[Bug]: Cannot create or modify KMS key with tf 1.3.6 and provider 4.46.0

[ghost]

Terraform Core Version

1.3.6

AWS Provider Version

4.46.0

Affected Resource(s)

 Error: error waiting for KMS Key (79003f4d-xxxxxxxxx7) policy propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 5m0s)
│

Expected Behavior

Create the key

Actual Behavior

Errors, but I see the key created in the console.

Relevant Error/Panic Output Snippet

see https://github.com/hashicorp/terraform-provider-aws/issues/27641

Terraform Configuration Files

See https://github.com/hashicorp/terraform-provider-aws/issues/27641

Steps to Reproduce

see https://github.com/hashicorp/terraform-provider-aws/issues/27641

Debug Output

see https://github.com/hashicorp/terraform-provider-aws/issues/27641

Panic Output

No response

Important Factoids

This is a huge blocker for us

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[rajattrikha]

I am facing the same issue with terraform version 1.3.7 and AWS Provider version 4.5

[mjryan253]

Also having this same issue with terraform 1.3.6 and AWS provider 4.50.0

[joeybenamy]

Same issue. Terraform 1.3.9, AWS provider 4.48.0

[dr-yd]

Same, with 1.3.9 and provider 4.55.0. Strangely, it's just for one key, and we have a lot of them across a lot of projects, all deployed via the same module. Granted, though, it's a fairly complicated key policy because it manages access to our central Terraform state bucket CMK (of all things)...

In the console, the individual elements of the policy switch places over and over while Terraform is deploying, so it seems to have to do with sorting - although that might just be a normal behavior that usually doesn't matter and is ignored because it has no effect.

The policy is updated in the end, but Terraform never considers the deployment finished and attempts to update it again on the next run. Removing and reimporting the key does not help - Terraform attempts to update it again immediately after importing.

[dr-yd]

For me, the issue is solved. An arn:aws:sts::<account>:role/role-name ARN instead of arn:aws:iam:: had slipped into there - AWS apparently accepts these as equivalent and converts them to arn:aws:iam:: ARNs. Not sure if that's well-defined behavior and if the provider should take it into account.

[marcofranssen]

Facing same issue.

We are using the https://github.com/terraform-aws-modules/terraform-aws-eks module.

This module in turn uses the https://github.com/terraform-aws-modules/terraform-aws-kms module.

In the console of my AWS account I see the KMS key is there and the key also has the policy applied as defined by the terraform module.

Still terraform fails with every single apply. Also for us this is a big blocker as all our CI/CD pipelines are failing.

See here how we use the module

  kms_key_deletion_window_in_days = 7
  kms_key_owners                  = var.kms_key_owners
  kms_key_administrators          = var.kms_key_administrators

Both variables are used with roles.

[marcofranssen]

Facing same issue.

We are using the https://github.com/terraform-aws-modules/terraform-aws-eks module.

This module in turn uses the https://github.com/terraform-aws-modules/terraform-aws-kms module.

In the console of my AWS account I see the KMS key is there and the key also has the policy applied as defined by the terraform module.

Still terraform fails with every single apply. Also for us this is a big blocker as all our CI/CD pipelines are failing.

See here how we use the module

  kms_key_deletion_window_in_days = 7
  kms_key_owners                  = var.kms_key_owners
  kms_key_administrators          = var.kms_key_administrators

Both variables are used with roles.

[marcofranssen]

Facing same issue.

We are using the https://github.com/terraform-aws-modules/terraform-aws-eks module.

This module in turn uses the https://github.com/terraform-aws-modules/terraform-aws-kms module.

In the console of my AWS account I see the KMS key is there and the key also has the policy applied as defined by the terraform module.

Still terraform fails with every single apply. Also for us this is a big blocker as all our CI/CD pipelines are failing.

See here how we use the module

  kms_key_deletion_window_in_days = 7
  kms_key_owners                  = var.kms_key_owners
  kms_key_administrators          = var.kms_key_administrators

Both variables are used with roles.