aws_lambda_function does not update correctly when changing KMS key #26692
Comments
Hi @j2clerck, thanks for raising this issue. I'm able to reproduce it according to the steps you've listed down. Thanks a lot for flagging this issue, I'll see if I can prepare a fix for it.
I've noticed that doing a second
A simple fix would be to reload the environment variables if the
That would have been my solution too, to add a second check to the hasChanged("environment").
This functionality has been released in v4.30.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Community Note
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
Panic Output
Expected Behavior
Terraform should have updated the environment variables so that they are encrypted with the new key
Actual Behavior
Terraform updated the kms_key_arn of Lambda function but the variables were still encoded with the old KMS key
Error returned by Lambda API
Lambda was unable to decrypt your environment variables because the KMS key used is an invalid state. Please check your KMS key settings.KMS Exception: KMSInvalidStateException KMS Message: arn:aws:kms:eu-west-1:123456789012:key/abcdef12-a3a5-4a04-9b93-45202589c25a is pending deletion.
Steps to Reproduce
1. terraform apply with key 1 uncommented and key 2 commented
2. terraform apply with key 2 uncommented and key 1 commented
Important Factoids
References
https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/lambda/function.go#L1102 evaluates if environment variables have changed. I suggest adding an OR condition to also include changes to kms_key_arn
d.HasChange("kms_key_arn")
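A small Go model of the update decision discussed in this issue, added here as an illustration and not taken from the provider's source. `fakeLambda`, `updateInput`, `buildUpdate` and `rotate` are hypothetical names, the key names and variable are constructed, and the fake service models only the behaviour the report describes (variables are re-encrypted only when the update request carries the environment).

```go
package main

import "fmt"

// fakeLambda is a constructed stand-in for the Lambda service. It models only
// the reported behaviour: variables are re-encrypted when Environment is sent.
type fakeLambda struct {
	KMSKeyArn string // key configured on the function
	EnvKey    string // key the stored variables are encrypted under
}

// updateInput holds the two update-request fields that matter here.
type updateInput struct {
	KMSKeyArn *string           // nil means the key is not sent
	Vars      map[string]string // nil means Environment is not sent
}

func (f *fakeLambda) update(in updateInput) {
	if in.KMSKeyArn != nil {
		f.KMSKeyArn = *in.KMSKeyArn
	}
	if in.Vars != nil {
		f.EnvKey = f.KMSKeyArn // variables stored again under the current key
	}
}

// buildUpdate mimics the provider's decision. envChanged and keyChanged stand
// in for d.HasChange results; fixed enables the OR condition from the issue.
func buildUpdate(envChanged, keyChanged, fixed bool, newKey string, vars map[string]string) updateInput {
	var in updateInput
	if keyChanged {
		in.KMSKeyArn = &newKey
	}
	if envChanged || (fixed && keyChanged) {
		in.Vars = vars
	}
	return in
}

// rotate applies a key-only change; returns the configured key and the env key.
func rotate(fixed bool) (configured, envKey string) {
	vars := map[string]string{"DB_HOST": "db.example.internal"} // constructed
	f := &fakeLambda{KMSKeyArn: "key-1", EnvKey: "key-1"}
	f.update(buildUpdate(false, true, fixed, "key-2", vars))
	return f.KMSKeyArn, f.EnvKey
}

func main() {
	fmt.Println(rotate(false)) // key-2 key-1: variables still under the old key
	fmt.Println(rotate(true))  // key-2 key-2: variables follow the new key
}
```

When the two returned values differ, the function's configured key and the key protecting its variables have drifted apart, which is the state that produced the KMSInvalidStateException once the old key was scheduled for deletion.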