elapsed]
(...)
aws_kms_key.this: Still creating... [2m0s elapsed]
╷
│ Error: error waiting for KMS Key (c116ac55-ce22-4990-880c-45c2d3e3c990) tag propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 2m0s)
│
│   with aws_kms_key.this,
│   on eks copy.tf line 1, in resource "aws_kms_key" "this":
│    1: resource "aws_kms_key" "this" {

Not working 2 (description, enable_key_rotation, tags and policy):

resource "aws_kms_key" "this" {
  description = "Some description"

  enable_key_rotation = true

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${var.account_id}:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
POLICY

  tags =  {
    Name = "tf-provider-test"
  }
}

aws_kms_key.this: Creating...
aws_kms_key.this: Still creating... [10s elapsed]
(.......)
aws_kms_key.this: Still creating... [2m10s elapsed]
│ Error: error waiting for KMS Key (abe4656f-f887-4c5f-9cbc-b792e5026966) tag propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 2m0s)
│
│   with aws_kms_key.this,
│   on eks copy.tf line 1, in resource "aws_kms_key" "this":
│    1: resource "aws_kms_key" "this" {
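
When one of the timeouts above fires, the error already names a key ID, so the key exists and it is worth checking which of the intended policy, rotation and tag settings it actually carries. The following is an added example, not code from the issue or from the provider, and it does not reproduce the provider's waiter: it compares the intended `aws_kms_key` attributes with the JSON returned by `aws kms get-key-policy`, `aws kms get-key-rotation-status` and `aws kms list-resource-tags`. The function names, the account ID 111122223333 and the sample responses are constructed for illustration.

```python
import json

def _as_list(v):
    # IAM accepts a scalar or a list here; compare both forms as a sorted list.
    return sorted(v) if isinstance(v, list) else [v]

def canon_policy(policy_json):
    """Normalise a key policy so whitespace, ordering and scalar/list forms do not matter."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    canon = []
    for s in stmts if isinstance(stmts, list) else [stmts]:
        s = dict(s)
        for k in ("Action", "NotAction", "Resource", "NotResource"):
            if k in s:
                s[k] = _as_list(s[k])
        if isinstance(s.get("Principal"), dict):
            s["Principal"] = {t: _as_list(v) for t, v in s["Principal"].items()}
        canon.append(json.dumps(s, sort_keys=True))
    return doc.get("Version"), sorted(canon)

def key_drift(intended, policy_out, rotation_out, tags_out):
    """List the aws_kms_key attributes whose observed value differs from the intended one."""
    diffs = []
    if "policy" in intended and canon_policy(intended["policy"]) != canon_policy(policy_out["Policy"]):
        diffs.append("policy")
    if intended.get("enable_key_rotation", False) != rotation_out["KeyRotationEnabled"]:
        diffs.append("enable_key_rotation")
    seen = {t["TagKey"]: t["TagValue"] for t in tags_out.get("Tags", [])}
    if intended.get("tags", {}) != seen:
        diffs.append("tags")
    return diffs

# Constructed sample data: the "Not working 2" configuration, with a placeholder account ID.
INTENDED = {
    "enable_key_rotation": True,
    "tags": {"Name": "tf-provider-test"},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "Allow direct access to key metadata to the account", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*", "Resource": "*"}]}, indent=4),
}
# Constructed CLI responses: same policy in a different JSON form, rotation and tags not applied.
POLICY_OUT = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Sid": "Allow direct access to key metadata to the account",
    "Resource": ["*"], "Action": ["kms:*"],
    "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]}}})}
ROTATION_OUT, TAGS_OUT = {"KeyRotationEnabled": False}, {"Tags": [], "Truncated": False}
print(key_drift(INTENDED, POLICY_OUT, ROTATION_OUT, TAGS_OUT))
```

An empty list means the key matches the configuration; any attribute listed should be reviewed before the key is used or the apply is retried.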