aws_lambda_function does not update correctly when changing KMS key

[j2clerck]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

• aws_lambda_function

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region  = "eu-west-1"
}

resource "aws_lambda_function" "name" {
  architectures = ["arm64"]
  function_name = "terraform_debug"
  role          = aws_iam_role.iam_for_lambda.arn
  environment {
    variables = {
      "key" = "value"
    }
  }
  kms_key_arn = aws_kms_key.key_2.arn
  handler     = "app.handler"
  runtime     = "python3.9"
  filename    = "function.zip"

}

# resource "aws_kms_key" "key_1" {
#     deletion_window_in_days = 7
#     description = "key-1"
  
# }
resource "aws_kms_key" "key_2" {
    deletion_window_in_days = 7
    description = "key-2"
  
}


resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda"

  assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
    {
    "Action": "sts:AssumeRole",
    "Principal": {
        "Service": "lambda.amazonaws.com"
    },
    "Effect": "Allow",
    "Sid": ""
    }
]
}
EOF
}

Debug Output

Panic Output

Expected Behavior

Terraform should have updated the environment variables so that they are encrypted with the new key

Actual Behavior

Terraform updated the kms_key_arn of Lambda function but the variables were still encoded with the old KMS key
Error returned by Lambda API
Lambda was unable to decrypt your environment variables because the KMS key used is an invalid state. Please check your KMS key settings.KMS Exception: KMSInvalidStateException KMS Message: arn:aws:kms:eu-west-1:123456789012:key/abcdef12-a3a5-4a04-9b93-45202589c25a is pending deletion.

Steps to Reproduce

1. terraform apply with key 1 uncommented and key 2 commented
2. terraform apply with key 2 uncommented and key 1 commented
3. login to aws console and check environment variable on the lambda function. It should return an error about KMS key being disabled.

Important Factoids

References

https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/lambda/function.go#L1102 evaluates if environment variables has changed. I suggest to add a OR condition to also include changes to kms_key_arn d.HasChange("kms_key_arn")

• #0000

[bschaatsbergen]

Hi @j2clerck, thanks for raising this issue. I'm able to reproduce it according to the steps you've listed down. Thanks a lot for flagging this issue, I'll see if I can preprare a fix for it.

[bschaatsbergen]

I've noticed that doing a second terraform apply solves the issue.

[bschaatsbergen]

A simple fix would be to reload the environment variables if the kms_key_arn has changed

[j2clerck]

That's would have been my solution too to add a second check to the hasChanged("environment").

[github-actions]

This functionality has been released in v4.30.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.