hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

'kms_key_id' of 'aws_s3_object' does not support alias notation #24921

Open pspot2 opened 2 years ago

pspot2 commented 2 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

Terraform 1.2.0
AWS Provider 4.15.1

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_s3_object" "test" {
    bucket                 = "mybucket"
    acl                    = "private"
    key                    = "myobject"
    source                 = "/dev/null"
    server_side_encryption = "aws:kms"
    kms_key_id             = "alias/my-kms-key-alias"
}

Debug Output

Panic Output

Expected Behavior

S3 object created. Object encrypted with the CMK pointed to by "alias/my-kms-key-alias".

Actual Behavior

Error: "kms_key_id" (alias/my-kms-key-alias) is an invalid ARN: arn: invalid prefix

Steps to Reproduce

  1. terraform apply

Important Factoids

As far as I understand, this happens because the ARN validation function is applied to kms_key_id by the provider:

            "kms_key_id": {
                Type:         schema.TypeString,
                Optional:     true,
                Computed:     true,
                // verify.ValidARN requires an "arn:" prefix, so "alias/..." is rejected
                ValidateFunc: verify.ValidARN,
            },

S3 API supports the alias notation directly when creating objects, e.g. the following CLI command executes successfully:

aws s3api put-object --acl private --bucket "mybucket" --key "myobject" --server-side-encryption aws:kms --ssekms-key-id "alias/my-kms-key-alias"

Besides, Terraform does support the alias notation in other places, for example in the remote backend config:

terraform {
    backend "s3" {
        ...
        encrypt        = true
        kms_key_id     = "alias/my-kms-key-alias"
        ...
    }
}

Without direct support for the alias notation, the config becomes more complex as the ARN of the key needs to be fetched first.

References
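The workaround the report alludes to, as an added example that is not part of the issue or of the provider's own code: resolve the alias to its key ARN with the aws_kms_alias data source and hand that ARN to kms_key_id, which satisfies the provider's ARN validation. The bucket, object key and alias name are the ones from the report; the data source label "object_key" is an assumption.

```hcl
# Added example (not from the issue or the provider). The alias is looked up
# in the current account and region; "object_key" is an assumed label.
data "aws_kms_alias" "object_key" {
  name = "alias/my-kms-key-alias"
}

resource "aws_s3_object" "test" {
  bucket                 = "mybucket"
  acl                    = "private"
  key                    = "myobject"
  source                 = "/dev/null"
  server_side_encryption = "aws:kms"

  # target_key_arn is the ARN of the key the alias currently points to.
  # An ARN passes verify.ValidARN, which the bare alias string does not.
  kms_key_id = data.aws_kms_alias.object_key.target_key_arn
}

# Optional: expose the resolved ARN so a plan shows which key was chosen.
output "s3_object_kms_key_arn" {
  value = data.aws_kms_alias.object_key.target_key_arn
}
```

Two caveats worth keeping in mind. The data source resolves the alias at plan time, so the resolved ARN (not the alias) is what Terraform stores; if the alias is later re-pointed to a different key, the next plan shows a change to kms_key_id rather than silently using the new key. And because aws_kms_alias is looked up in the provider's own account and region, an alias owned by another account cannot be resolved this way; for a cross-account key the key ARN has to be supplied directly. If the key and alias are managed in the same configuration, referencing aws_kms_key.<name>.arn avoids the data source entirely.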

jeremychauvet commented 1 year ago

Hello 👋🏼 Working on this issue 👍🏼

newman-dani commented 1 month ago

Any news here?