Allow time for propagation of new IAM resources on KMS policy update

[neinkeinkaffee]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.5
Provider v4.14.0 (HEAD: cffbd38)

Affected Resource(s)

• aws_kms_key

Terraform Configuration Files

Given the distributed nature of AWS, IAM changes take time to propagate. During the creation of KMS keys and their resource policies, a MalformedPolicyDocumentException indicates that IAM changes might not have propagated, and this is handled by the provider, which retries for up to two minutes.

However, when updating the resource policy of an already existing key, the provider fails to handle the same error.

data "aws_caller_identity" "this" {}

#resource "aws_iam_role" "example_role" {
#  name               = "example_role"
#  assume_role_policy = data.aws_iam_policy_document.assume_example_role.json
#}

#data "aws_iam_policy_document" "assume_example_role" {
#  statement {
#    actions = ["sts:AssumeRole"]
#    principals {
#      type        = "AWS"
#      identifiers = [data.aws_caller_identity.this.arn]
#    }
#  }
#}

resource "aws_kms_key" "example_key" {
  policy      = data.aws_iam_policy_document.example_key_policy.json
}

data "aws_iam_policy_document" "example_key_policy" {
#  statement {
#    sid    = "Decrypt"
#    effect = "Allow"
#    principals {
#      type        = "AWS"
#      identifiers = [aws_iam_role.example_role.arn]
#    }
#    actions = [
#      "kms:Decrypt",
#    ]
#    resources = ["*"]
#  }

  statement {
    sid    = "Administrate"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [data.aws_caller_identity.this.arn]
    }
    actions = [
      "kms:*"
    ]
    resources = ["*"]
  }
}

Debug Output

2022-05-08T18:53:33.578+0100 [ERROR] vertex "aws_kms_key.example_key" error: error updating KMS Key (xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) policy: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
|
│ Error: error updating KMS Key (xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) policy: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
│ 
│   with aws_kms_key.example_key,
│   on kms_update_wait_iam.tf line 18, in resource "aws_kms_key" "example_key":
│   18: resource "aws_kms_key" "example_key" {
│ 

Expected Behavior

As with key creation, the provider should retry the key update until the timeout allowed for IAM propagation (two minutes) is reached.

Actual Behavior

The provider doesn't retry, instead failing on the first MalformedPolicyDocumentException.

Steps to Reproduce

1. terraform apply the Terraform configuration from above to create a KMS key
2. Uncomment the commented lines and terraform apply again to create a new IAM role and reference it in the policy

References

• Eventual consistency issue with aws_iam_service_linked_role #7646

[neinkeinkaffee]

I have opened a PR that fixes the issue: #24697

[github-actions]

This functionality has been released in v4.14.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.