[Bug]: Error updating KMS Key Policy: timeout while waiting for state to become 'TRUE' #27641

Closed
ghost opened this issue Nov 3, 2022 · 8 comments
Labels
bug Addresses a defect in current functionality. service/kms Issues and PRs that pertain to the kms service.

Comments

ghost commented Nov 3, 2022

Terraform Core Version

1.2.6

AWS Provider Version

4.37

Affected Resource(s)

After creating a kms key with policy, trying to update the key policy results in:

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

module.kms.aws_kms_key.kms_key: Modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 10s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 20s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 30s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 40s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 50s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m0s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m10s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m20s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m30s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m40s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m50s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m0s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m10s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m20s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m30s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m40s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m50s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m0s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m10s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m20s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m30s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m40s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m50s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m0s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m10s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m20s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m30s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m40s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m50s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 5m0s elapsed]

│ Error: error waiting for KMS Key (d553e6ae-c32e-4e1b-a466-896bb706f781) policy propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 5m0s)

│ with module.kms.aws_kms_key.kms_key,
│ on kms/main.tf line 2, in resource "aws_kms_key" "kms_key":
│ 2: resource "aws_kms_key" "kms_key" {

Expected Behavior

Key policy should update with no errors.

Actual Behavior

Times out with the above error.

Relevant Error/Panic Output Snippet

╷
│ Error: error waiting for KMS Key (d553e6ae-c32e-4e1b-a466-896bb706f781) policy propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 5m0s)
│
│   with module.kms.aws_kms_key.kms_key,
│   on kms/main.tf line 2, in resource "aws_kms_key" "kms_key":
│    2: resource "aws_kms_key" "kms_key" {

Terraform Configuration Files

terraform.tf:

terraform {
  backend "s3" {
    encrypt        = true
    bucket         = "plat-euw1-terraform-state"
    dynamodb_table = "terraform-state-lock-dynamo"
    key            = "test/state.tfstate"
    region         = "eu-west-1"
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.30.0"
    }
  }
}

main.tf:

provider "aws" {
  region = "eu-west-1"
}

module "kms" {
  source = "./kms"
}

kms module:

resource "aws_kms_key" "kms_key" {
  description             = "s3acct_kms_key_test"
  deletion_window_in_days = 7
  policy                  = data.template_file.kms_key_policy.rendered
}

resource "aws_kms_alias" "kms_key_alias" {
  name          = "alias/${aws_kms_key.kms_key.description}"
  target_key_id = aws_kms_key.kms_key.key_id
  depends_on    = [aws_kms_key.kms_key]
}

data "template_file" "kms_key_policy" {
  template = file("./kms/templates/kms_key_policy.json.tpl")
}

template file:

{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::xxxxxx:root"]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::xxxxxx:root"]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

Steps to Reproduce

Apply the terraform. The key and policy apply correctly. Modify the policy template file (add another AWS resource for example) and apply again. The apply errors out with the above error. The error is still there if run again after waiting a while.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

#27611

Would you like to implement a fix?

No response
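
The error above reports a wait on key policy propagation, so a useful first check is whether the policy KMS has stored actually differs from the rendered template. The following is an added example, not code from this issue or from the provider: it compares two key policy documents after normalising scalar-versus-list values and ordering. The function names, the sample documents and the account ID `111122223333` are constructed for illustration.

```python
import json

def _as_set(v):
    # IAM-style JSON accepts a scalar or a list; compare both as a set.
    return frozenset(v) if isinstance(v, list) else frozenset([v])

def _principal(p):
    if isinstance(p, str):  # "Principal": "*"
        return {"*": frozenset([p])}
    return {k: _as_set(v) for k, v in p.items()}

def normalize(policy_json):
    """Map each statement (by Sid, else position) to a canonical form."""
    stmts = json.loads(policy_json)["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return {
        s.get("Sid", f"#{i}"): {
            "Effect": s["Effect"],
            "Principal": _principal(s.get("Principal", {})),
            "Action": _as_set(s.get("Action", [])),
            "Resource": _as_set(s.get("Resource", [])),
            "Condition": json.dumps(s.get("Condition", {}), sort_keys=True),
        }
        for i, s in enumerate(stmts)
    }

def diff_policies(desired_json, stored_json):
    """Return readable differences; an empty list means equivalent."""
    want, have = normalize(desired_json), normalize(stored_json)
    diffs = []
    for sid in sorted(want.keys() | have.keys()):
        if sid not in want or sid not in have:
            diffs.append(f"{sid}: only in {'desired' if sid in want else 'stored'} policy")
            continue
        diffs += [f"{sid}: {f} differs" for f in want[sid] if want[sid][f] != have[sid][f]]
    return diffs

# Constructed sample data; 111122223333 is a placeholder account ID.
ROOT = "arn:aws:iam::111122223333:root"
USE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
def _doc(principal, actions):
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": principal}, "Action": actions, "Resource": "*"}]})

DESIRED = _doc([ROOT], USE)                    # list form, as in the template
STORED_SAME = _doc(ROOT, list(reversed(USE)))  # scalar principal, reordered
STORED_STALE = _doc(ROOT, USE[:2])             # fewer actions than desired

if __name__ == "__main__":
    print(diff_policies(DESIRED, STORED_SAME))
    print(diff_policies(DESIRED, STORED_STALE))
```

To use it against a real key, the stored document can be fetched with `aws kms get-key-policy --key-id <key-id> --policy-name default --query Policy --output text` and the desired one taken from the rendered template.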

@ghost ghost added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Nov 3, 2022
@github-actions github-actions bot added the service/kms Issues and PRs that pertain to the kms service. label Nov 3, 2022
github-actions bot commented Nov 3, 2022

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@justinretzolk
Member

Hey @jhwal47 👋 Thanks for taking the time to submit this issue. It looks like this is a duplicate of #27611. We like to try to keep discussions consolidated, so we’re going to close this new issue in favor of that one.

Duplicate of #27611

@github-actions github-actions bot removed the needs-triage Waiting for first response or review from a maintainer. label Nov 8, 2022
Author

ghost commented Nov 8, 2022

Thx! It did look similar. Appreciate it.

Author

ghost commented Nov 8, 2022

Any thoughts on an ETA for this one? Or a workaround? Many thanks @justinretzolk

@justinretzolk
Member

Hey @jhwal47 👋 Unfortunately, I'm not able to provide an estimate on when this will be looked into due to the potential of shifting priorities (we prioritize work by count of ":+1:" reactions, as well as a few other things). For more information on how we prioritize, check out our prioritization guide.

breisig commented Dec 9, 2022

Having the EXACT same issue!!!!

Author

ghost commented Dec 16, 2022

I am still getting this issue with tf 1.3.6 and provider 4.46.0. This is a huge blocker for us and we've been manually working around this issue for months now. The related issue did not fix this.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 15, 2023