`resource: aws_ami` - Nested `ebs_block_device` does not handle `kms_key_id` argument as defined in documentation

Hi there,

I’m currently having some issues using the aws_ami resource whilst trying to utilize the kms_key_id argument. I keep getting an error kms_key_id is not expected here (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami).

After having a look in the source-code (terraform-provider-aws/ami.go at main · hashicorp/terraform-provider-aws · GitHub), I’m wondering whether the kms_key_id argument is missing from the provider, as I don’t see it in the code?

I was going to raise an issue, but wanted to check here first in case my assumption is wrong and maybe I’m just using the resource incorrectly. Any help would be much appreciated, thanks. Please see my configurations for the resource below:

ec2.tf

```hcl
resource "aws_ami" "app_01_ami" {
  name                = var.app_01_ami_name
  virtualization_type = var.app_01_virtualization_type
  root_device_name    = var.app_01_root_device_name

  ebs_block_device {
    device_name = var.app_01_root_device_name
    snapshot_id = var.app_01_root_snapshot_id
    volume_size = var.app_01_root_volume_size
    volume_type = var.app_01_root_volume_type
    iops        = var.app_01_root_volume_iops
    throughput  = var.app_01_root_volume_throughput
    kms_key_id  = module.kms-prod01-ebs.kms_key.arn
  }
}
```

terraform.tfvars

```hcl
app_01_name                   = "xxxxxxxxxxx"
app_01_ami_name               = "XXXXXX-Image"
app_01_virtualization_type    = "hvm"
app_01_root_device_name       = "/dev/sda1"
app_01_root_snapshot_id       = "snap-xxxxxxxxx"
app_01_root_volume_size       = 50
app_01_root_volume_type       = "gp3"
app_01_ebs_optimized          = false
app_01_root_volume_iops       = 3000
app_01_root_volume_throughput = 125
```

Hi @ishaq-subedar,

I agree that it seems like this is a documentation bug; there isn’t any such argument in the implementation, as far as I can see.

Thinking about what this resource does, I wonder if this argument was copied in error from the aws_ami_copy documentation. For copying an AMI it makes sense to provide the KMS key ID because it will create new EBS snapshots to support the new AMI, but aws_ami just associates pre-existing EBS snapshots with a new AMI and so in that case the KMS key ID would be used by the operation that created the snapshot, not by the operation that creates the AMI.
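Following the reasoning in the reply above, one way to end up with an AMI backed by a snapshot encrypted under a chosen key is to apply the key when the snapshot is created. This is an added example, not code from the thread or from the provider project. It reuses the original poster's variables and module output, and assumes a hypothetical `var.app_01_source_region` variable and Terraform 1.2 or later for the `postcondition` block.

```hcl
# Added example. Assumption: the existing snapshot lives in the region named by
# the hypothetical variable var.app_01_source_region.

# Copy the existing snapshot and encrypt the copy under the customer-managed
# key. The KMS key is supplied on the operation that creates the snapshot.
resource "aws_ebs_snapshot_copy" "app_01_root_encrypted" {
  source_snapshot_id = var.app_01_root_snapshot_id
  source_region      = var.app_01_source_region
  encrypted          = true
  kms_key_id         = module.kms-prod01-ebs.kms_key.arn

  lifecycle {
    # Fail the apply if the copy did not come out encrypted, so an
    # unencrypted snapshot is never registered as the AMI root device.
    postcondition {
      condition     = self.encrypted
      error_message = "Root snapshot copy must be encrypted before it is attached to the AMI."
    }
  }
}

# Register the AMI against the encrypted copy. No kms_key_id is set on the
# nested block; encryption is inherited from the snapshot.
resource "aws_ami" "app_01_ami" {
  name                = var.app_01_ami_name
  virtualization_type = var.app_01_virtualization_type
  root_device_name    = var.app_01_root_device_name

  ebs_block_device {
    device_name = var.app_01_root_device_name
    snapshot_id = aws_ebs_snapshot_copy.app_01_root_encrypted.id
    volume_size = var.app_01_root_volume_size
    volume_type = var.app_01_root_volume_type
    iops        = var.app_01_root_volume_iops
    throughput  = var.app_01_root_volume_throughput
  }
}
```

The role running Terraform needs permission to use the target KMS key for the copy to succeed.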

Hi @apparentlymart, thanks for the response. This makes more sense now, so thank you.