had a bit of confusion in the right order of operation and deleted/recreated KMS keys and secrets as part of my plan.
Now I seem to have multiple keys that had the same alias at one point.
I disabled all but the latest. Deleted the secrets and they got recreacted with the apply
The command line ssm can decrypt the secret.
However terraform fails when running the next plan:
│ Error: Failed to decrypt 'client_secret': DisabledException: <arn:aws:kms:> is disabled.
│ with module.secrets.data.aws_kms_secrets.application-secrets,
│ on ../secrets/data.tf line 3, in data "aws_kms_secrets" "application-secrets":
│ 3: data "aws_kms_secrets" "application-secrets" {
As suggested else where I removed the secrets, the key and the alias from the state file and reimported them. Still no luck though, plan tries to decrypt with the disabled key
I seem to be missing something obvious here.
How can I tell the secrets to just use the KMS key used for creation and not an outdated one that once had that alias?