hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Add ability to disable validation step for s3 backend `kms_key_id` #34763

Open PeppaTheC opened 4 months ago

PeppaTheC commented 4 months ago

Terraform Version

1.7.3

Use Cases

Hi, we have our own S3-like storage to save Terraform state.

  backend "s3" {
    endpoints = {
      s3 = "https://private.storage.net"
    }
    bucket   = "<BUCKET>"
    region   = "ua-central1"
    key      = "terraform.tfstate"

    skip_s3_checksum            = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_credentials_validation = true

    encrypt = true
    access_key = "<KEY>"
    secret_key = "<SECRET>"
    kms_key_id = "<KEY_ID>"
  }

Starting from Terraform version 1.6.0 there is a validation step for the `kms_key_id` field, here.

And so, we have an error:

2024-02-19T18:36:52.200+0300 [INFO]  Terraform version: 1.7.3

| Error: Invalid KMS Key ID
| 
|   on provider.tf line 29, in terraform:
|   29:     kms_key_id = "****"
| 
| Value must be a valid KMS Key ID, got "****"

Attempted Solutions

There is no existing solution.

Proposal

Can we add a new flag/parameter to the s3 backend configuration to disable `kms_key_id` validation?

References

No response

crw commented 4 months ago

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions.

This issue would be handled by the AWS Provider team at HashiCorp, so the request has been put into their backlog.

Thanks again!

opportunity356 commented 2 weeks ago

Hi! Any updates?

| Value must be a valid KMS Key ID, got ""

For clarity, I'm adding an example of a KMS Key ID: "abjl6mft1vop****"

In versions under 1.6.0 we had the ability to use alternative S3-like backends (for example Yandex Storage) and alternative KMS-like services (Yandex KMS).

But now it is impossible to use new versions of Terraform with the Yandex provider in such scenarios, according to this issue.
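The mismatch discussed in this thread, as an added example that is not Terraform's own code: a small Go classifier that tells AWS-shaped `kms_key_id` values apart from identifiers issued by another KMS. The function name `ClassifyKMSKey` and both patterns are assumptions based on AWS's documented key ID and key ARN formats, not the validator Terraform ships.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed shapes, based on AWS's documented KMS key identifier formats.
// Illustrative patterns only; not copied from Terraform's source.
var (
	keyIDRe  = regexp.MustCompile(`^(mrk-[0-9a-f]{32}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$`)
	keyARNRe = regexp.MustCompile(`^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/(.+)$`)
)

// ClassifyKMSKey (hypothetical helper) reports which AWS-style shape a
// kms_key_id value has, or "unrecognized" for anything else, such as an
// identifier issued by a non-AWS KMS.
func ClassifyKMSKey(v string) string {
	if keyIDRe.MatchString(v) {
		return "key-id"
	}
	// For an ARN, the resource part after "key/" must itself be a key ID.
	if m := keyARNRe.FindStringSubmatch(v); m != nil && keyIDRe.MatchString(m[1]) {
		return "key-arn"
	}
	return "unrecognized"
}

func main() {
	// Constructed sample values; the last is the redacted ID quoted in the thread.
	samples := []string{
		"1234abcd-12ab-34cd-56ef-1234567890ab",
		"mrk-1234abcd12ab34cd56ef1234567890ab",
		"arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
		"abjl6mft1vop****",
	}
	for _, s := range samples {
		fmt.Printf("%-78s %s\n", s, ClassifyKMSKey(s))
	}
}
```

Run against the `kms_key_id` values in existing backend blocks, a check like this shows which configurations are likely to hit the validation step before moving to 1.6.0 or later.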