S3 backend with kms regression #33979

Closed
alex-ikse opened this issue Oct 4, 2023 · 7 comments · Fixed by #33993
Labels
backend/s3 bug new new issue not yet triaged v1.6 Issues (primarily bugs) reported against v1.6 releases

@alex-ikse

Terraform Version

1.6.0

Terraform Configuration Files

terraform {
  backend "s3" {
    bucket         = "my-state-bucket"
    kms_key_id     = "alias/my-kms-key"
    dynamodb_table = "my-state-bucket-lock"
  }
}

Debug Output

https://gist.github.com/alex-ikse/8cc4fec7464b4386a43d57ff25a5de8b

Expected Behavior

$ terraform init -reconfigure

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Actual Behavior

$ terraform init -reconfigure

Initializing the backend...
╷
│ Error: Invalid KMS Key ID
│ 
│   on remote_state.tf line 4, in terraform:
│    4:     kms_key_id     = "alias/my-kms-key"
│ 
│ Value must be a valid KMS Key ID, got "alias/my-kms-key"

Steps to Reproduce

  1. terraform init -reconfigure

Additional Context

No response

References

No response

@alex-ikse
Author

The problem is with the new validation function here: https://github.com/hashicorp/terraform/blob/main/internal/backend/remote-state/s3/validate.go#L33-L46
It doesn't handle alias syntax, although it was valid before v1.6.0.

@iamnotabout

Same issue.
As a workaround, we downgraded back to 1.5.7.

@crw crw added the backend/s3 label Oct 4, 2023
@andrewhertog
Contributor

We get the same error when we try to use arn:aws:kms:us-east-1:<account-id>:alias/aws/s3

@andrewhertog
Contributor

andrewhertog commented Oct 5, 2023

Took a quick look at the s3 library being used. It supports both alias and arn/alias formats, so I don't know why this is being blocked by Terraform? @gdavison made the changes, maybe they have context. Here's the PR where the change was made: #33534
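
For reference, AWS KMS documents four identifier forms for a key (key ID, key ARN, alias name, alias ARN), which covers both values reported in this thread. The Go example below is added here; it is not part of the thread, not Terraform's validation code and not the fix in #33993. The regular expressions, the `ClassifyKMSKey` name and the sample account and key IDs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns for the identifier forms AWS KMS documents. They are this example's
// own approximation (assumption), not the regexes used by Terraform.
var (
	keyIDRe     = regexp.MustCompile(`^(mrk-[0-9a-f]{32}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$`)
	aliasNameRe = regexp.MustCompile(`^alias/[a-zA-Z0-9/_-]{1,250}$`)
	arnRe       = regexp.MustCompile(`^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:(.+)$`)
)

// ClassifyKMSKey (hypothetical helper) reports which form s has, or an error.
func ClassifyKMSKey(s string) (string, error) {
	switch {
	case keyIDRe.MatchString(s):
		return "key-id", nil
	case aliasNameRe.MatchString(s):
		return "alias-name", nil
	}
	if m := arnRe.FindStringSubmatch(s); m != nil {
		res := m[1] // resource part after the account ID
		if strings.HasPrefix(res, "key/") && keyIDRe.MatchString(strings.TrimPrefix(res, "key/")) {
			return "key-arn", nil
		}
		if aliasNameRe.MatchString(res) {
			return "alias-arn", nil
		}
	}
	return "", fmt.Errorf("want KMS key ID, key ARN, alias name or alias ARN, got %q", s)
}

func main() {
	// Constructed sample values; the account ID and key ID are placeholders.
	for _, v := range []string{
		"alias/my-kms-key",
		"arn:aws:kms:us-east-1:123456789012:alias/aws/s3",
		"1234abcd-12ab-34cd-56ef-1234567890ab",
		"arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
		"my-kms-key", // bare name without the alias/ prefix: rejected
	} {
		kind, err := ClassifyKMSKey(v)
		fmt.Printf("%-78s kind=%q err=%v\n", v, kind, err)
	}
}
```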

@jonmcewen

@gdavison is there any reason to disallow KMS Key aliases, or can this be fixed?

@apparentlymart apparentlymart added the v1.6 Issues (primarily bugs) reported against v1.6 releases label Oct 5, 2023
@andrewhertog
Contributor

andrewhertog commented Oct 5, 2023

I've proposed a fix, but I'd like to know first if there was a reason for not allowing KMS aliases

Contributor

github-actions bot commented Dec 9, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 9, 2023