[Bug]: Error updating KMS Key Policy: timeout while waiting for state to become 'TRUE' #27641
Comments
Thx! It did look similar. Appreciate it.
Any thoughts of an ETA on this one? or a work around. Many thanks @justinretzolk
Hey @jhwal47 👋 Unfortunately, I'm not able to provide an estimate on when this will be looked into due to the potential of shifting priorities (we prioritize work by count of ":+1:" reactions, as well as a few other things). For more information on how we prioritize, check out our prioritization guide.
Having the EXACT same issue!!!!
I am still getting this issue with tf 1.3.6 and provider 4.46.0. This is a huge blocker for us and we've been manually working around this issue for months now. The related issue did not fix this.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Terraform Core Version
1.2.6
AWS Provider Version
4.37
Affected Resource(s)
After creating a kms key with policy, trying to update the key policy results in:
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
module.kms.aws_kms_key.kms_key: Modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 10s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 20s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 30s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 40s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 50s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m0s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m10s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m20s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m30s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m40s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 1m50s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m0s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m10s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m20s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m30s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m40s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 2m50s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m0s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m10s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m20s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m30s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m40s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 3m50s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m0s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m10s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m20s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m30s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m40s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 4m50s elapsed]
module.kms.aws_kms_key.kms_key: Still modifying... [id=d553e6ae-c32e-4e1b-a466-896bb706f781, 5m0s elapsed]
╷
│ Error: error waiting for KMS Key (d553e6ae-c32e-4e1b-a466-896bb706f781) policy propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 5m0s)
│
│ with module.kms.aws_kms_key.kms_key,
│ on kms/main.tf line 2, in resource "aws_kms_key" "kms_key":
│ 2: resource "aws_kms_key" "kms_key" {
Expected Behavior
Key policy should update with no errors.
Actual Behavior
Timeouts with above error.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
terraform.tf:
terraform {
  backend "s3" {
    encrypt        = true
    bucket         = "plat-euw1-terraform-state"
    dynamodb_table = "terraform-state-lock-dynamo"
    key            = "test/state.tfstate"
    region         = "eu-west-1"
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.30.0"
    }
  }
}
main.tf:
provider "aws" {
  region = "eu-west-1"
}
module "kms" {
  source = "./kms"
}
kms module:
resource "aws_kms_key" "kms_key" {
  description             = "s3acct_kms_key_test"
  deletion_window_in_days = 7
  policy                  = data.template_file.kms_key_policy.rendered
}
resource "aws_kms_alias" "kms_key_alias" {
  name          = "alias/${aws_kms_key.kms_key.description}"
  target_key_id = aws_kms_key.kms_key.key_id
  depends_on    = [aws_kms_key.kms_key]
}
data "template_file" "kms_key_policy" {
  template = file("./kms/templates/kms_key_policy.json.tpl")
}
template file:
{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::xxxxxx:root"]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::xxxxxx:root"]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
Steps to Reproduce
Apply the terraform. The key and policy apply correctly. Modify the policy template file (add another AWS resource for example) and apply again. The apply errors out with the above error. The error is still there if run again after waiting awhile.
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
#27611
Would you like to implement a fix?
No response
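A diagnostic for the timeout reported above, as an added example that is not part of the issue or the provider's code: it compares the rendered template with the policy returned by `aws kms get-key-policy` after normalising both, so a formatting-only difference can be told apart from a policy the key never took. It assumes the provider's propagation wait compares the configured policy with the one KMS returns; `normalize`, `policy_drift`, `make_policy` and the account IDs are hypothetical names and constructed sample data.

```python
import json

def _as_set(v):
    """IAM accepts a scalar or a list in these fields; compare both as a set."""
    v = [] if v is None else v
    return frozenset([v]) if isinstance(v, str) else frozenset(v)

def normalize(policy_json):
    """Map Sid -> canonical statement so ordering and scalar/list form do not matter."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    out = {}
    for i, s in enumerate(stmts):
        p = s.get("Principal") or {}
        p = {"*": p} if isinstance(p, str) else p
        out[s.get("Sid", f"#{i}")] = {
            "Effect": s.get("Effect"),
            "Principal": {k: _as_set(v) for k, v in p.items()},
            "Action": frozenset(a.lower() for a in _as_set(s.get("Action"))),
            "Resource": _as_set(s.get("Resource")),
            "Condition": json.dumps(s.get("Condition", {}), sort_keys=True),
        }
    return out

def policy_drift(desired_json, returned_json):
    """List (sid, field) pairs where the two policies really differ."""
    want, got = normalize(desired_json), normalize(returned_json)
    drift = []
    for sid in sorted(set(want) | set(got)):
        w, g = want.get(sid), got.get(sid)
        if w is None or g is None:
            drift.append((sid, "missing in desired" if w is None else "missing in returned"))
        else:
            drift += [(sid, f) for f in w if w[f] != g[f]]
    return drift

# Constructed sample data: placeholder account IDs, not values from the issue.
ROOT, EXTRA = "arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:root"
USE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]

def make_policy(use_principals, use_actions):
    return json.dumps({"Version": "2012-10-17", "Id": "key-policy", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": [ROOT]}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": use_principals}, "Action": use_actions, "Resource": "*"}]})

DESIRED = make_policy([ROOT, EXTRA], USE)            # template after the edit
REFORMATTED = make_policy([EXTRA, ROOT], USE[::-1])  # same policy, different ordering
STALE = make_policy(ROOT, USE)                       # key still holds the old policy
```

An empty result from `policy_drift` means the two documents grant the same thing; a non-empty one names the statement and field to inspect on the key.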