```
terraform -v
Terraform v0.9.10
```

- aws_kms_alias (resource)
- aws_kms_alias (data)

```hcl
# Module 1
variable "client_name" {}

resource "aws_kms_key" "cmk" {
  description = "${var.client_name} KMS Customer Master Key"
}

resource "aws_kms_alias" "alias" {
  name          = "alias/${var.client_name}"
  target_key_id = "${aws_kms_key.cmk.key_id}"
}

# Module 2
variable "client_name" {}
variable "replica_id" {}

data "aws_kms_alias" "cmk" {
  name = "alias/${var.client_name}"
}

resource "aws_iam_role_policy" "kms-replica" {
  name = "${var.client_name}-kms-replica-policy"
  role = "${var.replica_id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "${data.aws_kms_alias.cmk.arn}"
    ]
  }
}
EOF
}

# Main
module "clientname_kms" {
  source      = "../../modules/kms"
  client_name = "clientname"
}

module "clientname_kms_policy" {
  source      = "../../modules/kms-policy"
  client_name = "clientname"
  replica_id  = "${module.replicas.iam_role_replica_id}"
}
```

According to the documentation, it's fine to reference attributes of resources which have not been created yet:

```
$ terraform plan
...
Error refreshing state: 1 error(s) occurred:
* module.clientname_kms_policy.data.aws_kms_alias.cmk: 1 error(s) occurred:
* module.clientname_kms_policy.data.aws_kms_alias.cmk: data.aws_kms_alias.cmk: No alias with name "alias/clientname" found in this region.
```

Please list the steps required to reproduce the issue, for example:

- `terraform plan`

I'm also having this problem and I'm on terraform version 0.10.6.1.

Hi,
the error you're observing is caused by the fact that the data source pulls data before the resource even has a chance to create the alias. There is no relationship between those two, which you can verify via `terraform graph | dot -Tpng > graph.png`, therefore you will run into race conditions.

Also, using a data source & resource for the exact same resource in the same config is usually unnecessary. I'd recommend you use variables & outputs in this context and they can draw the relationship correctly and save you some lines of code:

```hcl
# Module 1
variable "client_name" {}

resource "aws_kms_key" "cmk" {
  description = "${var.client_name} KMS Customer Master Key"
}

resource "aws_kms_alias" "alias" {
  name          = "alias/${var.client_name}"
  target_key_id = "${aws_kms_key.cmk.key_id}"
}

# Exported so other modules depend on the alias resource itself
output "kms_alias_arn" {
  value = "${aws_kms_alias.alias.arn}"
}
```

```hcl
# Module 2
variable "client_name" {}
variable "replica_id" {}
variable "kms_alias_arn" {}

resource "aws_iam_role_policy" "kms-replica" {
  name = "${var.client_name}-kms-replica-policy"
  role = "${var.replica_id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "${var.kms_alias_arn}"
    ]
  }
}
EOF
}
```

```hcl
# Main
module "clientname_kms" {
  source      = "../../modules/kms"
  client_name = "clientname"
}

module "clientname_kms_policy" {
  source        = "../../modules/kms-policy"
  client_name   = "clientname"
  replica_id    = "${module.replicas.iam_role_replica_id}"

  # Passing the module output creates the dependency edge in the graph
  kms_alias_arn = "${module.clientname_kms.kms_alias_arn}"
}
```

Sorry for the confusion, but Terraform is working as intended here, hence I'm going to close this issue.
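
An added example, not part of the original thread or of Terraform's own code: a Python check over a rendered IAM policy document of the shape used above. It relies on the AWS KMS rule that a policy statement's `Resource` identifies a key only by its key ARN, so an `Allow` for `kms:Decrypt` on an alias ARN does not grant decrypt on the key behind the alias. The function names and the sample ARNs (account ID, region, key ID) are constructed for illustration.

```python
import json

# Actions that operate on the alias resource itself; an alias ARN is the
# correct Resource for these, so they are not reported.
ALIAS_ACTIONS = {"kms:createalias", "kms:deletealias", "kms:updatealias"}


def _as_list(value):
    """IAM accepts a single item or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_alias_arn(resource):
    # Expected shape: arn:partition:kms:region:account:alias/name
    parts = resource.split(":", 5)
    return (len(parts) == 6 and parts[0] == "arn" and parts[2] == "kms"
            and parts[5].startswith("alias/"))


def find_alias_resources(policy_json):
    """Return (statement_index, action, resource) for every Allow statement
    that pairs a KMS key action with an alias ARN in Resource."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        key_actions = [a for a in _as_list(stmt.get("Action"))
                       if a.lower().startswith("kms:")
                       and a.lower() not in ALIAS_ACTIONS]
        for res in _as_list(stmt.get("Resource")):
            if _is_alias_arn(res):
                findings.extend((idx, a, res) for a in key_actions)
    return findings


# Constructed samples: account ID, region and key ID are placeholders.
ALIAS_POLICY = """{"Version": "2012-10-17", "Statement": {"Effect": "Allow",
  "Action": ["kms:Decrypt"],
  "Resource": ["arn:aws:kms:us-east-1:111122223333:alias/clientname"]}}"""
KEY_POLICY = ALIAS_POLICY.replace(
    "alias/clientname", "key/00000000-0000-0000-0000-000000000000")

if __name__ == "__main__":
    for name, doc in (("alias ARN", ALIAS_POLICY), ("key ARN", KEY_POLICY)):
        print(name, find_alias_resources(doc))
```
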
For anyone else reading this / stumbling upon this issue when looking for help... I was still facing some issues after reading the above example, but found this, which provided me with some help.
https://github.com/minamijoyo/terraform-kms-example
The main issue was that I had to create the IAM role at the same time - and didn't already have it available like craig had in his example for this issue. I'm sure this isn't news to some people, but hoping this might help someone else who has similar use cases. Always worth bypassing a roadblock, however short it might be.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!