[Bug]: aws_launch_template.block_device_mapping.ebs.kms_key_id is not accept arn now

[cn00]

Terraform Core Version

1.9.x

AWS Provider Version

5.50+

Affected Resource(s)

• aws_instance
• aws_ebs_volume
• aws_launch_template
• aws_kms_key

Expected Behavior

success launching a new EC2 instance

Actual Behavior

aws_launch_template.block_device_mapping.ebs.kms_key_id is not accept arn now, maybe this is due to the recent updates of aws

Relevant Error/Panic Output Snippet

Launching a new EC2 instance: i-03781f2dd0af0684e. Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

Terraform Configuration Files

# Define a kms resource
resource "aws_kms_key" "ebs" {}
# Define launch template
resource "aws_launch_template" "app_1" {
  image_id = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  block_device_mappings {
    device_name = "/dev/sda1"
    ebs {
      volume_size = 10
      volume_type = "gp2"

      # terrafrom plan Error: "block_device_mappings.0.ebs.0.kms_key_id" \
      #(60ce0cae-a6be-4ac5-ab4e-135cc2636db6) is an invalid ARN: arn: invalid prefix
      kms_key_id = aws_kms_key.ebs.key_id 

      # terrafrom plan&apply ok,but launching instance failed: \
      # Launching a new EC2 instance: i-03781f2dd0af0684e. \
      # Status Reason: Instance became unhealthy while \
      # waiting for instance to be in InService state. \
      # Termination Reason: Client.InvalidKMSKey.InvalidState: \
      # The KMS key provided is in an incorrect state
      kms_key_id = aws_kms_key.ebs.arn 
    }
  }
}

Steps to Reproduce

terraform plan

Debug Output

No response

Panic Output

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: "block_device_mappings.0.ebs.0.kms_key_id" (60ce0cae-a6be-4ac5-ab4e-135cc2636db6) is an invalid ARN: arn: invalid prefix
│ 
│   with module.main.aws_launch_template.default,
│   on ../../main/ec2.tf line 73, in resource "aws_launch_template" "default":
│   73:       kms_key_id = aws_kms_key.ebs.id
│ 
╵
make: *** [plan] Error 1

Important Factoids

No response

References

• launch_template

Would you like to implement a fix?

Yes

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Hey @cn00 👋 Thank you for taking the time to raise this! While the argument that you're setting within the aws_launch_template argument is called kms_key_id, an ARN is expected here (note: the naming of this matches the underlying API). With that in mind, using aws_kms_key.ebs.arn as the value for that argument is the correct solution.

As far as the error that you received when using that value, the key detail is here:

      # Termination Reason: Client.InvalidKMSKey.InvalidState:
      # The KMS key provided is in an incorrect state

I found what seems to be a fairly helpful post in AWS' forums. Ultimately the error message points to an issue with the state of the KMS key (in all likelihood a configuration issue), rather than the aws_launch_template resource itself. With that in mind, I'm going to close this issue. If you experience unexpected behavior with the provider in the future, please do let us know!

[github-actions[bot]]

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[davidh38]

@justinretzolk Hi Justin, i have the same problem. The plan is showing me, the kms id and not the arn. The user is then inclined to use the kms id as parameter for the parameter kms_key_id, but then again the plan fails, because it is not an arn. This seems inconsistent. The state file shows the arn of kms.

I would suggest to either get the arn as kms_key_id from the plan or you can use the kms id as kms_key_id, but in this way, as it is currently, there seems no way to fix the terraform configuration without changing the resource.