Terraform-provider-aws: aws_kms_ciphertext 'unstable' output

Created on 23 Jun 2017  ·  7 Comments  ·  Source: hashicorp/terraform-provider-aws

Terraform Version

Terraform v0.9.8

Affected Resource(s)

  • aws_kms_ciphertext

Terraform Configuration Files

data "aws_caller_identity" "current" {}

provider "aws" {
    region = "eu-west-1"
}

resource "aws_iam_role" "LambdaBackend_master_lambda" {
    name               = "LambdaBackend_master_lambda"
    path               = "/"
    assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "LambdaBackend_master_lambda_AmazonS3ReadOnlyAccess" {
    role       = "${aws_iam_role.LambdaBackend_master_lambda.name}"
    policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "LambdaBackend_master_lambda_AmazonDynamoDBFullAccess" {
    role       = "${aws_iam_role.LambdaBackend_master_lambda.name}"
    policy_arn = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
}

resource "aws_iam_role_policy_attachment" "LambdaBackend_master_lambda_CloudWatchFullAccess" {
    role       = "${aws_iam_role.LambdaBackend_master_lambda.name}"
    policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
}

resource "aws_lambda_function" "LambdaBackend_lambda" {
  filename         = "email_lambda.zip"
  function_name    = "SpikeLambda"
  role             = "${aws_iam_role.LambdaBackend_master_lambda.arn}"
  handler          = "index.handler"
  source_code_hash = "${base64sha256(file("email_lambda.zip"))}"
  runtime          = "nodejs6.10"
  timeout          = 15
  publish          = true

  environment {
    variables = {
      apikey = "${data.aws_kms_ciphertext.apikey.ciphertext_blob}"
    }
  }
}

resource "aws_kms_key" "config" {
  description = "env config"
  is_enabled  = true
  policy      = <<POLICY
{
  "Version" : "2012-10-17",
  "Id" : "key-consolepolicy-3",
  "Statement" : [ {
    "Sid" : "Enable IAM User Permissions",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
    },
    "Action" : "kms:*",
    "Resource" : "*"
  }, {
    "Sid" : "Allow use of the key",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "${aws_iam_role.LambdaBackend_master_lambda.arn}"
    },
    "Action" : [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
    "Resource" : "*"
  }, {
    "Sid" : "Allow attachment of persistent resources",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "${aws_iam_role.LambdaBackend_master_lambda.arn}"
    },
    "Action" : [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
    "Resource" : "*",
    "Condition" : {
      "Bool" : {
        "kms:GrantIsForAWSResource" : "true"
      }
    }
  } ]
}
POLICY
}

data "aws_kms_ciphertext" "apikey" {
  key_id = "${aws_kms_key.config.key_id}"
  plaintext = "hunter2"
}

Debug Output

Run 1: https://gist.github.com/OliverCole/5feb1409f098a5ad5de523ed907cf93a
Run 2: https://gist.github.com/OliverCole/74ee789489a4582b6548a24cb180c07e

Expected/Desired Behavior

Ciphertext data source should be static, resulting in no changes to downstream dependencies.

Actual Behavior

λ terraform plan

...

~ aws_lambda_function.LambdaBackend_lambda
    environment.0.variables.apikey: "AQICAHhrx94Wb5zY2paCTEFBiotjAnNA5JkowPRTlnNgFDShRwEwemJy4XaanTNiJw/c4f5nAAAAazBpBgkqhkiG9w0BBwagXDBaAgEAMFUGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMNrQujwxAygW7NzoxAgEQgCjhQxFc+GZco8upPiXoqg7tBbyI+UmQvTX7Rk4Zrx+7mwGpcH0S8tlM" => "AQICAHhrx94Wb5zY2paCTEFBiotjAnNA5JkowPRTlnNgFDShRwGg+4IumuMxfn0LhPLisPCNAAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMCWnWVlL7BZdI9/QcAgEQgCIJrOrW56mdVTpYGt6k/rhqvgF+0EMx2gwxx5JB1dzsegQ/"


Plan: 0 to add, 1 to change, 0 to destroy.

λ terraform plan

...

~ aws_lambda_function.LambdaBackend_lambda
    environment.0.variables.apikey: "AQICAHhrx94Wb5zY2paCTEFBiotjAnNA5JkowPRTlnNgFDShRwEwemJy4XaanTNiJw/c4f5nAAAAazBpBgkqhkiG9w0BBwagXDBaAgEAMFUGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMNrQujwxAygW7NzoxAgEQgCjhQxFc+GZco8upPiXoqg7tBbyI+UmQvTX7Rk4Zrx+7mwGpcH0S8tlM" => "AQICAHhrx94Wb5zY2paCTEFBiotjAnNA5JkowPRTlnNgFDShRwEsP80A7AA1DNwPeQjBwUQfAAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM8S3Dt92qSVRXrEeAAgEQgCLiwJB1lND0Md3fKEr23kBmTj3rRkXUg/EcbXY191xLwsY5"


Plan: 0 to add, 1 to change, 0 to destroy.

Calls to data.aws_kms_ciphertext.apikey.ciphertext_blob in terraform console are stable and match the ...0S8tlM value above.

Steps to Reproduce

  1. terraform plan

References

@apparentlymart - https://groups.google.com/forum/#!topic/terraform-tool/7K4dLBmMrik

Labels: bug, service/kms, service/lambda

All 7 comments

Thanks for filing this, @OliverCole.

Our usual rule for data sources is that they must be "generally stable", which is to say that they only change value in response to intentional actions. It might well be that, like many things that do crypto, there is no way to get a stable result out of this, and in that case we will probably need to recast this as a resource, thus allowing it to be generated once and referenced many times similar to resources such as tls_private_key, tls_self_signed_cert, etc.

Yes, I should have mentioned in the report, this constant change in value is consistent with the AWS CLI, and also with my understanding of KMS' use of envelope encryption, per the KMS whitepaper.

I am also running into this problem. The input to aws_kms_ciphertext does not change yet the output does.

Has anyone started working on a fix? Possibly converting it to a resource? Would you be open to a PR for converting to a resource?

Running into this as well, would love to see this fixed!

A new aws_kms_ciphertext resource has been merged and will release with version 2.4.0 of the Terraform AWS Provider, likely in the next two days. Thanks to @JoelSpeed and @cperilla-rival.

This has been released in version 2.4.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
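The resource form that shipped in provider 2.4.0, written here as an added example (not configuration from the issue or from the provider's own docs). It assumes Terraform 0.12+ expression syntax, the aws_kms_key "config" and the Lambda from the report, and a hypothetical variable apikey_plaintext and context map that the report does not contain:

```hcl
# Hypothetical input; the report hard-codes the plaintext inline instead.
variable "apikey_plaintext" {
  type = string
}

# Managed resource (provider >= 2.4.0). KMS Encrypt runs once at create time and
# the returned blob is persisted in state, so repeated plans show no change.
# key_id, plaintext and context each force replacement, which is the only way a
# new ciphertext is produced. Note that the plaintext argument is itself written
# to the state file, so the state backend must be treated as holding the secret.
resource "aws_kms_ciphertext" "apikey" {
  key_id    = aws_kms_key.config.key_id
  plaintext = var.apikey_plaintext

  # Encryption context (assumed value): the Lambda must supply the same map on
  # Decrypt, which stops the blob being decrypted in an unrelated call path.
  context = {
    function = "SpikeLambda"
  }
}

resource "aws_lambda_function" "LambdaBackend_lambda" {
  filename         = "email_lambda.zip"
  function_name    = "SpikeLambda"
  role             = aws_iam_role.LambdaBackend_master_lambda.arn
  handler          = "index.handler"
  source_code_hash = filebase64sha256("email_lambda.zip")
  runtime          = "nodejs6.10"
  timeout          = 15
  publish          = true

  environment {
    variables = {
      # Reference the resource, not the data source, so the value is read from
      # state rather than re-encrypted on every refresh.
      apikey = aws_kms_ciphertext.apikey.ciphertext_blob
    }
  }
}
```

The data source in the report is still appropriate only for one-off values that are never compared across runs; anything a downstream resource depends on needs the resource form.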

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
