hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: "kms_master_key_id" is not validated on an "apply_server_side_encryption_by_default" block on the "aws_s3_bucket_server_side_encryption_configuration" resource #38110

Open jorgellanos91 opened 1 week ago

jorgellanos91 commented 1 week ago

Terraform Core Version

1.8.5

AWS Provider Version

=5.0

Affected Resource(s)

Expected Behavior

This configuration must fail because the attribute

kms_master_key_id = "aws/s3"

cannot be configured this way, and AWS does not accept this configuration as valid.

Actual Behavior

'terraform apply' command is successful

Relevant Error/Panic Output Snippet

There is no error or output, even when the configuration is not valid for AWS.

Terraform Configuration Files

terraform {
  required_version = ">= 1.5"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

resource "aws_s3_bucket" "this" {
  bucket = "test"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  bucket = aws_s3_bucket.this.bucket

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = "aws/s3"
      sse_algorithm     = "aws:kms"
    }
  }
}

Steps to Reproduce

terraform init
terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None


dimaman2001 commented 1 week ago

@jorgellanos91 - This is not a bug. Per the documentation on the s3_bucket_server_side_encryption_configuration resource:

kms_master_key_id - (Optional) AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms.

Simply omit kms_master_key_id and you should be good to go!

jorgellanos91 commented 1 week ago

Hey @dimaman2001 thanks for your quick reply!

You are right, I understand that I can skip the kms_master_key_id parameter, but that doesn't mean it's not a bug. Anyone can configure an alias to any KMS key, default or not, without the provider raising any error or warning. Also, AWS doesn't support the alias as a valid value.
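As an added example, not code from the provider or from either commenter, here is what a plan-time check for this attribute could look like in Go, the provider's own language. The accepted shapes are the ones documented for the S3 PutBucketEncryption KMSMasterKeyID parameter as I understand them (bare key ID, key ARN, "alias/<name>", alias ARN); the function names, regular expressions and the coupling rule to sse_algorithm are my own assumptions, and whether a given alias resolves in a given account is something the API, not this snippet, decides.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Accepted forms of KMSMasterKeyID for S3 default encryption (assumption:
// taken from the S3 PutBucketEncryption documentation as I recall it; confirm
// against the current AWS docs before relying on it):
//   - key ID:     1234abcd-12ab-34cd-56ef-1234567890ab
//   - key ARN:    arn:aws:kms:<region>:<account>:key/<key-id>
//   - alias name: alias/<alias-name>
//   - alias ARN:  arn:aws:kms:<region>:<account>:alias/<alias-name>
var (
	keyIDRe    = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
	aliasRe    = regexp.MustCompile(`^alias/[A-Za-z0-9/_-]+$`)
	keyARNRe   = regexp.MustCompile(`^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$`)
	aliasARNRe = regexp.MustCompile(`^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:alias/[A-Za-z0-9/_-]+$`)
)

// ValidateKMSMasterKeyID returns nil when id is empty (attribute omitted, so
// S3 falls back to the AWS managed aws/s3 key) or in one of the accepted
// forms, and an error otherwise. The bare "aws/s3" from the issue is rejected
// with a hint, because it is an alias name missing its "alias/" prefix.
func ValidateKMSMasterKeyID(id string) error {
	if id == "" {
		return nil
	}
	if keyIDRe.MatchString(id) || aliasRe.MatchString(id) ||
		keyARNRe.MatchString(id) || aliasARNRe.MatchString(id) {
		return nil
	}
	if strings.HasPrefix(id, "aws/") {
		return fmt.Errorf("kms_master_key_id %q looks like an alias name without the required prefix; did you mean %q?", id, "alias/"+id)
	}
	return fmt.Errorf("kms_master_key_id %q is not a KMS key ID, key ARN, alias name or alias ARN", id)
}

// ValidateRule checks the rule-level coupling: a key may only be given when
// sse_algorithm is a KMS algorithm (assumption: aws:kms and aws:kms:dsse).
func ValidateRule(sseAlgorithm, kmsMasterKeyID string) error {
	if err := ValidateKMSMasterKeyID(kmsMasterKeyID); err != nil {
		return err
	}
	usesKMS := sseAlgorithm == "aws:kms" || sseAlgorithm == "aws:kms:dsse"
	if kmsMasterKeyID != "" && !usesKMS {
		return fmt.Errorf("kms_master_key_id can only be set when sse_algorithm is aws:kms, got %q", sseAlgorithm)
	}
	return nil
}

func main() {
	// Constructed inputs: the issue's own configuration and the corrected forms.
	for _, id := range []string{"aws/s3", "alias/aws/s3", "", "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"} {
		fmt.Printf("%-80q -> %v\n", id, ValidateRule("aws:kms", id))
	}
	fmt.Println(ValidateRule("AES256", "alias/aws/s3"))
}
```

Run as `go run main.go`; the first line of output is the error a validator would raise at plan time for the configuration in the issue, instead of the silent success reported above.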