Terraform-provider-aws: aws_ses_receipt_rule - Invalid KMS encryption key ARN

Created on 21 Jun 2018 · 5 Comments · Source: hashicorp/terraform-provider-aws

Terraform Version

0.11.3

Affected Resource(s)

aws_ses_receipt_rule

Terraform Configuration Files

resource "aws_ses_receipt_rule" "ses_resource" {
  name          = "${var.account}-deploy"
  rule_set_name = "default-rule-set"
  recipients    = ["${var.account}[email protected]"]
  enabled       = true
  scan_enabled  = true
  provider      = "aws.blah-us-east"

  s3_action {
    bucket_name       = "ses-mail"
    object_key_prefix = "${var.account}-deploy"
    position          = 1
  }
}

Debug Output

2018-06-21T16:30:56.428+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: 2018/06/21 16:30:56 [DEBUG] [aws-sdk-go] DEBUG: Response email/CreateReceiptRule Details:
2018-06-21T16:30:56.428+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: ---[ RESPONSE ]--------------------------------------
2018-06-21T16:30:56.428+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: HTTP/1.1 400 Bad Request
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: Connection: close
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: Content-Length: 284
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: Content-Type: text/xml
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: Date: Thu, 21 Jun 2018 06:30:56 GMT
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: X-Amzn-Requestid: a7692543-751c-11e8-8518-97ae23c79dbf
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4:
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4:
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: -----------------------------------------------------
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: 2018/06/21 16:30:56 [DEBUG] [aws-sdk-go]
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4:
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: Sender
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: InvalidParameterValue
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: Invalid KMS encryption key ARN:
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4:

2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: a7692543-751c-11e8-8518-97ae23c79dbf
2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4:

2018-06-21T16:30:56.429+1000 [DEBUG] plugin.terraform-provider-aws_v1.19.0_x4: 2018/06/21 16:30:56 [DEBUG] [aws-sdk-go] DEBUG: Validate Response email/CreateReceiptRule failed, not retrying, error InvalidParameterValue: Invalid KMS encryption key ARN:

Expected Behavior

It should be creating the SES rule

Actual Behavior

Error creating SES rule: InvalidParameterValue: Invalid KMS encryption key ARN

Fails with reference to KMS ARN being invalid even though it's an optional parameter only used if encryption is enabled

Steps to Reproduce

  1. terraform apply

Important Factoids

Previous runs back on the 15th of March were successful. No code changes and the following block

  enabled:                                "" => "true"
  name:                                   "" => "blah-deploy"
  recipients.#:                           "" => "1"
  recipients.689644031:                   "" => "[email protected]"
  rule_set_name:                          "" => "default-rule-set"
  s3_action.#:                            "" => "1"
  s3_action.3142081338.bucket_name:       "" => "ses-mail"
  s3_action.3142081338.kms_key_arn:       "" => ""
  s3_action.3142081338.object_key_prefix: "" => "blah-deploy"
  s3_action.3142081338.position:          "" => "1"
  s3_action.3142081338.topic_arn:         "" => ""
  scan_enabled:                           "" => "true"
  tls_policy:                             "" => "<computed>"

However the exact same code run today fails with the above error. I thought maybe a new provider was released, so I tried pinning the version back to what was used when the code was run on the 15th (1.19), but it didn't fix the problem.

All 5 comments

Further investigation looks like there was a KMS key created in my account automatically by AWS on the 21/06/2018 specifically for SES (aws/ses) with the description

Default master key that protects my SES emails when no other key is defined

When done through the GUI and I select encryption it automatically selects the key but it still shouldn't be attempting to use the key if encryption isn't selected... at least logically anyway. Looks like AWS may have changed/screwed something with the API? Setting the value for kms_key_arn to the ARN of the default key works but isn't ideal for my particular scenario where we just want a copy of the email without encryption.

submitted PR: #4965

The fix for this has been merged into master and will release with version 1.25.0 of the AWS provider, likely middle of this week.

This has been released in version 1.25.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
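The two ways out of this error that the thread describes, written as Terraform 0.11 configuration. This is an added example, not code from the issue or from the provider: the data source label `ses_default` is hypothetical, and the alias name `alias/aws/ses` is an assumption based on the `aws/ses` key mentioned above.

```hcl
# Option 1 (the fix): require a provider release that contains the merged
# change, so an unset kms_key_arn no longer fails CreateReceiptRule.
provider "aws" {
  version = ">= 1.25.0"
}

# Option 2 (the workaround from the comments, for provider versions before
# 1.25.0): pass the ARN of the default SES key explicitly.
# Assumption: the AWS-managed key is reachable through the alias below.
data "aws_kms_alias" "ses_default" {
  name = "alias/aws/ses"
}

resource "aws_ses_receipt_rule" "ses_resource" {
  name          = "${var.account}-deploy"
  rule_set_name = "default-rule-set"
  enabled       = true
  scan_enabled  = true

  # recipients is left out here because the address is redacted on the page.

  s3_action {
    bucket_name       = "ses-mail"
    object_key_prefix = "${var.account}-deploy"
    position          = 1

    # Resolves to the key ARN rather than the alias ARN. Setting this turns
    # on encryption of the stored mail, which is why the commenter calls the
    # workaround not ideal for a plain, unencrypted copy.
    kms_key_arn = "${data.aws_kms_alias.ses_default.target_key_arn}"
  }
}
```

On provider 1.25.0 or later, drop the `kms_key_arn` line and the data source to store mail unencrypted, as the original configuration intended.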

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
