Aws_kms_secrets: Failed to decrypt

I had a bit of confusion about the right order of operations and deleted/recreated KMS keys and secrets as part of my plan.

Now I seem to have multiple keys that had the same alias at one point.
I disabled all but the latest. Deleted the secrets and they got recreated with the apply.

The command line ssm can decrypt the secret.

However terraform fails when running the next plan:

│ Error: Failed to decrypt 'client_secret': DisabledException: <arn:aws:kms:> is disabled.
│ with,
│ on ../secrets/ line 3, in data "aws_kms_secrets" "application-secrets":
│ 3: data "aws_kms_secrets" "application-secrets" {

As suggested elsewhere, I removed the secrets, the key and the alias from the state file and reimported them. Still no luck though, plan tries to decrypt with the disabled key.

I seem to be missing something obvious here.

How can I tell the secrets to just use the KMS key used for creation and not an outdated one that once had that alias?

Is the CMK by any chance disabled and scheduled for deletion?

Yes, they were disabled. I now enabled them again as I couldn’t find a way to make it work.

I recreated the secrets with a new key, but somehow they still need the old key to be around.