I am using Terraform v1.9.3 with aws provider v5.71.2.
The KMS Policy is a fairly complex policy and it will not update.
Any time I try to do an apply, even if no updates are needed to be done, Terraform thinks the key policy has changed and tries to update it.
The update fails with a 10m timeout:
Error: waiting for KMS Key (xxxxxx) policy update: timeout while waiting for state to become ‘TRUE’ (last state: ‘FALSE’, timeout: 10m0s)
The policy key is not changed.
The issue appears to be that the Terraform aws provider looks at the policy string returned by the AWS API and it does not match what is stored in the Terraform state file. This is caused by the AWS API providing inconsistently ordered Principles and Actions. The AWS API appears to return the Principal and Action lists in random orders and this causes the Terraform aws provider to think it is different, even though it is not really different in content.
This also happens when a real change to the Policy in terraform is made. Terraform pushes the updated Policy and it is accepted by AWS and then Terraform pulls the policy to do a compare and see if it has been updated. The two do not match due to the differently ordered items in the Principal and/or Action lists.
This causes any slightly complex KMS policy to fail.
What can I do?