pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

`aws.qldb.Ledger` `kms_key` input shows a diff on every `preview` or `up` #2516

Open magreenbaum opened 1 year ago

magreenbaum commented 1 year ago

What happened?

The QLDB ledger module kms_key input shows a continual diff to add kms_key.

    ~ aws:qldb/ledger:Ledger: (update)
        [id=test-ledger]
        [urn=urn:pulumi:dev::dev-resources::aws:qldb/ledger:Ledger::test-ledger]
        [provider=urn:pulumi:dev::dev-resources::pulumi:providers:aws::default_5_40_0::63b5e5a0-a8fe-49d3-8ce2-7ae0f39bbc3b]
      + kmsKey: "AWS_OWNED_KMS_KEY"

Expected Behavior

kmsKey applies and no longer shows a diff to be added on each subsequent preview or up.

Steps to reproduce

Run pulumi up using this code snippet. Then run subsequent preview or up.

import pulumi
import pulumi_aws as aws

# Minimal reproduction: an explicitly AWS-owned KMS key on a QLDB ledger.
test = aws.qldb.Ledger(
    resource_name="test-ledger",
    name="test-ledger",
    deletion_protection=False,
    kms_key="AWS_OWNED_KMS_KEY",  # this value is what keeps showing up as "+ kmsKey" on every preview/up
    permissions_mode="STANDARD",
)

pulumi.export("test-ledger", test)

Output of pulumi about

CLI          
Version      3.66.0
Go Version   go1.20.3
Go Compiler  gc

Plugins
NAME     VERSION
aws      5.40.0

Host     
OS       darwin
Version  13.2.1
Arch     arm64

Additional context

No response


danielrbradley commented 1 year ago

Hi @magreenbaum thanks for reporting this.

It appears this is an oddity in the underlying implementation. AWS treats the KMS key being set to AWS_OWNED_KMS_KEY the same as the field not being set. When it's read back from AWS, if it's managed by AWS it's not set to AWS_OWNED_KMS_KEY but is always not set. API Reference

This issue can be avoided by just not setting the field if you want it to be managed by AWS.

This might be worth logging as an issue for the underlying terraform provider, as I expect that is where it would need to be addressed; it would then be available in the next release of our provider once fixed on their side.
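The mechanism described in the comment above (the program says `AWS_OWNED_KMS_KEY`, AWS reports the field as unset, so the provider sees a difference on every refresh) can be modelled without touching AWS. The block below is an added illustration, not code from pulumi-aws or the AWS provider: `read_back_kms_key`, `normalize_kms_key`, `compute_diff` and `plan` are hypothetical helpers that simulate the read-back and the diff calculation, and the inputs and the sample key ARN are constructed for the example.

```python
"""Simulation of the perpetual kms_key diff on aws.qldb.Ledger.

Added illustration, not provider code. It models three steps:
  1. the inputs written in the Pulumi program,
  2. what AWS reports when the ledger is read back (an AWS-owned key is
     reported as "not set", a customer-managed key as its ARN),
  3. the diff computed from desired inputs vs. read-back state.
normalize_kms_key() shows the workaround from the comment above: treat the
AWS_OWNED_KMS_KEY sentinel as "unset" (or just omit the field).
"""
from typing import Dict, Optional, Tuple

AWS_OWNED = "AWS_OWNED_KMS_KEY"  # sentinel accepted on input, never returned on read


def read_back_kms_key(requested: Optional[str]) -> Optional[str]:
    """Simulate the read-back of the ledger's KMS key (hypothetical helper).

    An AWS-owned key, whether requested explicitly or by leaving the field
    unset, is reported as no value at all; a customer-managed key is
    reported as the ARN that was supplied.
    """
    if requested is None or requested == AWS_OWNED:
        return None
    return requested


def normalize_kms_key(value: Optional[str]) -> Optional[str]:
    """Map the sentinel to None so desired state matches what AWS reports."""
    return None if value == AWS_OWNED else value


def compute_diff(desired: Dict[str, object], actual: Dict[str, object]) -> Dict[str, Tuple[object, object]]:
    """Return {property: (read_back_value, desired_value)} for every mismatch.

    Mirrors how a declarative provider decides what to show on `preview`:
    anything in the program that differs from the refreshed state is a change.
    """
    diff: Dict[str, Tuple[object, object]] = {}
    for key in sorted(set(desired) | set(actual)):
        old, new = actual.get(key), desired.get(key)
        if old != new:
            diff[key] = (old, new)
    return diff


def plan(inputs: Dict[str, object], normalize: bool = False) -> Dict[str, Tuple[object, object]]:
    """Simulate `pulumi up` followed by `pulumi preview` for the given inputs.

    With normalize=False the sentinel is compared literally against the
    read-back value and the diff never converges; with normalize=True the
    sentinel is treated as "unset" before comparing and the diff is empty.
    """
    desired = dict(inputs)
    if normalize:
        desired["kms_key"] = normalize_kms_key(desired.get("kms_key"))  # type: ignore[arg-type]
    # State after the first `up`, as AWS would report it on refresh.
    actual = dict(desired)
    actual["kms_key"] = read_back_kms_key(desired.get("kms_key"))  # type: ignore[arg-type]
    return compute_diff(desired, actual)


# Constructed inputs matching the reproduction in the issue.
ISSUE_INPUTS: Dict[str, object] = {
    "name": "test-ledger",
    "deletion_protection": False,
    "kms_key": AWS_OWNED,
    "permissions_mode": "STANDARD",
}

# Constructed ARN of a customer-managed key; no real account or key is referenced.
CMK_INPUTS: Dict[str, object] = dict(ISSUE_INPUTS, kms_key="arn:aws:kms:us-east-1:111122223333:key/example-key-id")

if __name__ == "__main__":
    print("explicit sentinel :", plan(ISSUE_INPUTS))                  # {'kms_key': (None, 'AWS_OWNED_KMS_KEY')}
    print("sentinel normalized:", plan(ISSUE_INPUTS, normalize=True))  # {}
    print("customer-managed   :", plan(CMK_INPUTS))                    # {}
```

In the real program the fix is the one the comment gives: leave `kms_key` out of the `aws.qldb.Ledger(...)` call when the AWS-owned key is wanted, which is exactly what `normalize=True` models. Passing a customer-managed key ARN does not hit the problem, because the ARN is what AWS reports back.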

magreenbaum commented 1 year ago

I've opened an issue with the terraform provider. https://github.com/hashicorp/terraform-provider-aws/issues/31403