hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

KMS Key Aliases are created but state is not always updated #7891

Closed ghost closed 5 years ago

ghost commented 5 years ago

This issue was originally opened by @tolidano as hashicorp/terraform#20640. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

0.11.7

Terraform Configuration Files

# Terraform 0.11 syntax (string interpolation), matching the reported version.
# Input variables referenced below; the aws_iam_policy_document "key_policy"
# data source is referenced by the report but its body was not included.
variable "description" {}
variable "alias_name" {}
variable "env" {}

data "aws_caller_identity" "current" {}

# Customer-managed key with automatic rotation and the maximum 30-day
# deletion window.
resource "aws_kms_key" "key" {
  description             = "${var.description}"
  policy                  = "${data.aws_iam_policy_document.key_policy.json}"
  deletion_window_in_days = "30"
  is_enabled              = "true"
  enable_key_rotation     = "true"

  tags {
    description = "${var.description}"
    cost        = "${var.env == "production" ? "production" : "non-production"}"
    name        = "${var.alias_name}"
    managed     = "Terraform"
  }
}

# Alias pointing at the key above; this is the resource that went missing
# from state after apply.
resource "aws_kms_alias" "key_alias" {
  name          = "alias/${var.alias_name}"
  target_key_id = "${aws_kms_key.key.id}"
}

Debug Output

N/A

Crash Output

N/A

Expected Behavior

When I apply the above, it should create a key and an alias and properly update the state in S3.

Actual Behavior

The key and alias were created, but the state was only updated with the key. A subsequent plan against the same environment attempted to recreate the key alias, which resulted in an AWS exception stating the alias already existed (it did).

Steps to Reproduce

Over multiple environments, the first run (in QA) worked as expected, but the second run (in production) did not. The key and alias were created, but the state was only updated with the key. A subsequent plan against the same environment attempted to recreate the key alias, which resulted in an AWS exception stating the alias already existed (it did). Import is non-trivial, so I deleted the resource in AWS directly (aws kms delete-alias) and ran the apply again, and this time it worked properly (as it did in QA).

Additional Context

We are using Terragrunt, but that would not explain the erratic behavior.

References

None found.

bflad commented 5 years ago

Hi @tolidano 👋 Sorry for the strange behavior here.

If you enable Terraform debug logging, e.g. TF_LOG=debug terragrunt apply, do you see log messages like the following when this occurs?

[DEBUG] Removing KMS Alias (alias/XXXXXX) as it's already gone

We have seen sporadic failures like these occur in our daily acceptance testing as well and it's due to a slight implementation issue in attempting to handle KMS eventual consistency. We can submit a fix for this in the near future.
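The failure mode bflad describes, reconstructed as an added example (this is not the provider's code): a read that runs right after CreateAlias can get a NotFoundException because KMS is eventually consistent, and a read path that treats every NotFound as "already gone" silently drops the alias from state while it still exists in AWS, so the next plan tries to create it again. The fake KMS client, the propagation-lag model (a fixed number of reads that still miss), and the alias names and key IDs below are all constructed for illustration; the retry window is bounded so a genuinely deleted alias is still removed from state eventually.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrNotFound stands in for the KMS NotFoundException that a DescribeAlias
// style read returns while a just-created alias has not yet propagated.
var ErrNotFound = errors.New("NotFoundException: alias not found")

// fakeKMS is a constructed model of an eventually consistent KMS endpoint.
// Assumption: propagation is modelled as a fixed number of reads that still
// return NotFound after CreateAlias has succeeded.
type fakeKMS struct {
	aliases map[string]string // alias name -> target key ID
	pending map[string]int    // alias name -> reads left that still miss
	reads   int               // total read calls, for inspection
}

func newFakeKMS() *fakeKMS {
	return &fakeKMS{aliases: map[string]string{}, pending: map[string]int{}}
}

// CreateAlias succeeds immediately, but the alias stays invisible to the
// next lagReads reads.
func (k *fakeKMS) CreateAlias(name, keyID string, lagReads int) {
	k.aliases[name] = keyID
	k.pending[name] = lagReads
}

// DescribeAlias returns the target key ID, or ErrNotFound while the alias
// is still propagating (or really does not exist).
func (k *fakeKMS) DescribeAlias(name string) (string, error) {
	k.reads++
	if k.pending[name] > 0 {
		k.pending[name]--
		return "", ErrNotFound
	}
	keyID, ok := k.aliases[name]
	if !ok {
		return "", ErrNotFound
	}
	return keyID, nil
}

// aliasState is the slice of Terraform state this example cares about:
// an empty ID means the resource is no longer tracked.
type aliasState struct{ ID string }

// readAliasNaive reproduces the bug: the first NotFound after Create is
// taken as "already gone" and the alias is dropped from state even though
// it exists in AWS. The next plan recreates it and AWS reports AlreadyExists.
func readAliasNaive(k *fakeKMS, st *aliasState) {
	if _, err := k.DescribeAlias(st.ID); errors.Is(err, ErrNotFound) {
		fmt.Printf("[DEBUG] Removing KMS Alias (%s) as it's already gone\n", st.ID)
		st.ID = ""
	}
}

// readAliasWithRetry treats NotFound as retryable for a bounded window
// after creation and clears state only once that window is exhausted.
func readAliasWithRetry(k *fakeKMS, st *aliasState, attempts int, wait time.Duration) error {
	name := st.ID
	for i := 0; i < attempts; i++ {
		_, err := k.DescribeAlias(name)
		if err == nil {
			return nil // visible: keep it in state
		}
		if !errors.Is(err, ErrNotFound) {
			return err // any other API error is surfaced, not swallowed
		}
		time.Sleep(wait)
	}
	st.ID = "" // still missing after the window: treat as really gone
	return fmt.Errorf("alias %s not visible after %d reads", name, attempts)
}

func main() {
	k := newFakeKMS()
	k.CreateAlias("alias/example-app", "key-00000000-constructed", 2)

	naive := &aliasState{ID: "alias/example-app"}
	readAliasNaive(k, naive)
	fmt.Printf("naive read: tracked=%q, exists in AWS=%v\n", naive.ID, k.aliases["alias/example-app"] != "")

	k2 := newFakeKMS()
	k2.CreateAlias("alias/example-app", "key-00000000-constructed", 2)
	retry := &aliasState{ID: "alias/example-app"}
	err := readAliasWithRetry(k2, retry, 5, 10*time.Millisecond)
	fmt.Printf("retrying read: tracked=%q, err=%v, reads=%d\n", retry.ID, err, k2.reads)
}
```

The practitioner check remains the one bflad gives above: run with TF_LOG=debug and look for the "Removing KMS Alias ... as it's already gone" line in the apply that lost the alias; if it appears on a freshly created alias, the read hit propagation lag rather than a real deletion.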

bflad commented 5 years ago

Fix submitted: #7907

nywilken commented 5 years ago

The fix has been merged and will release with version 2.2.0 of the Terraform AWS Provider, likely later today.

bflad commented 5 years ago

This has been released in version 2.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!