Closed erkwish closed 1 month ago
Hi, sorry to hear the provider is doing that. Could you add `log_level=debug` in the provider block and run again? By default this will create `ctp.log`, or you can specify the `log_file` parameter as well. This logs the API request and response.
This is what I get from the `ctp.log`:

```
Error: -16T07:52:36.815Z [ERROR] AWSCreateKey Status: 400 Bad Request
Error: -16T07:52:36.816Z [ERROR] AWSCreateKey Error: [NCERRBadRequest: Bad HTTP request]: Error Creating AWS Key : MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future.
```
But as mentioned above, the exact same policy works both in AWS and in the Thales GUI; it only fails via Terraform. And no trace is seen in AWS.
It was an issue with the container id for the provider. Not so straightforward an error on this.
Creating a new KMS key via Thales after the subdomain for that account was switched fails when it is done via Terraform but works in the Thales console. The provider gets connected to Thales. The new key is created in Thales but not in AWS. There is no trace in AWS CloudTrail of an API call for creating the key. What is run:
`ciphertrust_aws_key`

What error is given:

```
Error: error creating aws key [NCERRBadRequest: Bad HTTP request]: Error Creating AWS Key : MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future.
```

The last thing logged in Terraform before the error (`TF_LOG=debug`):

```
2024-10-15T14:13:09.114Z [INFO] provider.terraform-provider-ciphertrust_v0.10.5-beta: 2024/10/15 14:13:09 [DEBUG] setting computed for "key_admins" from ComputedKeys: timestamp=2024-10-15T14:13:09.112Z
```
A key created with the same key policy works in AWS and via the GUI in Thales. We only get this error via the Terraform provider.
Versions:

- thalesgroup/ciphertrust 0.10.5-beta
- Terraform 1.6.6
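The `MalformedPolicyDocumentException` quoted in this issue is the KMS policy-lockout safety check: `CreateKey` rejects a key policy that would not let the calling principal issue a later `PutKeyPolicy` on the key. The script below is an added example, not code from this issue or from the CipherTrust provider. It is a static first-pass lint of a key policy document for that condition, run against two constructed policies and a hypothetical caller ARN; it deliberately ignores `Deny` statements, `Condition` blocks, `NotPrincipal`/`NotAction` and IAM policies that apply through the account root, so a policy it flags is worth a look but one it passes is not guaranteed to be accepted by KMS.

```python
"""Static pre-check for the KMS policy-lockout condition behind
"The new key policy will not allow you to update the key policy in the future".

Added example; the caller ARN and both policies below are constructed.
"""
import json

# Hypothetical principal that will call kms:CreateKey (an assumption).
CALLER_ARN = "arn:aws:iam::111122223333:role/ciphertrust-kms-admin"

# Constructed policy: the usual "Enable IAM User Permissions" root statement.
# The caller's own account root is granted kms:*, so the check passes.
POLICY_OK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# Constructed policy: grants the caller only read actions and hands
# administration to a different account, so the caller could never
# PutKeyPolicy on the resulting key.
POLICY_LOCKOUT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": CALLER_ARN},
         "Action": ["kms:DescribeKey", "kms:ListAliases"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
         "Action": "kms:*",
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """True if a statement's Principal covers caller_arn.

    Simplification: "*", the bare account id and the account root ARN are
    treated as covering any principal in that account.
    """
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account = caller_arn.split(":")[4]
    root_arn = f"arn:aws:iam::{account}:root"
    return any(
        entry in ("*", caller_arn, root_arn, account)
        for entry in _as_list(principal.get("AWS"))
    )


def _covers_put_key_policy(actions):
    """True if the Action list grants kms:PutKeyPolicy, literally or by wildcard."""
    for action in _as_list(actions):
        action = action.lower()
        if action in ("*", "kms:*", "kms:putkeypolicy"):
            return True
        if action.endswith("*") and "kms:putkeypolicy".startswith(action[:-1]):
            return True
    return False


def would_lock_out(policy_doc, caller_arn):
    """Return True if no Allow statement grants caller_arn kms:PutKeyPolicy.

    Mirrors the safety check CreateKey applies unless
    BypassPolicyLockoutSafetyCheck is set, minus the simplifications
    described in the module docstring.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "Principal" not in stmt or "Action" not in stmt:
            continue
        if _principal_matches(stmt["Principal"], caller_arn) and \
                _covers_put_key_policy(stmt["Action"]):
            return False
    return True


if __name__ == "__main__":
    for name, doc in (("POLICY_OK", POLICY_OK), ("POLICY_LOCKOUT", POLICY_LOCKOUT)):
        verdict = "would be REJECTED" if would_lock_out(doc, CALLER_ARN) else "passes"
        print(f"{name}: {verdict} for {CALLER_ARN}")
```

The principal to test against is whichever credentials the CipherTrust connection actually uses to call `CreateKey`, not the identity running Terraform. Note that in this thread the root cause turned out to be the provider's container id rather than the policy text itself, so a policy that passes this lint can still produce the same error when the request is built against the wrong connection.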