Terraform-provider-aws: Can't create aws_sqs_queue with kms encryption in eu-west-1 (Ireland)

Created on 4 Sep 2017 · 4 Comments · Source: hashicorp/terraform-provider-aws

Terraform Version

Terraform v0.10.3

Affected Resource(s)

  • aws_sqs_queue

Terraform Configuration Files

resource "aws_sqs_queue" "queue" {
  name                              = "alb-logs-notification-queue-${var.environment}"
  delay_seconds                     = 0
  max_message_size                  = 262144 # 256 KiB
  visibility_timeout_seconds        = 30
  message_retention_seconds         = 345600 # 4 days
  receive_wait_time_seconds         = 0
  kms_master_key_id                 = "alias/aws/sqs"
  kms_data_key_reuse_period_seconds = 300
}

Debug Output

module.s3.aws_sqs_queue.queue: Still creating... (33m50s elapsed)
module.s3.aws_sqs_queue.queue: Still creating... (34m0s elapsed)
module.s3.aws_sqs_queue.queue: Still creating... (34m10s elapsed)

Expected Behavior

The queue should be created under 2 minutes.

Actual Behavior

The queue is never created

Steps to Reproduce

I'm not sure, but I suspect that using kms_master_key_id and kms_data_key_reuse_period_seconds caused this issue. After I removed them the problem was gone; also, the option is not available in the console, at least I could not find the option described in this blog post.

Labels: bug, service/sqs, upstream

All 4 comments

@Techbrunch @Ninir Hey - Just wanted to say that I don't think this is Terraform's fault. I'm in the same boat as you as requiring KMS-based encryption in the eu-west-1 region, but Amazon state that:

Starting at 15:45 Sept. 22, 2017 UTC, we noticed that your account in eu-west-1 region starts to call CreateQueue API with the "KmsMasterKeyId" attribute to create encrypted FIFO queues. SQS server-side encryption support is currently not available in eu-west-1 region.

Due to a known issue in SQS, these CreateQueue calls result in Internal Error exceptions instead of InvalidAttributeName exceptions, and they are invalid. We are actively working to fix the incorrect exception. To continue to use FIFO queues, you can call the CreateQueue API without providing "KmsMasterKeyId" attribute, or you can retry your CreateQueue request in SQS server-side encryption enabled regions.

The SQS Server-side encryption support is currently available in the US East (N. Virginia), US East (Ohio), and US West (Oregon) regions with more regions to follow: https://aws.amazon.com/about-aws/whats-new/2017/05/amazon-simple-queue-service-sqs-server-side-encryption-is-now-available-in-the-us-east-n-virginia-region/

So it looks like we'll be playing the waiting game for AWS - But hopefully it won't be too long.

Raising a ticket on Amazon might be a way to propel it forward in terms of priority (I'll do the same).

Cheers!
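To make the failure mode in this thread concrete, here is an added example (not code from the issue or from the Terraform AWS provider) that translates the issue's aws_sqs_queue arguments into the SQS CreateQueue attribute map, range-checks them client-side, and fails closed when KmsMasterKeyId is requested in a region without SSE support instead of silently creating a plaintext queue. The region allow-list is constructed from the September 2017 state quoted in the comment above and is passed in as a parameter, since the last comment notes SSE is now available in all commercial regions.

```python
# Added example, not part of the issue or the terraform-provider-aws code base.

# Constructed allow-list: the three regions the AWS note above listed as
# supporting SQS server-side encryption in September 2017.
SSE_REGIONS_SEPT_2017 = frozenset({"us-east-1", "us-east-2", "us-west-2"})

# Terraform argument -> (SQS CreateQueue attribute name, inclusive range SQS accepts)
ATTRIBUTE_MAP = {
    "delay_seconds": ("DelaySeconds", 0, 900),
    "max_message_size": ("MaximumMessageSize", 1024, 262144),
    "visibility_timeout_seconds": ("VisibilityTimeout", 0, 43200),
    "message_retention_seconds": ("MessageRetentionPeriod", 60, 1209600),
    "receive_wait_time_seconds": ("ReceiveMessageWaitTimeSeconds", 0, 20),
    "kms_data_key_reuse_period_seconds": ("KmsDataKeyReusePeriodSeconds", 60, 86400),
}


class EncryptionUnavailable(Exception):
    """Raised rather than dropping the KMS key and creating an unencrypted queue."""


def build_create_queue_attributes(config, region, sse_regions=SSE_REGIONS_SEPT_2017):
    """Map aws_sqs_queue arguments to the Attributes dict of an SQS CreateQueue call.

    Numeric arguments are validated here so a bad value surfaces as a clear error
    instead of the 30-minute retry loop seen in the issue. If kms_master_key_id is
    set but `region` is not in `sse_regions`, raise: the caller asked for an
    encrypted queue, so the safe answer is to refuse, not to strip the key.
    """
    attrs = {}
    for arg, (name, lo, hi) in ATTRIBUTE_MAP.items():
        if arg in config:
            value = int(config[arg])
            if not lo <= value <= hi:
                raise ValueError(f"{arg}={value} is outside the SQS range {lo}..{hi}")
            attrs[name] = str(value)  # SQS attribute values are strings
    key_id = config.get("kms_master_key_id")
    if key_id:
        if region not in sse_regions:
            raise EncryptionUnavailable(
                f"kms_master_key_id set but SQS SSE is not enabled in {region}")
        attrs["KmsMasterKeyId"] = key_id
    return attrs


# Constructed input: the issue's Terraform values with var.environment = "prod".
ISSUE_CONFIG = {
    "delay_seconds": 0, "max_message_size": 262144, "visibility_timeout_seconds": 30,
    "message_retention_seconds": 345600, "receive_wait_time_seconds": 0,
    "kms_master_key_id": "alias/aws/sqs", "kms_data_key_reuse_period_seconds": 300,
}
```

Calling build_create_queue_attributes(ISSUE_CONFIG, "eu-west-1") raises EncryptionUnavailable, while the same call with "us-east-1" returns the full attribute map including KmsMasterKeyId.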

I'm not able to reproduce this. Looks like support was added upstream.

Thanks @brandonstevens! The SQS Developer Guide seems to confirm this as available everywhere (but AWS China) now:

Server-side encryption (SSE) for Amazon SQS is available in all commercial regions where Amazon SQS is available, except for the China Regions.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
