[Bug]: Perpetual recreation of DynamoDB table replica when using default KMS key

[virtualdom]

Terraform Core Version

1.15

AWS Provider Version

4.55.0

Affected Resource(s)

aws_dynamodb_table

Expected Behavior

No proposed changes when my aws_dynamodb_table is not changed

Actual Behavior

Perpetual diff in plan

  # aws_dynamodb_table.table will be updated in-place
  ~ resource "aws_dynamodb_table" "table" {
        id               = "table"
        name             = "table"
        tags             = {
            "foo" = "bar"
        }
        # (10 unchanged attributes hidden)

      - replica {
          - arn                    = <REPLICA ARN> -> null
          - point_in_time_recovery = false -> null
          - propagate_tags         = false -> null
          - region_name            = <REPLICA REGION> -> null
          - stream_arn             = <STREAM ARN> -> null
          - stream_label           = <STREAM LABEL> -> null
        }
      + replica {
          + arn                    = (known after apply)
          + kms_key_arn            = <DEFAULT KMS KEY ARN>
          + point_in_time_recovery = false
          + propagate_tags         = false
          + region_name            = <SAME REPLICA REGION>
          + stream_arn             = (known after apply)
          + stream_label           = (known after apply)
        }

        # (9 unchanged blocks hidden)
    }

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_dynamodb_table" "table" {
  name             = "table"
  billing_mode     = "PAY_PER_REQUEST"
  hash_key         = ...
  stream_enabled   = true
  stream_view_type = "NEW_IMAGE"

  server_side_encryption {
    enabled = true
  }

  attribute {
  ...
  }

  global_secondary_index {
  ...
  }

  ttl {
  ...
  }

  point_in_time_recovery {
    enabled = true
  }

  dynamic "replica" {
    for_each = local.replica_regions
    content {
      region_name = replica.value.region_name
      kms_key_arn = replica.value.kms_key_arn
    }
  }

  tags = {
    "foo" = "bar"
  }
}

Steps to Reproduce

With an existing DynamoDB table and replica (aka at least one defined local.replica_regions), run plan with no config changes

Debug Output

No response

Panic Output

No response

Important Factoids

I'll add that when I pinned AWS provider version 4.51, this bug didn't appear

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[mycroft]

I think I've hit the exact same issue (or very similar and if required I'll open my own issue), but on my end it when using hashicorp/aws version 4.58.0, I'm ending up with:

terraform plan:

~ resource "aws_dynamodb_table" "terraform_locks" {
        id             = "mycroft-terraform-state-locks"
        # (7 unchanged attributes hidden)

      ~ server_side_encryption {
          + kms_key_arn = "arn:aws:kms:us-east-1:***:key/1234-this-key-is-the-same-key-5678"
            # (1 unchanged attribute hidden)
        }

        # (4 unchanged blocks hidden)
    }

And the apply will eventually fail:

│ Error: updating DynamoDB Table (mycroft-terraform-state-locks) SSE: ValidationException: One or more parameter values were invalid: Table is already encrypted with given KMSMasterKeyId. Use KMSMasterKeyId parameter if you want to change Master Key
│   status code: 400, request id: 3FNGL1aterrificrequestidislyinghere
│ 
│   with aws_dynamodb_table.terraform_locks,
│   on main.tf line 1, in resource "aws_dynamodb_table" "terraform_locks":
│    1: resource "aws_dynamodb_table" "terraform_locks" {

I tried deleting the resource from the state file and import it, but next terraform plan will still throw me the same error.

[jnsaff]

I think the regression happened in this PR: https://github.com/hashicorp/terraform-provider-aws/pull/29102

[leonardocaylent]

Any updates on this issue?