Terraform AWS KMS Key Policy fails when used with AWS IAM Policy Document on AWS Provider >= 3.68.0 #22895
Comments
A possible workaround for this is to specify the policy directly inline instead of using the

```hcl
# Inline key policy. The Condition block belongs inside the SQS statement;
# in the snippet as originally posted it sat at the policy top level, which
# IAM does not accept.
policy = jsonencode({
  Version = "2012-10-17"
  Statement = [
    {
      Sid    = "AllowSQSAccessToKey"
      Effect = "Allow"
      Principal = {
        Service = "sqs.amazonaws.com"
      }
      Action = [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ]
      Resource = "*"
      Condition = {
        "Bool" = {
          "kms:GrantIsForAWSResource" = "true"
        }
        "StringEquals" = {
          "kms:ViaService" = "sqs.${var.aws_region}.amazonaws.com"
        }
      }
    }
  ]
})
```
I'm having the same issue with 3.70 (and have tried 4.19.0 as well), and inlining the policy doesn't help. I get the same error. My condition block:

```hcl
# condition block of the key policy statement
Condition = {
  "StringLike" = {
    "aws:sourceArn" = "arn:aws:lambda:${var.aws_region}:${local.account_id}:function:*"
  }
}
```

The error message:

I have tried using a policy doc as well as a JSON heredoc. Same error in both cases.
This issue also exists when using the basic example for data.iam_policy_document from the docs (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document), even without a condition being set.
While I was facing the same error message, the root cause for me was in fact that I was able to screw up the state. Terraform saved an invalid IAM policy JSON in the state when I did an apply (which did not succeed, because the AWS API declined the update of the resource). Removing the resource and importing it again fixed the state for me and allowed me to terraform apply the resource again.

@applike-ss facing the same issue; how did you remove it from the state? I have neither the document nor the policy in the state

I used

I couldn't see the resource in
I believe this has been fixed. Attempting to reproduce with the latest provider results in a successful
I'll leave this open with the

Terraform Config

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {}

resource "aws_kms_key" "sqs-key" {
  description             = "key to encrypt sqs data for a thing"
  deletion_window_in_days = 14
  policy                  = data.aws_iam_policy_document.optional-sqs-kms-key-policy.json
}

data "aws_iam_policy_document" "optional-sqs-kms-key-policy" {
  # added to prevent "missing principal permissions" error:
  # Error: error creating KMS Key: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future.
  #
  # ref: https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/
  statement {
    sid    = "RequiredManagement"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
  statement {
    sid    = "AllowSQSAccessToKey"
    effect = "Allow"
    principals {
      identifiers = ["sqs.amazonaws.com"]
      type        = "Service"
    }
    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant"
    ]
    resources = [
      "*"
    ]
    condition {
      test     = "Bool"
      values   = ["true"]
      variable = "kms:GrantIsForAWSResource"
    }
    condition {
      test     = "StringEquals"
      values   = ["sqs.us-west-2.amazonaws.com"]
      variable = "kms:ViaService"
    }
  }
}
```

Reproduction Attempt

```
$ terraform -v
Terraform v1.3.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.37.0

$ terraform apply -auto-approve
data.aws_iam_policy_document.optional-sqs-kms-key-policy: Reading...
data.aws_iam_policy_document.optional-sqs-kms-key-policy: Read complete after 1s [id=3381652016]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_kms_key.sqs-key will be created
  + resource "aws_kms_key" "sqs-key" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 14
      + description                        = "key to encrypt sqs data for a thing"
      + enable_key_rotation                = false
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "kms:*"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "*"
                        }
                      + Resource  = "*"
                      + Sid       = "RequiredManagement"
                    },
                  + {
                      + Action    = [
                          + "kms:RevokeGrant",
                          + "kms:ListGrants",
                          + "kms:CreateGrant",
                        ]
                      + Condition = {
                          + Bool         = {
                              + "kms:GrantIsForAWSResource" = "true"
                            }
                          + StringEquals = {
                              + "kms:ViaService" = "sqs.us-west-2.amazonaws.com"
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "sqs.amazonaws.com"
                        }
                      + Resource  = "*"
                      + Sid       = "AllowSQSAccessToKey"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + tags_all                           = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
aws_kms_key.sqs-key: Creating...
aws_kms_key.sqs-key: Creation complete after 5s [id=1ff4a026-c7a3-4abe-a8e1-525f4fd140f0]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
```
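A pre-apply check for the key policy shapes discussed in this thread (the inline workaround near the top and the reproduction config above), added here as example code that is not part of the AWS provider or of any comment; the set of actions treated as "can manage the key" and the account id used in testing are assumptions.

```python
import re

# Example code added to this thread; not part of the AWS provider or of any comment.
# Heuristic lint for a KMS key policy dict (e.g. json.loads of the .json output of
# data.aws_iam_policy_document), run before `terraform apply`. It flags a Condition
# at the policy top level instead of inside a statement, and a policy in which no
# statement keeps an AWS principal able to administer the key (the lockout KMS rejects).

VIA_SERVICE_RE = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+\.amazonaws\.com$")
KEY_ADMIN_ACTIONS = {"kms:*", "kms:PutKeyPolicy"}  # assumption: treated as "can manage"


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """AWS (account/IAM) principals of a statement; a bare "*" is a wildcard."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    return set(_as_list(principal.get("AWS", []))) if isinstance(principal, dict) else set()


def lint_key_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if "Condition" in policy:
        findings.append("Condition must be inside a statement, not at the policy top level")
    admin_ok = False
    for st in _as_list(policy.get("Statement", [])):
        sid = st.get("Sid", "<no Sid>")
        for key in ("Effect", "Principal", "Action", "Resource"):
            if key not in st:
                findings.append(f"{sid}: missing {key}")
        admin = set(_as_list(st.get("Action", []))) & KEY_ADMIN_ACTIONS
        principals = _aws_principals(st)
        if st.get("Effect") == "Allow" and admin and principals:
            admin_ok = True
            if "*" in principals:  # broader than the account root ARN the AWS docs use
                findings.append(f"{sid}: wildcard AWS principal granted {sorted(admin)}")
        for cond in st.get("Condition", {}).values():
            for value in _as_list(cond.get("kms:ViaService", [])):
                if not VIA_SERVICE_RE.match(value):
                    findings.append(f"{sid}: kms:ViaService {value!r} is not <service>.<region>.amazonaws.com")
    if not admin_ok:
        findings.append("no Allow statement keeps an AWS principal able to manage the key")
    return findings
```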
Closing given no further response to reproduction.
Description
Starting with version 3.68.0 of the AWS provider, the code snippet shown below fails with the mentioned error.
Further information
Only AWS provider versions >= 3.68.0 are affected by this bug.
Expected Behavior
Terraform should apply the AWS KMS Key Policy correctly.
Actual Behavior
Terraform apply fails with the Go output:
Steps to Reproduce
terraform apply