terraform-provider-aws: KMS resource Key Policy propagation consistent fail

Terraform CLI and Terraform AWS Provider Version

Terraform Core: 1.0.5 AWS Provider: 3.62.0

Affected Resource(s)

  • aws_kms_key

Terraform Configuration Files

Same as per #20588 which isn’t resolved in latest provider.

Workaround is to roll back to 3.52 which allows to create a key with policy having multiple statements.

Note: providing a policy that is equivalent to the default (non lock out) policy will create successfully, when adding an additional statement, provisioning will fail.

There are new comments on #20588 that provide additional detail.

Thanks for helping resolve.

Expected Behavior

I should be able to create a CMK key with a custom policy.

Actual Behavior

Provisioning fails with failure to propagate key policy.

Steps to Reproduce

Create an aws_key_resource with the policy attribute set to a policy with multiple statements.

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Reactions: 22
  • Comments: 15 (3 by maintainers)

Most upvoted comments

I’m facing this issue but can’t downgrade to 3.52 because I need to use autoscaling_group_tag which has only been added in v3.56.0.

I attempted to debug the issue and in my case it was related to me using the following in my policy (note the boolean represented as an actual bool)

{
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": true
    }
  }
}

I debugged awspolicy.PoliciesAreEquivalent and found that the equals implementation fails, because the policy retrieved via the KMS APIs (the “theirs” side of the comparison) has kms:GrantIsForAWSResource set to "true" instead (boolean represented as string).

I changed my condition to the following:

{
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": "true"
    }
  }
}

and it seems to work now. Terraform was also continuously showing a diff before this change but I assumed this to be unrelated. Changing true to "true" has fixed this as well.

This might not be the cause in the case of @AshMenhennett but may be of help to others. Cheers

This is also occurring for me on hashicorp/aws v4.1

Same for me too on v3.74.3.

Still occurring for me

Thanks to @CrawX’s pointer, we also fixed our issue and now use hashicorp/aws v3.67.0. Here’s the summary: instead of using

    principals {
      identifiers = [data.aws_caller_identity.current.user_id]
      type        = "AWS"
    }

we now use

    principals {
      identifiers = [data.aws_caller_identity.current.arn]
      type        = "AWS"
    }

which allows us to avoid updates-in-place related to the principals block of our key policies like the one below.

~ Principal = {
        ~ AWS = "arn:aws:iam::***:user/foobar" -> "AY6MGURNFAFDLAID2CBNV"
}

So it looks like the validation between user_id and arn is either not working or does so after the 5m0s timeout.
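As an added illustration, not code from the issue, the provider, or any commenter, the Go program below shows the kind of normalization an equivalence check needs before comparing the policy Terraform sends with the policy KMS returns. It canonicalizes Condition values so that a JSON `true` and the string `"true"` compare equal (the mismatch @CrawX traced in awspolicy.PoliciesAreEquivalent), and it shows that the principal substitution from the comment above (an IAM user id in place of an ARN) still compares unequal, because those are genuinely different values that no normalization should paper over. `policiesEquivalent`, `normalizePolicy` and the sample documents are constructed for this example; the account id and user id in them are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
	"strconv"
)

// scalarString renders a decoded JSON scalar the way KMS hands it back:
// booleans and numbers inside a Condition come back as strings ("true", "1").
func scalarString(v interface{}) string {
	switch t := v.(type) {
	case string:
		return t
	case bool:
		return strconv.FormatBool(t)
	case float64:
		return strconv.FormatFloat(t, 'f', -1, 64)
	default:
		return fmt.Sprint(t)
	}
}

// toList wraps a scalar in a one-element slice; a slice is returned as is.
func toList(v interface{}) []interface{} {
	if l, ok := v.([]interface{}); ok {
		return l
	}
	return []interface{}{v}
}

// sortedStrings canonicalizes a scalar-or-list value into a sorted []string.
func sortedStrings(v interface{}) []string {
	out := make([]string, 0)
	for _, e := range toList(v) {
		out = append(out, scalarString(e))
	}
	sort.Strings(out)
	return out
}

// normalizePrincipal keeps the "*" wildcard as is and canonicalizes the
// {"AWS": ..., "Service": ...} object form to sorted string lists per key.
func normalizePrincipal(v interface{}) interface{} {
	m, ok := v.(map[string]interface{})
	if !ok {
		return scalarString(v)
	}
	out := map[string][]string{}
	for k, e := range m {
		out[k] = sortedStrings(e)
	}
	return out
}

// normalizeCondition maps operator -> key -> sorted string values, so
// {"Bool":{"kms:GrantIsForAWSResource":true}} and the "true" form coincide.
func normalizeCondition(v interface{}) map[string]map[string][]string {
	out := map[string]map[string][]string{}
	ops, ok := v.(map[string]interface{})
	if !ok {
		return out
	}
	for op, keys := range ops {
		out[op] = map[string][]string{}
		if km, ok := keys.(map[string]interface{}); ok {
			for key, val := range km {
				out[op][key] = sortedStrings(val)
			}
		}
	}
	return out
}

// normalizePolicy parses a policy document and rewrites every statement into
// the canonical shapes above; statement order is preserved.
func normalizePolicy(raw string) (map[string]interface{}, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return nil, err
	}
	stmts, ok := doc["Statement"]
	if !ok {
		return doc, nil
	}
	normalized := make([]interface{}, 0)
	for _, s := range toList(stmts) {
		sm, ok := s.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("statement is not a JSON object: %v", s)
		}
		ns := map[string]interface{}{}
		for k, v := range sm {
			switch k {
			case "Action", "NotAction", "Resource", "NotResource":
				ns[k] = sortedStrings(v)
			case "Principal", "NotPrincipal":
				ns[k] = normalizePrincipal(v)
			case "Condition":
				ns[k] = normalizeCondition(v)
			default:
				ns[k] = v // Sid, Effect and friends are compared verbatim
			}
		}
		normalized = append(normalized, ns)
	}
	doc["Statement"] = normalized
	return doc, nil
}

// policiesEquivalent is a stand-in for the provider's equivalence check (not
// that function): two documents are equal if their normalized forms are.
func policiesEquivalent(a, b string) (bool, error) {
	na, err := normalizePolicy(a)
	if err != nil {
		return false, err
	}
	nb, err := normalizePolicy(b)
	if err != nil {
		return false, err
	}
	return reflect.DeepEqual(na, nb), nil
}

// Constructed sample documents; account id and user id are placeholders.
const (
	// What the Terraform configuration sends: boolean condition, ARN principal.
	writtenPolicy = `{"Version":"2012-10-17","Statement":[{"Sid":"Grants","Effect":"Allow",
	  "Principal":{"AWS":"arn:aws:iam::111122223333:user/foobar"},
	  "Action":["kms:ListGrants","kms:CreateGrant"],"Resource":"*",
	  "Condition":{"Bool":{"kms:GrantIsForAWSResource":true}}}]}`
	// What KMS returns for it: string condition value, list-form Resource.
	returnedPolicy = `{"Version":"2012-10-17","Statement":[{"Sid":"Grants","Effect":"Allow",
	  "Principal":{"AWS":"arn:aws:iam::111122223333:user/foobar"},
	  "Action":["kms:CreateGrant","kms:ListGrants"],"Resource":["*"],
	  "Condition":{"Bool":{"kms:GrantIsForAWSResource":"true"}}}]}`
	// Same statement with a bare IAM user id instead of the ARN as principal.
	userIDPolicy = `{"Version":"2012-10-17","Statement":[{"Sid":"Grants","Effect":"Allow",
	  "Principal":{"AWS":"AIDAPLACEHOLDERUSERID"},
	  "Action":["kms:CreateGrant","kms:ListGrants"],"Resource":"*",
	  "Condition":{"Bool":{"kms:GrantIsForAWSResource":"true"}}}]}`
)

func main() {
	same, err := policiesEquivalent(writtenPolicy, returnedPolicy)
	fmt.Println("bool vs string condition equivalent:", same, err)
	same, err = policiesEquivalent(writtenPolicy, userIDPolicy)
	fmt.Println("ARN vs user id principal equivalent:", same, err)
}
```

The design point is that normalization is only for representation differences the service introduces (scalar vs list, boolean vs string); a differing principal is a real change, so the check correctly keeps reporting a diff, and the fix in that case is to write the principal as the ARN the service will store.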

Hey @CrawX,

That’s awesome to find a workaround AND use the new features. I also appreciate that you took the time to debug it, as that’s helpful to us as well!

Seeing this thread looks like it’s related, when I find some time I’ll see if we can remedy as you have.