_This issue was originally opened by @bbill87 as hashicorp/terraform#8562. It was migrated here as part of the provider split. The original body of the issue is below._
Whenever Terraform creates new KMS keys I always get this:
* aws_kms_key.key: MalformedPolicyDocumentException:
status code: 400, request id: 64c724b0-6efe-11e6-8f04-17597b8f0569
It is resolved if I run the apply again. This happens on 0.6.616 and 0.7.2 for multiple people on multiple computers here.
Reproduced this in 0.9.8. Additional info and full bug report available in https://github.com/hashicorp/terraform/issues/6576.
Reproduced in 0.9.11. Full report:
0.9.11
...
resource "aws_kms_key" "LambdaBackend_config" {
  description             = "LambdaBackend_config_key"
  deletion_window_in_days = 7

  policy = <<POLICY
{
  "Version" : "2012-10-17",
  "Id" : "key-consolepolicy-3",
  "Statement" : [ {
    "Sid" : "Enable IAM User Permissions",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
    },
    "Action" : "kms:*",
    "Resource" : "*"
  }, {
    "Sid" : "Allow use of the key",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "${aws_iam_role.LambdaBackend_master_lambda.arn}"
    },
    "Action" : [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
    "Resource" : "*"
  }, {
    "Sid" : "Allow attachment of persistent resources",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "${aws_iam_role.LambdaBackend_master_lambda.arn}"
    },
    "Action" : [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
    "Resource" : "*",
    "Condition" : {
      "Bool" : {
        "kms:GrantIsForAWSResource" : "true"
      }
    }
  } ]
}
POLICY
}
...
Full: https://gist.github.com/OliverCole/a1c5a804723765f8666f29eb337d9c53#file-terraform-tf-pgp
First apply
Second apply - this exhibits a different, unrelated error after the aws_kms_key works.
Applied.
1 error(s) occurred:
* aws_kms_key.LambdaBackend_config: 1 error(s) occurred:
* aws_kms_key.LambdaBackend_config: MalformedPolicyDocumentException:
status code: 400, request id: 09abcc4f-6340-11e7-a49b-07d14d2bff1f
terraform apply
Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:
anyone looking at this? having the same issue
We're having the same issue as well
Just came across this; a re-apply didn't resolve it. I had to rename the resource, run it, and then rename it back to get past the error. Strange.
Found this too. Was able to reproduce it outside of tf. Below you can see a simple batch script; it always works the second time.
+ aws kms create-key --policy file:///tmp/KEYPOLICY
An error occurred (MalformedPolicyDocumentException) when calling the CreateKey operation: Policy contains a statement with one or more invalid principals.
+ aws kms create-key --policy file:///tmp/KEYPOLICY
Terraform v0.11.13
* aws_kms_key.customer_master_key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
This issue is present in Terraform version 0.11.14.4 using AWS provider 2.39.0.
I am facing the same issue for version v0.11.08
Error: Error applying plan:
1 error(s) occurred:
This happens to us when we try to create a key policy right after an IAM role referenced in it was created. There is a lag between IAM creating the role and KMS service seeing it. We successfully work around it by using sleep in the aws_iam_role's local-exec provisioner. E.g.
resource "aws_iam_role" "role" {
  ...
  provisioner "local-exec" {
    command = "sleep 15"
  }
  ...
}
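The batch-script reproduction earlier in the thread (create-key fails once, succeeds on the second call) and the `sleep 15` workaround above both rely on waiting out IAM propagation. As an added example, not code from this issue or from Terraform, the wrapper below retries `aws kms create-key` only while KMS reports the "invalid principals" form of MalformedPolicyDocumentException, with exponential backoff and a hard cap, so a genuinely broken policy fails on the first attempt instead of being retried. It assumes a configured AWS CLI; the names KMS_CLI, MAX_ATTEMPTS, BASE_DELAY and CREATE_KEY_ATTEMPTS are assumptions introduced here so the command can be swapped for a fake when testing.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread or the Terraform AWS provider).
# Retries `aws kms create-key` only when KMS rejects the key policy because a
# freshly created IAM principal is not yet visible to KMS.
set -u

KMS_CLI="${KMS_CLI:-aws}"          # assumed override point: command that runs `kms create-key`
MAX_ATTEMPTS="${MAX_ATTEMPTS:-8}"  # hard cap so a real policy error never loops forever
BASE_DELAY="${BASE_DELAY:-2}"      # seconds before the first retry; doubled each time

# is_propagation_error STDERR_TEXT
# Only the "invalid principals" flavour of MalformedPolicyDocumentException is
# retryable: it is the message the CLI shows in this thread while a just-created
# IAM role ARN is still unknown to KMS. Any other policy error is treated as final.
is_propagation_error() {
  case "$1" in
    *MalformedPolicyDocumentException*"invalid principal"*) return 0 ;;
    *) return 1 ;;
  esac
}

# create_key_with_retry POLICY_FILE
# Prints the key metadata JSON on success. Returns 1 on a non-retryable error or
# once MAX_ATTEMPTS is exhausted. Records the attempts used in CREATE_KEY_ATTEMPTS.
create_key_with_retry() {
  local policy_file="$1" attempt=1 delay="$BASE_DELAY" out err err_file
  while :; do
    # keep stdout (the JSON result) separate from stderr (the CLI error text)
    err_file=$(mktemp)
    if out=$("$KMS_CLI" kms create-key --policy "file://$policy_file" 2>"$err_file"); then
      rm -f "$err_file"
      CREATE_KEY_ATTEMPTS=$attempt
      printf '%s\n' "$out"
      return 0
    fi
    err=$(cat "$err_file")
    rm -f "$err_file"
    if ! is_propagation_error "$err" || [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
      CREATE_KEY_ATTEMPTS=$attempt
      printf 'create-key failed after %d attempt(s): %s\n' "$attempt" "$err" >&2
      return 1
    fi
    printf 'attempt %d: principal not yet visible to KMS, retrying in %ds\n' "$attempt" "$delay" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
    delay=$((delay * 2))
  done
}
```

Usage: `create_key_with_retry /tmp/KEYPOLICY` in place of the bare `aws kms create-key` call from the batch script. The match is on the error text the CLI prints in this thread, so a typo in the policy (which KMS reports with a different message) is not retried, and the cap bounds the wait for the case where the principal really does not exist. This only helps callers outside Terraform; the 0.11-era provider output quoted above has no such retry.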