aws_kms_grant does not fail if a grant by given name already exists #15386
Labels: bug, service/kms
Terraform CLI and Terraform AWS Provider Version
Terraform: 0.13.3
AWS Provider: 3.3.0
Affected Resource(s)
aws_kms_grant
Debug Output
N/A
Panic Output
N/A
Expected Behavior
Deployment of the second environment should fail, because the grant by the name `bastion-grant` already exists.
Actual Behavior
Each terraform workspace "thinks" it has its own instance of the KMS Grant resource. Then when I destroy one environment, the KMS Grant gets destroyed, and the other environment is unable to scale more EC2s.
Steps to Reproduce
terraform workspace new one
terraform apply
terraform workspace new two
terraform apply
Important Factoids
We're creating AWS environments for every Git Branch. Each environment gets a VPC and an Autoscaling Group with a Bastion Host. The Bastion AMI is built with packer on another account and encrypted with a CMK on that account (referenced as `var.shared_account_id`). On the "DEV" AWS Account - where all dev environments are created - we create a KMS Grant, so that the ASG would be able to re-encrypt the EBS of the AMI.

Mistakenly, we did not prefix the grant name with the environment name, causing each environment to try to create a KMS Grant named `bastion-grant`. This led to terraform on all environments thinking it has a KMS Grant resource of its own, when in fact AWS always returned the same grant. AWS did not fail, so Terraform did not fail, and put the same GrantID into each environment's state file.

The problem arose when one of the Git Branches was merged, and the dev environment destroyed. Because terraform "thinks" the KMS Grant was created especially for it, it deletes it, but because there was always only one Grant, all other dev environments are broken and unable to re-encrypt bastion AMIs.
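The issue does not include the reporter's configuration, so the following is an added illustration rather than their code. It shows the shape of the collision and the per-workspace name that avoids it. The AWS CreateGrant API documents that when a `Name` is supplied and a grant with identical parameters already exists, the original GrantId is returned instead of a new grant being created; that is why every workspace's state ended up holding the same id. The variable names, region, key id and grantee role below are assumptions chosen for the example.

```hcl
# Added example, not the configuration from the issue.
# Assumed inputs: the shared account that owns the CMK, its region, and the
# key id of the CMK the bastion AMI was encrypted with.
variable "shared_account_id" { type = string }
variable "aws_region"        { type = string }
variable "bastion_cmk_key_id" { type = string }

data "aws_caller_identity" "current" {}

locals {
  bastion_cmk_arn = "arn:aws:kms:${var.aws_region}:${var.shared_account_id}:key/${var.bastion_cmk_key_id}"
  # Assumed grantee: the DEV account's Auto Scaling service-linked role, which
  # needs to use the shared CMK when launching instances from the encrypted AMI.
  asg_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
  grant_operations = [
    "Decrypt",
    "Encrypt",
    "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext",
    "ReEncryptFrom",
    "ReEncryptTo",
    "CreateGrant",
    "DescribeKey",
  ]
}

# Before (shown only for contrast): a fixed name. Every workspace sends an
# identical CreateGrant request, AWS returns the one existing GrantId, and
# each workspace records that same id as if it were its own resource.
resource "aws_kms_grant" "bastion_fixed_name" {
  name              = "bastion-grant"
  key_id            = local.bastion_cmk_arn
  grantee_principal = local.asg_role_arn
  operations        = local.grant_operations
}

# After: the workspace name is part of the grant name, so each environment
# creates a distinct grant and `terraform destroy` in one workspace revokes
# only that environment's grant.
resource "aws_kms_grant" "bastion" {
  name              = "${terraform.workspace}-bastion-grant"
  key_id            = local.bastion_cmk_arn
  grantee_principal = local.asg_role_arn
  operations        = local.grant_operations
}
```

After applying the corrected resource in each workspace, `aws kms list-grants --key-id <shared CMK ARN>` (run as a principal allowed `kms:ListGrants` on that key) should show one grant per workspace with a distinct `GrantId`; if two workspaces still report the same `GrantId`, they are sharing a grant and destroying either one will break the other.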