Terraform version: Terraform v0.11.13
Affected resource: aws_cloudwatch_log_group
provider "aws" {
  # HCL only interpolates "${...}", so a literal "$HOME" is never expanded;
  # the provider does expand "~".
  shared_credentials_file = "~/.aws/credentials"
  profile                 = "default"
  region                  = "us-east-2"
}

resource "aws_kms_key" "cmk" {
  description = "master key"
  # No policy argument: the key gets only the default statement granting the
  # account root kms:*, so the CloudWatch Logs service principal has no access.
}

resource "aws_cloudwatch_log_group" "log-group" {
  # kms_key_id expects the key ARN, not the key ID
  kms_key_id = "${aws_kms_key.cmk.arn}"
}
https://gist.github.com/buddhamangler/34f519cca0d06c81579d1157571d4673
Expected behavior: CloudWatch log group should be created
Actual behavior: CloudWatch log group creation fails
Steps to reproduce: terraform apply
Nothing atypical here. I am quite new to Terraform, but I feel like I'm missing something here. I had CloudWatch log groups creating just fine a couple of days ago and then started getting this error every time. I reduced my template down to this very simple example. I don't understand why it is failing. I thought maybe it was my account, but other accounts have the same behavior. Am I missing some sort of policy?
Any help appreciated!
Same error here.
* aws_cloudwatch_log_group.foo: 1 error(s) occurred:
* aws_cloudwatch_log_group.foo: Creating CloudWatch Log Group failed: InvalidParameterException: Unable to validate if specified KMS key is valid.
Terraform v0.11.13
I added this policy to my key: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
And looked at the debug output with TF_LOG=1 terraform apply and saw that my user was missing the logs:AssociateKmsKey permission.
When I added that permission it worked for me.
@euan-forrester I will check this out on Monday and report back. Thanks!
@euan-forrester is correct. Adding the following policy to the aws_kms_key fixed the issue for me.
variable "region" {}
variable "app_name" {}
variable "environment" {}

data "aws_caller_identity" "current" {}

resource "aws_kms_key" "cmk" {
  description = "master key"

  # Statement 1 keeps the default grant to the account root (dropping it risks
  # making the key unmanageable). Statement 2 lets the regional CloudWatch Logs
  # service principal use the key; the AWS documentation linked above also
  # recommends a Condition on kms:EncryptionContext:aws:logs:arn to restrict
  # which log groups may use it.
  policy = <<EOF
{
  "Version" : "2012-10-17",
  "Id" : "key-default-1",
  "Statement" : [
    {
      "Sid" : "Enable IAM User Permissions",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      },
      "Action" : "kms:*",
      "Resource" : "*"
    },
    {
      "Effect": "Allow",
      "Principal": { "Service": "logs.${var.region}.amazonaws.com" },
      "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
EOF

  tags {
    Application = "${var.app_name}"
    Environment = "${var.environment}"
  }
}
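The thread ends up with two separate permissions that both have to be in place before `terraform apply` succeeds: the key policy must let the regional `logs.<region>.amazonaws.com` service principal use the key, and the identity running Terraform must hold `logs:AssociateKmsKey`. The script below is an added example, not code from this thread or from the provider, that checks both offline against saved policy documents, honouring IAM's case-insensitive `*` wildcards and the fact that the Logs service principal is regional. The account ID, region and all sample policies are constructed for the demo; on a real key, feed it the output of `aws kms get-key-policy --key-id <id> --policy-name default --query Policy --output text`.

```python
# Added example (not from the issue thread or the provider): offline pre-flight
# checks for the two permissions the thread found missing. Account ID, region
# and the sample policies are constructed for the demo.
import fnmatch
import json

# Actions the CloudWatch Logs service principal needs on the CMK, per the AWS
# docs on encrypting log data with KMS (linked in the thread).
REQUIRED_KMS_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
)


def _as_list(value):
    """Policy fields may be a string, a list, or absent; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _allow_statements(policy_json):
    policy = json.loads(policy_json)
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def missing_kms_actions(key_policy_json, region):
    """Required KMS actions the key policy does NOT grant to logs.<region>.amazonaws.com.

    The service principal is regional, so a policy written for us-east-2 grants
    nothing to a log group in us-west-2. Only Allow statements are examined; Deny
    statements and Condition blocks are ignored, so [] is necessary, not sufficient.
    """
    service_principal = f"logs.{region}.amazonaws.com"
    granted = []
    for st in _allow_statements(key_policy_json):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal == "*" or service_principal in services:
            granted.extend(_as_list(st.get("Action")))
    return [a for a in REQUIRED_KMS_ACTIONS if not _action_matches(a, granted)]


def grants_associate_kms_key(identity_policy_json):
    """True if an Allow statement covers logs:AssociateKmsKey, directly or via a
    wildcard such as logs:*. Resource scoping is not checked."""
    return any(_action_matches("logs:AssociateKmsKey", _as_list(st.get("Action")))
               for st in _allow_statements(identity_policy_json))


ACCOUNT_ID = "123456789012"  # constructed
REGION = "us-east-2"
ROOT_STATEMENT = {  # the default statement a key gets when no policy is supplied
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "kms:*", "Resource": "*",
}
KEY_POLICY_DEFAULT = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_STATEMENT]})

# The thread's fix, plus the encryption-context condition the AWS docs recommend so
# that only the named log group can use the key.
KEY_POLICY_FIXED = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_STATEMENT, {
    "Effect": "Allow",
    "Principal": {"Service": f"logs.{REGION}.amazonaws.com"},
    "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:Describe*"],
    "Resource": "*",
    "Condition": {"ArnEquals": {"kms:EncryptionContext:aws:logs:arn":
                                f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:example-group"}},
}]})

# Identity policies for the user running terraform apply, without and with the
# action euan-forrester found missing in the TF_LOG output.
LOG_ACTIONS = ["logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:PutRetentionPolicy"]
USER_POLICY_MISSING = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "*"}]})
USER_POLICY_OK = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOG_ACTIONS + ["logs:AssociateKmsKey"], "Resource": "*"}]})

if __name__ == "__main__":
    print("default key policy, missing:", missing_kms_actions(KEY_POLICY_DEFAULT, REGION))
    print("fixed key policy, missing:   ", missing_kms_actions(KEY_POLICY_FIXED, REGION))
    print("fixed policy, us-west-2:     ", missing_kms_actions(KEY_POLICY_FIXED, "us-west-2"))
    print("AssociateKmsKey allowed:", grants_associate_kms_key(USER_POLICY_MISSING),
          grants_associate_kms_key(USER_POLICY_OK))
```

The default key policy reports every required action as missing, which is exactly the state the original `aws_kms_key` without a `policy` argument was in. The same fixed policy checked against a different region also reports everything missing, because `logs.us-east-2.amazonaws.com` and `logs.us-west-2.amazonaws.com` are different principals; that is the first thing to verify when a module parameterised on `var.region` is reused. The checker deliberately ignores Deny statements and Conditions, so treat a clean result as a prerequisite rather than proof that the `apply` will succeed.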
Closing this issue