
[Bug]: data aws_kms_key cannot recognize key_id via ARN, only via ALIAS ARN (bug in 4.53.0?) #29248

Closed
davesade opened this issue Feb 3, 2023 · 5 comments · Fixed by #29266
Labels
bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/kms Issues and PRs that pertain to the kms service.

Comments


davesade commented Feb 3, 2023

Terraform Core Version

0.13.7

AWS Provider Version

4.53.0

Affected Resource(s)

data "aws_kms_key"

Expected Behavior

We have used this construction successfully for many years:

data "aws_kms_key" "default" {
  key_id = "arn:aws:kms:${data.aws_region.current.name}:${account_id}:key/${some_key_id}"
}

It should return data about the object.

Actual Behavior

on .terraform/modules/... in data "aws_kms_key" "default":
185:   key_id = "arn:aws:kms:${data.aws_region.current.name}:xxxxx:key/xxx-xxxx"

Error: "key_id" (arn:aws:kms:us-east-1:xxxxx:key/xxx-xxx) is not a valid KMS Key ARN
on .terraform/modules/database.database/main.tf line 185, in data "aws_kms_key" "default":
185:   key_id = "arn:aws:kms:${data.aws_region.current.name}:211678869282:key/mrk-162b1f21e1444952a1a093731aba90a3"

Error: invalid value for key_id (must be a KMS Key Alias)
on .terraform/modules/database.database/main.tf line 185, in data "aws_kms_key" "default":
185:   key_id = "arn:aws:kms:${data.aws_region.current.name}:xxx:key/xxx-xxx"

Error: "key_id" (arn:aws:kms:us-east-1:xxxx:key/xxx-xxx) is not a valid KMS Key Alias ARN
on .terraform/modules/database.database/main.tf line 185, in data "aws_kms_key" "default":
185:   key_id = "arn:aws:kms:${data.aws_region.current.name}:xxxx:key/xxx-xxx"

Relevant Error/Panic Output Snippet

The only format that works:

arn:aws:kms:us-east-1:xxxx:alias/our/kmskeyalias

For some reason, it won't work with any other option.

This works up to 4.52.0.

### Terraform Configuration Files

data "aws_kms_key" "default" {
  key_id = "arn:aws:kms:${data.aws_region.current.name}:xxxx:key/xxx-xxx"
}

### Steps to Reproduce

terraform plan

### Debug Output

_No response_

### Panic Output

_No response_

### Important Factoids

_No response_

### References

_No response_

### Would you like to implement a fix?

None
@davesade davesade added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Feb 3, 2023

github-actions bot commented Feb 3, 2023

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/kms Issues and PRs that pertain to the kms service. label Feb 3, 2023
ewbankkit (Contributor) commented:

Relevant code modified in #29189.


darkwizard242 commented Feb 6, 2023

This appears to be due to the key_id validation occurring when using data.aws_kms_key. It happens to be validating with a very specific regex pattern (released in v4.53.0): https://github.com/hashicorp/terraform-provider-aws/blob/v4.53.0/internal/verify/verify.go#L9

Reference code links:

However, Multi-Region keys don't conform to that pattern and have a distinctive prefix mrk-*, as documented in the AWS docs here.

Might be best to flexibly validate both single region and multi region KMS key id patterns.
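As an added example (not the provider's own code; the regexes and the helper names KeyIDKind and ValidKeyID are constructed here), this Go snippet implements the flexible validation suggested above: it classifies a key_id into the four forms the data source accepted before 4.53.0, including mrk- multi-region key IDs and their ARNs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns for the key_id forms; constructed for this example, not taken from the provider.
var (
	// Single-region key IDs are UUIDs; multi-region keys use "mrk-" followed by 32 hex chars.
	keyIDRe = regexp.MustCompile(`^(mrk-[0-9a-f]{32}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$`)
	// Alias names are "alias/" followed by a path of letters, digits, '/', '_' and '-'.
	aliasRe = regexp.MustCompile(`^alias/[A-Za-z0-9/_-]+$`)
	// KMS ARN in any partition; the captured group is the resource part after the account ID.
	arnRe = regexp.MustCompile(`^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:(.+)$`)
)

// KeyIDKind (hypothetical helper) classifies a key_id value as "key-id", "key-arn",
// "alias-name" or "alias-arn", returning "" when it matches none of them.
func KeyIDKind(v string) string {
	switch {
	case keyIDRe.MatchString(v):
		return "key-id"
	case aliasRe.MatchString(v):
		return "alias-name"
	}
	m := arnRe.FindStringSubmatch(v)
	if m == nil {
		return ""
	}
	switch res := m[1]; {
	case strings.HasPrefix(res, "key/") && keyIDRe.MatchString(res[4:]):
		return "key-arn"
	case aliasRe.MatchString(res):
		return "alias-arn"
	}
	return ""
}

// ValidKeyID is the flexible check: any of the four forms, mrk- keys included.
func ValidKeyID(v string) bool { return KeyIDKind(v) != "" }

func main() {
	// Sample inputs constructed from the forms quoted in this issue.
	for _, v := range []string{"mrk-362c283328f84956bf6f4b544de91aa7",
		"arn:aws:kms:us-east-1:211678869282:key/mrk-162b1f21e1444952a1a093731aba90a3"} {
		fmt.Printf("%s -> %q\n", v, KeyIDKind(v))
	}
}
```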

ewbankkit (Contributor) commented:

We are getting an error in CI from an acceptance test:

=== RUN   TestAccKMSKeyDataSource_multiRegionConfiguration
=== PAUSE TestAccKMSKeyDataSource_multiRegionConfiguration
=== CONT  TestAccKMSKeyDataSource_multiRegionConfiguration
key_data_source_test.go:86: Step 1/1 error: Error running apply: exit status 1
Error: invalid value for key_id (must be a KMS Key ID)
with data.aws_kms_key.test,
on terraform_plugin_test.tf line 9, in data "aws_kms_key" "test":
9:   key_id = aws_kms_key.test.key_id
Error: "key_id" (mrk-362c283328f84956bf6f4b544de91aa7) is an invalid ARN: arn: invalid prefix
with data.aws_kms_key.test,
on terraform_plugin_test.tf line 9, in data "aws_kms_key" "test":
9:   key_id = aws_kms_key.test.key_id
Error: invalid value for key_id (must be a KMS Key Alias)
with data.aws_kms_key.test,
on terraform_plugin_test.tf line 9, in data "aws_kms_key" "test":
9:   key_id = aws_kms_key.test.key_id
Error: "key_id" (mrk-362c283328f84956bf6f4b544de91aa7) is an invalid ARN: arn: invalid prefix
with data.aws_kms_key.test,
on terraform_plugin_test.tf line 9, in data "aws_kms_key" "test":
9:   key_id = aws_kms_key.test.key_id
--- FAIL: TestAccKMSKeyDataSource_multiRegionConfiguration (66.00s)
FAIL

and I get a similar error if I use an MRK's ARN as key_id.

@ewbankkit ewbankkit added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. labels Feb 6, 2023
@ewbankkit ewbankkit self-assigned this Feb 6, 2023

github-actions bot commented Mar 9, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 9, 2023