Error Overwriting AWS Key Pair #16206

Closed
Invasive-Security opened this issue Nov 15, 2020 · 2 comments
Labels
enhancement, service/ec2

Comments

Invasive-Security commented Nov 15, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/aws v3.13.0

Affected Resource(s)

  • aws_key_pair

Terraform Configuration Files

I have an ssm parameter, with a public key. From within a module I import the public key from the parameter as a key pair.

data "aws_ssm_parameter" "pub_key_path" {
  name = var.svr_pub_key_path
}

resource "aws_key_pair" "pub_key" {
  key_name   = var.svr_pub_key_name
  public_key = data.aws_ssm_parameter.pub_key_path.value
}

Debug Output

If I taint this artefact and then re-run apply:

terraform taint module.server.aws_key_pair.pub_key
terraform apply

Expected Behaviour

I would expect it to either overwrite the key, delete any existing keys first or compare the two values to confirm the duplication. If the key pair is a duplicate I would expect the apply command to ignore the key and continue.

Actual Behaviour

The following error is thrown:

Error: Error import KeyPair: InvalidKeyPair.Duplicate: The keypair 'svr_key' already exists.
	status code: 400, request id: 4a6e7895-0d32-4c1b-bb0a-23c0a81ba39d

I can work around this by deleting the key, or untainting that particular artefact. However, it would be neat if there was a way to prevent this error.

Important Factoids

I checked the docs, I was hoping to find an argument similar to:

on_failure = continue

Could this be added?

References

Kind of related to:

Thanks,
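
The "compare the two values to confirm the duplication" check described above can be done before `apply` by comparing fingerprints; the following is an added example, not part of the original issue or of the provider's code. It assumes an RSA public key in OpenSSH format and that the existing key pair's `KeyFingerprint` is the MD5 digest of the DER-encoded public key, which is how EC2 reports imported RSA keys; all function names are hypothetical.

```python
import base64
import hashlib
import struct

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL params)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
# Constructed toy key (e=3, n=193) for illustration only; not a usable RSA key.
SAMPLE_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAAIAwQ== constructed@example"

def _tlv(tag, body):
    """Encode one DER tag-length-value element."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def _der_int(value):
    # One spare leading bit keeps the INTEGER non-negative and minimal.
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def spki_der(openssh_pub):
    """Convert an 'ssh-rsa AAAA... comment' line to SubjectPublicKeyInfo DER."""
    blob = base64.b64decode(openssh_pub.split()[1])
    fields = []
    while blob:  # SSH wire format: 4-byte big-endian length, then the value
        (size,) = struct.unpack(">I", blob[:4])
        fields.append(blob[4:4 + size])
        blob = blob[4 + size:]
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("only ssh-rsa public keys are handled here")
    e, n = (int.from_bytes(f, "big") for f in fields[1:])
    rsa_key = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, RSA_ALG_ID + _tlv(0x03, b"\x00" + rsa_key))

def ec2_import_fingerprint(openssh_pub):
    """MD5 of the DER public key, colon-separated (imported RSA key format)."""
    digest = hashlib.md5(spki_der(openssh_pub)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def duplicate_action(existing_fingerprint, openssh_pub):
    """existing_fingerprint: KeyFingerprint of the same-named key pair, or None."""
    if existing_fingerprint is None:
        return "create"
    if existing_fingerprint.lower() == ec2_import_fingerprint(openssh_pub):
        return "skip"      # same key material: the duplicate is harmless
    return "conflict"      # same name, different key: stop and investigate
```

A "conflict" result is the case worth stopping on: the name is taken by different key material, so continuing past the error would leave instances launching with a key other than the one stored in the parameter.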

ghost added the service/ec2 and service/ssm labels Nov 15, 2020
github-actions bot added the needs-triage label Nov 15, 2020
ewbankkit added the enhancement label and removed the needs-triage and service/ssm labels Aug 18, 2021

@ewbankkit (Contributor)

Hi @Invasive-Security 👋 Thank you for submitting this and this is an excellent use case of somewhere that Terraform and the Terraform AWS Provider could be much more helpful since in many cases they have enough information to return an error upfront during planning instead of unexpected behavior during apply.

I believe this falls under the provider-wide enhancement proposal of #14394, so by adding this link here it will add a reference to that issue so we can include it as a use case when thinking about the implementation details. Since this is likely something we will want more broadly across many resources, I'm going to close this particular issue to consolidate discussions, efforts, and prioritization on the topic while the reference would serve as the cue to make this specific resource one of the initial implementations. I would suggest those 👍 upvoting and subscribing here to do so on #14394 so we can appropriately gauge interest. Please feel free to provide feedback there.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 18, 2021