AWS KMS provider not working

Hi there,

We are having issues creating an AWS KMS key.

Terraform Version

Terraform v0.13.7

Terraform Configuration Files

resource "aws_kms_key" "a" {
  count                   = 1
  description             = "KMS key 1"
  deletion_window_in_days = 10
  policy                  = <<POLICY
{
  "Statement": [
    {
      "Sid": "Enable Admin IAM Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::359816056456:role/developer"]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}

Debug Output

Initializing the backend...

Initializing provider plugins...
- Using previously-installed hashicorp/aws v3.54.0

wal-miali-210423:kms-debug miali$ terraform apply
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Enter a value: us-east-1

aws_kms_key.a[0]: Refreshing state... [id=2df3fe4a-fbca-480c-b182-5fd08bb7a4bb]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_kms_key.a[0] is tainted, so must be replaced
-/+ resource "aws_kms_key" "a" {
      ~ arn                                = "arn:aws:kms:us-east-1:359816056456:key/2df3fe4a-fbca-480c-b182-5fd08bb7a4bb" -> (known after apply)
        bypass_policy_lockout_safety_check = false
        customer_master_key_spec           = "SYMMETRIC_DEFAULT"
        deletion_window_in_days            = 10
        description                        = "KMS key 1"
        enable_key_rotation                = false
      ~ id                                 = "2df3fe4a-fbca-480c-b182-5fd08bb7a4bb" -> (known after apply)
        is_enabled                         = true
      ~ key_id                             = "2df3fe4a-fbca-480c-b182-5fd08bb7a4bb" -> (known after apply)
        key_usage                          = "ENCRYPT_DECRYPT"
      ~ policy                             = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                        Action    = [
                            "kms:Create*",
                            "kms:Describe*",
                            "kms:Enable*",
                            "kms:List*",
                            "kms:Put*",
                            "kms:Update*",
                            "kms:Revoke*",
                            "kms:Disable*",
                            "kms:Get*",
                            "kms:Delete*",
                            "kms:ScheduleKeyDeletion",
                            "kms:CancelKeyDeletion",
                            "kms:TagResource",
                            "kms:UntagResource",
                        ]
                        Effect    = "Allow"
                      ~ Principal = {
                          ~ AWS = "arn:aws:iam::359816056456:role/developer" -> [
                              + "arn:aws:iam::359816056456:role/developer",
                            ]
                        }
                        Resource  = "*"
                        Sid       = "Enable Admin IAM Permissions"
                    },
                ]
              - Version   = "2008-10-17" -> null
            }
        )
      - tags                               = {} -> null
      ~ tags_all                           = {} -> (known after apply)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

Crash Output

Error: error waiting for KMS Key (8ed15ac6-9367-49ba-a93c-79d1e8e93e72) policy propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 2m0s)

  on main.tf line 1, in resource "aws_kms_key" "a":
   1: resource "aws_kms_key" "a" {

Expected Behavior

KMS key is created.

Actual Behavior

Error: error waiting for KMS Key (8ed15ac6-9367-49ba-a93c-79d1e8e93e72) policy propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 2m0s)

  on main.tf line 1, in resource "aws_kms_key" "a":
   1: resource "aws_kms_key" "a" {

Steps to Reproduce

1. `terraform init`
2. `terraform apply`


Additional Context

aws_kms_key.a[0]: Destroying... [id=2df3fe4a-fbca-480c-b182-5fd08bb7a4bb]
aws_kms_key.a[0]: Destruction complete after 0s
aws_kms_key.a[0]: Creating...
aws_kms_key.a[0]: Still creating... [10s elapsed]
aws_kms_key.a[0]: Still creating... [20s elapsed]
aws_kms_key.a[0]: Still creating... [30s elapsed]
aws_kms_key.a[0]: Still creating... [40s elapsed]
aws_kms_key.a[0]: Still creating... [50s elapsed]
aws_kms_key.a[0]: Still creating... [1m0s elapsed]
aws_kms_key.a[0]: Still creating... [1m10s elapsed]
aws_kms_key.a[0]: Still creating... [1m20s elapsed]
aws_kms_key.a[0]: Still creating... [1m30s elapsed]
aws_kms_key.a[0]: Still creating... [1m40s elapsed]
aws_kms_key.a[0]: Still creating... [1m50s elapsed]
aws_kms_key.a[0]: Still creating... [2m0s elapsed]

Error: error waiting for KMS Key (8ed15ac6-9367-49ba-a93c-79d1e8e93e72) policy propagation: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 2m0s)

  on main.tf line 1, in resource "aws_kms_key" "a":
   1: resource "aws_kms_key" "a" {
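The plan diff above shows the two ways AWS rewrote the policy on storage: it filled in the default `"Version": "2008-10-17"` and collapsed the one-element `Principal.AWS` list to a plain string. The following is an added example, not code from the post or from the provider; it takes the configured policy and a constructed copy of the stored form and shows that a literal comparison of the two never matches while a normalized comparison does, which is the check to use when verifying a stored key policy (for example one fetched with `aws kms get-key-policy --key-id <id> --policy-name default`).

```python
import json

# Constructed copies for this example. CONFIGURED is the heredoc policy from
# the post above; STORED is that policy as AWS returns it, matching the
# "before" side of the plan diff (Version filled in, Principal list collapsed).
ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
           "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
           "kms:TagResource", "kms:UntagResource"]
ROLE = "arn:aws:iam::359816056456:role/developer"

CONFIGURED = {"Statement": [{"Sid": "Enable Admin IAM Permissions", "Effect": "Allow",
                             "Principal": {"AWS": [ROLE]}, "Action": ACTIONS,
                             "Resource": "*"}]}
STORED = {"Version": "2008-10-17",
          "Statement": [{"Sid": "Enable Admin IAM Permissions", "Effect": "Allow",
                         "Principal": {"AWS": ROLE}, "Action": ACTIONS,
                         "Resource": "*"}]}


def normalize(node):
    """Canonicalize an IAM policy document: assume the 2008-10-17 default
    Version when none is given (as AWS did above), collapse one-element
    lists to scalars, and sort lists so element order does not matter."""
    if isinstance(node, dict):
        out = {k: normalize(v) for k, v in node.items()}
        if "Statement" in out and "Version" not in out:
            out["Version"] = "2008-10-17"
        return out
    if isinstance(node, list):
        items = [normalize(v) for v in node]
        if len(items) == 1:
            return items[0]
        return sorted(items, key=lambda v: json.dumps(v, sort_keys=True))
    return node


def literally_equal(a, b):
    """Compare the serialized documents byte for byte; a check written this
    way reports the stored policy as never matching the configured one."""
    return json.dumps(a, sort_keys=True) == json.dumps(b, sort_keys=True)


def equivalent(a, b):
    """Semantic comparison: true when both documents grant the same thing."""
    return normalize(a) == normalize(b)


if __name__ == "__main__":
    print("literal match:", literally_equal(CONFIGURED, STORED))  # False
    print("equivalent:   ", equivalent(CONFIGURED, STORED))       # True
```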

I also have been having this happen recently. The strange thing is, the key is created with a valid policy according to the AWS console.

Edit: Seems to be related to the AWS module version. I downgraded to an older version (3.37) and it works fine.

We tested on 3.52 and it worked. It sounds like 3.53 introduced a change which is breaking this functionality.


Same thing here. We had the exact same issue, and 3.52 works as intended.

This seems to be the matching bug on the AWS provider's bug tracker: KMS doesn't work with newest verision of provider · Issue #20588 · hashicorp/terraform-provider-aws · GitHub