hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: cannot update an AWS keypair value in Terraform / must use console #30521

Open jorhett opened 1 year ago

jorhett commented 1 year ago

Terraform Core Version

1.4.4

AWS Provider Version

4.61

Affected Resource(s)

Expected Behavior

When the value for a key has changed, the key pair should be replaced as per the plan output:

# aws_key_pair.service_keypair must be replaced
+/- resource "aws_key_pair" "service_keypair" {
      ~ arn             = "arn:aws:ec2:us-east-0:1234567890:key-pair/production" -> (known after apply)
      ~ fingerprint     = "*******************=" -> (known after apply)
      ~ id              = "production" -> (known after apply)
      + key_name_prefix = (known after apply)
      ~ key_pair_id     = "key-abcdef123456789" -> (known after apply)
      ~ key_type        = "ed25519" -> (known after apply)
      ~ public_key      = (sensitive value) # forces replacement

Actual Behavior

aws_key_pair.service_keypair: Creating...
╷
│ Error: importing EC2 Key Pair (production): InvalidKeyPair.Duplicate: The keypair already exists

The only possible way to make this succeed is to delete the keypair from the console then run terraform again.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_key_pair" "service_keypair" {
  key_name = "production"
  public_key = data.vault_generic_secret.service_ssh_key.data["public_key"]
}

I tried adding a lifecycle parameter to ensure it was deleted before creation but that didn't change the outcome.

resource "aws_key_pair" "service_keypair" {
  key_name = "production"
  public_key = data.vault_generic_secret.service_ssh_key.data["public_key"]
  lifecycle {
    create_before_destroy = false
  }
}

Steps to Reproduce

  1. Create the key using one value
  2. Change the public key value
  3. Run plan and confirm that it will replace the key
  4. Run apply ... and get failure

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
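An added example (it is not part of the issue and not the provider's own documentation) of a configuration under which the rotation described above completes. The plan in the report is a `+/-` replace, meaning Terraform creates the new key pair before destroying the old one, and a create-first replace of a key pair that keeps the fixed name `production` collides with the key of that name that still exists, which is the `InvalidKeyPair.Duplicate` error shown. `key_name_prefix` makes AWS generate a unique name for each replacement key pair, so the create-first ordering succeeds. The resource name and the Vault data source are the ones from the report; the `aws_instance` resource, the `var.ami_id` variable and the instance type are assumptions added for illustration.

```hcl
# Added example, not from the issue: rotate an EC2 key pair without the
# InvalidKeyPair.Duplicate error.
#
# create_before_destroy is inherited: if any resource that depends on the
# key pair sets it to true, the key pair is replaced create-first as well,
# so setting it to false on the key pair alone may not change the "+/-"
# ordering seen in the plan. Rather than fighting the ordering, give each
# generated key pair a unique name so the new one can exist alongside the
# old one until the old one is destroyed.

resource "aws_key_pair" "service_keypair" {
  key_name_prefix = "production-"   # AWS appends a unique suffix
  public_key      = data.vault_generic_secret.service_ssh_key.data["public_key"]

  lifecycle {
    create_before_destroy = true
  }
}

# Assumed consumer (not in the report): an instance launched with the key.
# Trade-off raised later in the thread: key_name on aws_instance forces
# replacement, so rotating the key pair this way still replaces every
# instance that references it. Instances that must keep running need the
# new public key delivered to ~/.ssh/authorized_keys by other means
# (user data, SSM, configuration management), not via this resource.
resource "aws_instance" "example" {
  ami           = var.ami_id   # assumed variable
  instance_type = "t3.micro"
  key_name      = aws_key_pair.service_keypair.key_name
}
```

To check which key pair the running fleet was actually launched with before applying a rotation (useful for spotting drift between the key pair resource and instances that were created outside Terraform), `aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,KeyName]' --output text` lists the instance id and key name for every instance in the region.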

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

kbasdf commented 1 month ago

This resolved the issue for myself. I was undertaking a popular terraform course on youtube. It seems you too have taken the same course.

try this ->

Generate a new ssh file. Keep the name of the new ssh file the same as before. Overwrite the file.

Rename the aws keypair resource 'key_name'.

In my case, I changed it from key_name = "mtckey"

to key_name = "mtckey1"

If this does not work, try importing. More information in the docs.

Docs say "In Terraform v1.5.0 and later, use an import block to import Key Pairs using the key_name. For example:"

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair

jorhett commented 1 month ago

> This resolved the issue for myself. I was undertaking a popular terraform course on youtube. It seems you too have taken same course.

I've never taken any course. I've been using Terraform for 12+ years.

> try this -> ... rename the aws keypair resource 'key_name' in my case, I changed it from key_name = "mtckey"

You created a new resource. What about the 15,000 nodes which have the existing keypair associated with their instance? If you change the key associated, they will all be destroyed and rebuilt.

But none of this is relevant. The Amazon API allows updating the key. Terraform should allow the same.

> If this does not work. Try importing. More information on docs

I'm sorry, you appear to be confused about purpose. You are new and learning about Terraform -- good for you. But your advice is not relevant to this bug, and you don't have the experience (yet) to understand the impact of creating a new resource and all the relationships between resources, etc. I wish you the best in your learning, but please don't further respond to this bug as if I require some basic learning about Terraform.