hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Cannot use AWS Managed Keys for S3Action with aws_ses_receipt_rule in a fresh AWS Account #38296

Open JGSweets opened 1 month ago

JGSweets commented 1 month ago

Terraform Core Version

1.9.1

AWS Provider Version

5.57.0

Affected Resource(s)

aws_ses_receipt_rule

Expected Behavior

In a fresh account (AWS managed keys not generated), one should be able to use aws_ses_receipt_rule with an s3_action that utilizes client-side encryption using the default SES KMS alias.

e.g.

resource "aws_ses_receipt_rule" "example" {
    name          = "example"
    rule_set_name = aws_ses_receipt_rule_set.example.rule_set_name
    # ... (other arguments omitted)

    s3_action {
        position    = 1
        bucket_name = aws_s3_bucket.example.bucket
        kms_key_arn = "arn:<PARTITION>:kms:<REGION>:<ACCOUNT_ID>:alias/aws/ses"
    }

    depends_on = [
        aws_s3_bucket_policy.example,
    ]
}

Or at the very least, the error itself needs to be more detailed on the fact that the KMS key was not generated previously.

Actual Behavior

We receive the following error: InvalidS3Configuration: Could not write to bucket: <EXAMPLE_BUCKET_NAME>

This error occurs because instead of generating the KMS key for the alias like it does in the console, it thinks the KMS key does not exist.

Relevant Error/Panic Output Snippet

InvalidS3Configuration: Could not write to bucket: <EXAMPLE_BUCKET_NAME>
    status code: 400, request id: <...>

Terraform Configuration Files

N/A

Steps to Reproduce

In a fresh account without an existing AWS Managed key alias for SES aws/ses, create a receipt rule as shown in the above code.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
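
A pre-apply check for the condition reported above, added here as an example (it is not code from the issue author or from the provider). It reads the output of "aws kms list-aliases --output json" and relies on the documented ListAliases behaviour that a predefined AWS alias with no KMS key behind it yet is returned without a TargetKeyId field. The sample JSON, the account id, the key id and the function names are constructed for illustration.

```python
import json

# Constructed sample of `aws kms list-aliases --output json` for a fresh
# account. The account id and key id are placeholders, not real values.
SAMPLE_FRESH_ACCOUNT = json.dumps({
    "Aliases": [
        {"AliasName": "alias/aws/s3",
         "AliasArn": "arn:aws:kms:us-east-1:111122223333:alias/aws/s3",
         "TargetKeyId": "00000000-0000-0000-0000-000000000001"},
        # Predefined alias with no key behind it yet: TargetKeyId is absent.
        {"AliasName": "alias/aws/ses",
         "AliasArn": "arn:aws:kms:us-east-1:111122223333:alias/aws/ses"},
    ]
})


def alias_state(list_aliases_json, alias_name="alias/aws/ses"):
    """Return 'ready', 'unprovisioned' or 'missing' for alias_name."""
    aliases = json.loads(list_aliases_json).get("Aliases", [])
    for entry in aliases:
        if entry.get("AliasName") == alias_name:
            return "ready" if entry.get("TargetKeyId") else "unprovisioned"
    return "missing"


def preflight(list_aliases_json, kms_key_arn):
    """Check the alias named in an s3_action kms_key_arn before apply."""
    # ARN form: arn:<partition>:kms:<region>:<account>:alias/<name>
    resource = kms_key_arn.split(":", 5)[-1]
    if not resource.startswith("alias/"):
        return True, "kms_key_arn is not an alias; nothing to check here"
    state = alias_state(list_aliases_json, resource)
    if state == "ready":
        return True, f"{resource} resolves to a KMS key"
    return False, (f"{resource} is {state}: expect InvalidS3Configuration "
                   "from SES until a key exists behind this alias")


if __name__ == "__main__":
    arn = "arn:aws:kms:us-east-1:111122223333:alias/aws/ses"
    ok, message = preflight(SAMPLE_FRESH_ACCOUNT, arn)
    print("OK" if ok else "BLOCK", "-", message)
```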
