
[Bug]: Cannot create or modify KMS key with tf 1.3.6 and provider 4.46.0 #28390

Open
ghost opened this issue Dec 16, 2022 · 9 comments
Labels
bug Addresses a defect in current functionality. service/kms Issues and PRs that pertain to the kms service. timeouts Pertains to timeout increases.

Comments

@ghost

ghost commented Dec 16, 2022

Terraform Core Version

1.3.6

AWS Provider Version

4.46.0

Affected Resource(s)

 Error: error waiting for KMS Key (79003f4d-xxxxxxxxx7) policy propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 5m0s)

Expected Behavior

Create the key

Actual Behavior

Errors, but I see the key created in the console.

Relevant Error/Panic Output Snippet

see #27641

Terraform Configuration Files

See #27641

Steps to Reproduce

see #27641

Debug Output

see #27641

Panic Output

No response

Important Factoids

This is a huge blocker for us

References

No response

Would you like to implement a fix?

None

@ghost ghost added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Dec 16, 2022
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@justinretzolk justinretzolk added service/kms Issues and PRs that pertain to the kms service. timeouts Pertains to timeout increases. and removed needs-triage Waiting for first response or review from a maintainer. labels Jan 19, 2023
@rajattrikha

I am facing the same issue with terraform version 1.3.7 and AWS Provider version 4.5

@mjryan253

Also having this same issue with terraform 1.3.6 and AWS provider 4.50.0

@joeybenamy

Same issue. Terraform 1.3.9, AWS provider 4.48.0

@dr-yd

dr-yd commented Feb 23, 2023

Same, with 1.3.9 and provider 4.55.0. Strangely, it's just for one key, and we have a lot of them across a lot of projects, all deployed via the same module. Granted, though, it's a fairly complicated key policy because it manages access to our central Terraform state bucket CMK (of all things)...

In the console, the individual elements of the policy switch places over and over while Terraform is deploying, so it seems to have to do with sorting - although that might just be a normal behavior that usually doesn't matter and is ignored because it has no effect.

The policy is updated in the end, but Terraform never considers the deployment finished and attempts to update it again on the next run. Removing and reimporting the key does not help - Terraform attempts to update it again immediately after importing.

@dr-yd

dr-yd commented Mar 16, 2023

For me, the issue is solved. An arn:aws:sts::<account>:role/role-name ARN instead of arn:aws:iam:: had slipped in there - AWS apparently accepts these as equivalent and converts them to arn:aws:iam:: ARNs. Not sure if that's well-defined behavior and if the provider should take it into account.
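
A pre-apply check for the two effects reported in this thread (statement and list order changing in the console, and sts-form role ARNs being stored as iam-form ARNs). This is an added example, not code from the issue, the AWS provider or the terraform-aws-modules projects; the normalization it assumes is the behaviour dr-yd described, and the policy documents and account id are constructed samples.

```python
import json
import re

# AWS accepts arn:aws:sts::<acct>:role/<name> as a policy principal but stores the
# equivalent arn:aws:iam::<acct>:role/<name> (behaviour reported in this thread).
_STS_ROLE = re.compile(r'arn:aws:sts::(\d{12}):role/([^"\s]+)')

def normalize_arn(arn: str) -> str:
    """Rewrite an sts-form role ARN to the iam form AWS stores; others unchanged."""
    return _STS_ROLE.sub(r"arn:aws:iam::\1:role/\2", arn)

def _canon(node):
    """Canonical form: sorted keys, order-insensitive lists, one-element lists
    collapsed to scalars (AWS stores ["kms:*"] as "kms:*"), ARNs normalized."""
    if isinstance(node, dict):
        return {k: _canon(v) for k, v in sorted(node.items())}
    if isinstance(node, list):
        items = [_canon(v) for v in node]
        if len(items) == 1:
            return items[0]
        return sorted(items, key=lambda v: json.dumps(v, sort_keys=True))
    return normalize_arn(node) if isinstance(node, str) else node

def policies_equivalent(desired: str, actual: str) -> bool:
    """True when two policy documents differ only in order or ARN spelling."""
    return _canon(json.loads(desired)) == _canon(json.loads(actual))

def sts_role_principals(policy: str) -> list:
    """Principals AWS will rewrite; fix these before apply so state matches."""
    return [m.group(0) for m in _STS_ROLE.finditer(policy)]

# Constructed sample: the desired key policy, with one sts-form principal slipped in.
DESIRED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Admins", "Effect": "Allow", "Action": ["kms:*"], "Resource": "*",
     "Principal": {"AWS": ["arn:aws:sts::123456789012:role/kms-admin",
                           "arn:aws:iam::123456789012:role/ops"]}},
    {"Sid": "Users", "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"],
     "Resource": "*", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"}}]})
# Constructed sample: what AWS hands back (statements and lists reordered, ARN rewritten).
ACTUAL = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Users", "Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt"],
     "Resource": "*", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"}},
    {"Sid": "Admins", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:role/ops",
                           "arn:aws:iam::123456789012:role/kms-admin"]}}]})

if __name__ == "__main__":
    print("equivalent:", policies_equivalent(DESIRED, ACTUAL))      # True
    print("principals AWS will rewrite:", sts_role_principals(DESIRED))
```

A naive string or JSON comparison of DESIRED against ACTUAL never matches, which is the state the propagation waiter in the error above is stuck in; the canonical comparison shows the deployed policy is already what was asked for.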

@marcofranssen

marcofranssen commented Mar 27, 2023

Facing the same issue.

We are using the https://github.com/terraform-aws-modules/terraform-aws-eks module.

This module in turn uses the https://github.com/terraform-aws-modules/terraform-aws-kms module.

In the console of my AWS account I see the KMS key is there and the key also has the policy applied as defined by the terraform module.

Still terraform fails with every single apply. Also for us this is a big blocker as all our CI/CD pipelines are failing.

See here how we use the module:

  kms_key_deletion_window_in_days = 7
  kms_key_owners                  = var.kms_key_owners
  kms_key_administrators          = var.kms_key_administrators

Both variables are used with roles.
