
RDS instances try to be recreated when associated with a KMS Alias #229

Closed
hashibot opened this issue Jun 13, 2017 · 8 comments
Labels
bug Addresses a defect in current functionality. service/rds Issues and PRs that pertain to the rds service.

Comments

@hashibot

This issue was originally opened by @rcostanzo as hashicorp/terraform#8259. It was migrated here as part of the provider split. The original body of the issue is below.


You can properly create an RDS instance with the KMS Alias ARN as the kms_key_id, but subsequent runs then want to recreate that resource because the AWS returned value is the actual KMS Key's ARN, not the Alias's.

Terraform Version

0.7.0

Affected Resource(s)

  • aws_db_instance
  • aws_kms_alias

Terraform Configuration Files

resource "aws_kms_key" "rds" {
    ...
}

resource "aws_kms_alias" "rds" {
    name = "alias/key-rds-qa"
    target_key_id = "${aws_kms_key.rds.key_id}"
}

resource "aws_db_instance" "db-profile-2" {
    # alias ARN: AWS stores and returns the underlying key ARN instead,
    # so the refreshed state never matches this configured value
    kms_key_id = "${aws_kms_alias.rds.arn}"
}

Expected Behavior

No changes should be detected

Actual Behavior

Terraform detects that the KMS Key changed and wants to recreate the RDS db resource:
kms_key_id: "arn:aws:kms:stuff:key/keyid" => "arn:aws:kms:stuff:alias/key-rds-qa" (forces new resource)

Steps to Reproduce

  1. Create an RDS instance with the kms_key_id equal to an alias
  2. Run a plan afterwards and see it wants to recreate it vs. being a no-op
@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@ktel1218

ktel1218 commented Jan 3, 2018

+1

@mogaal

mogaal commented Jan 11, 2018

+1, facing the same issue. Has anyone found a workaround?

@ktel1218

ktel1218 commented Jan 11, 2018

I used the workaround here: #1477 (comment from @trung)

@radeksimko radeksimko added the service/rds Issues and PRs that pertain to the rds service. label Jan 25, 2018
@weskerfoot

I also have this issue

@CyrilDevOps

+1

@pnduati

pnduati commented Jun 10, 2020

+1

@bflad
Contributor

bflad commented Oct 29, 2020

Hi everyone 👋 Since this issue was raised a while ago, both the aws_kms_alias resource and data source now support a target_key_arn attribute, which is compatible with all kms_key_id arguments across all Terraform AWS Provider resources. This is the recommended path for all configurations experiencing this issue.

For some additional context, the maintainers do not intend to directly support KMS Alias ARNs due to how the AWS APIs always return the KMS Key ID. Since Terraform performs drift detection with configured values against the value stored in the Terraform state when refreshed by the resource, this difference would always show unless we introduced additional cross-service API calls to every resource that supports this parameter. This API call would occur every Terraform plan for every resource and could dramatically affect account-level KMS rate limiting along with permissions issues for restrictive environments. Given these operational concerns, we prefer to recommend the target_key_arn attribute.

If the documentation around this can be improved, please reach out.
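The configuration from the original report rewritten along the lines of the maintainer's recommendation, as an added example that is not part of this thread or of the provider's own code: the only substantive change is that aws_db_instance reads the alias's target_key_arn attribute instead of its arn. The resource names, alias name, engine settings, the db_password variable and the Terraform 0.12+ syntax are assumptions; the aws_kms_key body, which the report elided, is filled in with ordinary arguments.

```hcl
# Added example (not from the issue thread or the provider project).
# Assumed: resource names, alias name, engine settings, var.db_password.

resource "aws_kms_key" "rds" {
  description             = "CMK for RDS storage encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_kms_alias" "rds" {
  name          = "alias/key-rds-qa"
  target_key_id = aws_kms_key.rds.key_id
}

resource "aws_db_instance" "db_profile_2" {
  identifier        = "db-profile-2"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "dbadmin"
  password          = var.db_password # supplied out of band, never hard-coded
  storage_encrypted = true

  # RDS stores and reports the key ARN, so Terraform must be given the
  # key ARN for refresh and config to agree.
  #
  # Before (plan shows "forces new resource" on every run):
  #   kms_key_id = aws_kms_alias.rds.arn
  #
  # After: resolve the alias to its key ARN on the Terraform side.
  kms_key_id = aws_kms_alias.rds.target_key_arn

  skip_final_snapshot = true
}

variable "db_password" {
  type      = string
  sensitive = true
}
```

Because target_key_arn is evaluated from the alias resource in the same plan, no extra KMS API call is made per RDS resource at refresh time; the value written to state is the same key ARN the RDS API returns, so the comparison is a no-op. When the alias is managed outside Terraform, the aws_kms_alias data source exposes the same target_key_arn attribute and can be substituted for the resource reference above.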

@bflad bflad closed this as completed Oct 29, 2020
@ghost

ghost commented Nov 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Nov 29, 2020