Hi,
I hope someone can kindly help explain/confirm whether the TF’s AWS provider can create a KMS key without scheduled deletion?
From this document it seems that is impossible: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#deletion_window_in_days
Actually, there was an issue that asked exactly the same question, but it is closed without information:
opened 06:33PM - 22 Jul 19 UTC
closed 07:47PM - 22 Jul 19 UTC
enhancement
### Description
When I create a new KMS key using terraform with something simple like this:
```
resource "aws_kms_key" "secret_key" {
  description         = "Secret Key"
  enable_key_rotation = false
}
```
The new key is created but it is already scheduled for deletion in 30 days. AWS won't let me encrypt anything with it because it's scheduled for deletion! I can go into the AWS console and cancel the deletion but then I have to re-activate it.
### New or Affected Resource(s)
* aws_kms_key
### References
It looks like the resource has an OPTIONAL field for deletion that has to be between 7 and 30 days https://github.com/terraform-providers/terraform-provider-aws/blob/0d09f499fdfcc636d7eba3a3089921118e93e5c5/aws/resource_aws_kms_key.go#L70
and it seems like it's defaulting to 30 but ... if I don't specify an optional field shouldn't it not schedule the key for deletion at all? How can I create keys that aren't automatically scheduled for deletion if I can't specify a 0 and it defaults to 30 days?
Thanks for your time
Did someone manage to fix that? We have the same issue.
Based on the implementation here, it appears that this value is only used when the KMS key is deleted. In other words, the key will not be deleted until 30 days after Terraform tries to delete it. If you never run “terraform destroy” then it should last forever.
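The behaviour described in the last reply, as an added example that is not part of the thread or the provider's own code: `deletion_window_in_days` is set explicitly, and the key's state is read back so it can be checked after `terraform apply`. The `prevent_destroy` guard, the data source lookup and the output names are assumptions chosen for illustration.

```hcl
resource "aws_kms_key" "secret_key" {
  description         = "Secret Key"
  enable_key_rotation = false

  # Waiting period KMS applies only after Terraform deletes this resource
  # (terraform destroy, or removing the block). Allowed range is 7-30 days;
  # 30 is the default when the argument is omitted.
  deletion_window_in_days = 30

  lifecycle {
    # Assumption for illustration: make any plan that would destroy the key
    # fail, so deletion is never scheduled by accident.
    prevent_destroy = true
  }
}

# Read the key back to confirm its state after creation.
data "aws_kms_key" "secret_key_state" {
  key_id = aws_kms_key.secret_key.key_id
}

# Expected to be "Enabled" for a freshly created key. "PendingDeletion"
# means deletion was scheduled by something other than key creation.
output "secret_key_state" {
  value = data.aws_kms_key.secret_key_state.key_state
}

# Empty while the key is not scheduled for deletion.
output "secret_key_deletion_date" {
  value = data.aws_kms_key.secret_key_state.deletion_date
}
```

The same check can be made outside Terraform with `aws kms describe-key --key-id <key-id>`, which reports the state in `KeyMetadata.KeyState`.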