-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RDS resource not resolving KMS Alias on subsequent plans #1477
Comments
I hit the same issue data "aws_kms_alias" "kms_key" {
name = "alias/${var.kms_key_alias}"
}
resource "aws_db_instance" "db" {
...
kms_key_id = "${data.aws_kms_alias.kms_key.arn}"
...
} After
|
Referencing the provider-split question of providing code, I believe trung's example is sufficient. Its pretty cut/dry. Referencing an Alias creates an instance that is properly tied to Key, but the Alias is seen as a difference by subsequent plans. |
I just lost an entire day to this. Very frustrating! It essentially means we can't use pre-existing keys (referenced via |
You can use the |
ListAliases API used by CreateDBInstance API used by I think the fix could be to expose key-identifier ARN in E.g: resource "aws_db_instance" "db" {
...
kms_key_id = "${replace(data.aws_kms_alias.kms_key.arn, data.aws_kms_alias.name, format("key/%s", data.aws_kms_alias.target_key_id))}"
...
} Note: I haven't tried it myself. Another potential issue with Updated: fixed the replacement string |
Added @tombuildsstuff to review the issue |
Related to #2009 |
+1 facing the same issue. |
+1 kms_key_id is a replacement call to RDS. Please include support |
nightmare...lost a day on this issue |
@bmacauley-reward heh, fancy seeing you here :) hit this too, major pain. |
Hi everyone 👋 Since this issue was raised awhile ago, both the For some additional context, the maintainers do not intend to directly support KMS Alias ARNs due to how the AWS APIs always return the KMS Key ID. Since Terraform performs drift detection with configured values against the value stored in the Terraform state when refreshed by the resource, this difference would always show unless we introduced additional cross-service API calls to every resource that supports this parameter. This API call would occur every Terraform plan for every resource and could dramatically affect account-level KMS rate limiting along with permissions issues for restrictive environments. Given these operational concerns, we prefer to recommend the If the documentation around this can be improved, please reach out. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
This issue was originally opened by @wv-cfromm as hashicorp/terraform#15883. It was migrated here as a result of the provider split. The original body of the issue is below.
If I create an RDS instance and reference a KMS key via Alias ARN, the instance is created and properly refers to the Alias' target. However, on subsequent plans, this forces perpetual recreation, as the ARN in state (the alias arn) does not match the ARN on the instance (the key arn).
Refreshing state should resolve the Alias before comparing to existing instance. This would allow Aliases to be usable on RDS resources.
The text was updated successfully, but these errors were encountered: