[Terraform AWS provider] Create a KMS key without scheduled deletion

khoanguyen5288 · November 14, 2021, 2:03pm

Hi,
I hope someone can kindly help explain/ confirm if the TF’s AWS provider can create a KMS key without scheduled deletion?
From this document it seems that is impossible: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#deletion_window_in_days

Actually, there was an issue exactly asked the same question, but it is closed without information:

github.com/hashicorp/terraform-provider-aws

KMS Keys get created with deletion scheduled for 30d in the future

opened 06:33PM - 22 Jul 19 UTC

closed 07:47PM - 22 Jul 19 UTC

andrewwatson

enhancement

### Community Note * Please vote on this issue by adding a 👍 [reaction](https…://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request * Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request * If you are interested in working on this issue or have submitted a pull request, please leave a comment ### Description When I create a new KMS key using terraform with something simple like this: ``` resource "aws_kms_key" "secret_key" { desciption = "Secret Key" enable_key_rotation = false } ``` The new key is create but it is already scheduled for deletion in 30 days. AWS won't let me encrypt anything with it because it's scheduled for deletion! I can go into the AWS console and cancel the deletion but then I have to re-activate it. ### New or Affected Resource(s) * aws_kms_key ### References It looks like the resource has an OPTIONAL field for deletion that has to be between 7 and 30 days https://github.com/terraform-providers/terraform-provider-aws/blob/0d09f499fdfcc636d7eba3a3089921118e93e5c5/aws/resource_aws_kms_key.go#L70 and it seems like it's defaulting to 30 but ... if i don't specify an optional field shouldn't it not schedule the key for deletion at all? How can I create keys that aren't automatically scheduled for deletion if i can't specify a 0 and it defaults to 30 days?

Thanks for your time

Mais316 · March 31, 2022, 9:42pm

Did someone managed to fix that we have same issue.

saholman · September 29, 2022, 5:21pm

Based on the implementation here, it appears that this value is only used when the KMS key is deleted. In other words, the key will not be deleted until 30 days after Terraform tries to delete it. If you never run “terraform destroy” then it should last forever.

github.com

hashicorp/terraform-provider-aws/blob/main/internal/service/kms/key.go

package kms

import (
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/kms"
	"github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/structure"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
	"github.com/hashicorp/terraform-provider-aws/internal/conns"
	tftags "github.com/hashicorp/terraform-provider-aws/internal/tags"
	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
	"github.com/hashicorp/terraform-provider-aws/internal/verify"
)

func ResourceKey() *schema.Resource {

This file has been truncated. show original