Support ARNs for existing KMS keys #2009
Comments
Need a new data source that calls
Updated:
This has been released in terraform-provider-aws version 1.8.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
@bflad, in light of #3189 and #3203 I wanted to discuss this feature, and suggest consideration of #2224. I think the issue described in #3189 is actually an AWS API bug which needs to be reported to AWS for fixing. (Which I am glad to do.) From experimental observation, I think that whether the KMS API call
Given:
Thus, I think:
I'm glad to work up a PR for 1); would it be welcomed / accepted? Thoughts in general? (cc @trung re: his PR)
Update 1: I have reported the
Update 2: Response from AWS Support:
Nice investigative work here! I think we should switch the data source to
As a followup to when #2224 lands (reviewing it now), we might be able to alias (pardon the pun) the
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
There is currently no way to directly retrieve an ARN for a pre-existing KMS Key. This makes it difficult / unnecessarily complicated to assign existing KMS keys to newly created resources.
Terraform Version
0.10.7
Affected Resource(s)
aws_kms_alias
aws_lambda_function (kms_key_arn argument)
Terraform Configuration Files
Expected Behavior
The newly created Lambda function would have the MyPreExisting KMS key set.
Actual Behavior
The Lambda function gets assigned either no KMS key, or the default aws/lambda key.
Important Factoids
After failing to have the expected KMS key assigned, I looked at the plan output and saw that the value of ${data.aws_kms_alias.existing_cmk.arn} was in the format of arn:aws:kms:eu-west-1:123456789012:alias/MyExistingKey
This is the ARN of the alias, not the key itself, which are seemingly not analogous. Logically this makes sense, but as there is no aws_kms_key data provider, there is no way to directly retrieve an ARN for an existing key. You can indirectly solve this by using some substitution, but it would be nice not to have to do this:
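The substitution workaround described above, written out as an added example that is not part of the original issue or the provider's own code. It assumes Terraform 0.10.x interpolation syntax, an alias named alias/MyExistingKey that already exists, a hypothetical lambda_role_arn variable, and that the aws_kms_alias data source exposes the arn and target_key_id attributes.

```hcl
# Added example, not from the issue. Assumes a pre-existing alias
# "alias/MyExistingKey" and a hypothetical variable holding the Lambda role ARN.
variable "lambda_role_arn" {}

data "aws_kms_alias" "existing_cmk" {
  name = "alias/MyExistingKey"
}

locals {
  # WRONG value for kms_key_arn: this is the *alias* ARN, e.g.
  # arn:aws:kms:eu-west-1:123456789012:alias/MyExistingKey
  alias_arn = "${data.aws_kms_alias.existing_cmk.arn}"

  # Workaround: the key ARN shares the alias ARN's region/account prefix,
  # so swap the "alias/<name>" suffix for "key/<target_key_id>".
  key_arn = "${replace(local.alias_arn, "/alias/.*$/", format("key/%s", data.aws_kms_alias.existing_cmk.target_key_id))}"
}

resource "aws_lambda_function" "example" {
  function_name = "example"
  role          = "${var.lambda_role_arn}"
  handler       = "index.handler"
  runtime       = "python3.6"
  filename      = "lambda.zip"

  # Passing local.alias_arn here reproduces the issue (no key, or the default
  # aws/lambda key); the derived key ARN is what this argument needs.
  kms_key_arn = "${local.key_arn}"
}

# With provider 1.8.0 or later (per the release comment in this thread) the
# substitution is unnecessary: the aws_kms_key data source returns the key ARN.
# data "aws_kms_key" "existing_cmk" {
#   key_id = "alias/MyExistingKey"
# }
# kms_key_arn = "${data.aws_kms_key.existing_cmk.arn}"
```

Run terraform plan and confirm the planned kms_key_arn ends in key/<id> rather than alias/<name> before applying.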