
KMS keys are being rebuilt every time #720

Closed
hashibot opened this issue Jun 13, 2017 · 8 comments · Fixed by #3832
Labels
bug Addresses a defect in current functionality. service/kms Issues and PRs that pertain to the kms service.
Comments

@hashibot
This issue was originally opened by @FransUrbo as hashicorp/terraform#13973. It was migrated here as part of the provider split. The original body of the issue is below.


I'm having my aws_kms_key rebuilt every time TF runs.

Terraform Version

0.9.1

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_kms_key

Terraform Configuration Files

resource "aws_kms_key" "lambda-slack" {
  description                 = "Lambda/Slack integration key"
  enable_key_rotation         = "true"
  policy                      = <<LAMBDA_SLACK_KEY
{
  "Id": "key-consolepolicy-2",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
            "arn:aws:iam::${var.account_id}:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
LAMBDA_SLACK_KEY
}

Expected Behavior

Not being rebuilt, there's no change.

Actual Behavior

Rebuilt every time.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

Solution

        "AWS": "arn:aws:iam::${var.account_id}:root"
@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@mwarkentin (Contributor)

Copying my comment from the earlier ticket as well:

I'm seeing this on a kms key w/ policy as well (TF 0.8.8). Policy was generated via KMS key creation form in AWS console:

Terraform plan:

~ aws_kms_key.shared_obfuscated_rds_snapshots
    policy: "{\"Id\":\"shared-obfuscated-rds-snapshots-01\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::<account id 1>:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"},{\"Action\":[\"kms:Create*\",\"kms:Describe*\",\"kms:Enable*\",\"kms:List*\",\"kms:Put*\",\"kms:Update*\",\"kms:Revoke*\",\"kms:Disable*\",\"kms:Get*\",\"kms:Delete*\",\"kms:TagResource\",\"kms:UntagResource\",\"kms:ScheduleKeyDeletion\",\"kms:CancelKeyDeletion\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\"},\"Resource\":\"*\",\"Sid\":\"Allow access for Key Administrators\"},{\"Action\":[\"kms:Encrypt\",\"kms:Decrypt\",\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:DescribeKey\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\",\"arn:aws:iam::<account id 2>:root\"]},\"Resource\":\"*\",\"Sid\":\"Allow use of the key\"},{\"Action\":[\"kms:CreateGrant\",\"kms:ListGrants\",\"kms:RevokeGrant\"],\"Condition\":{\"Bool\":{\"kms:GrantIsForAWSResource\":\"true\"}},\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\",\"arn:aws:iam::<account id 2>:root\"]},\"Resource\":\"*\",\"Sid\":\"Allow attachment of persistent resources\"}],\"Version\":\"2012-10-17\"}" => "{\n  \"Id\": \"shared-obfuscated-rds-snapshots-01\",\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"Enable IAM User Permissions\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::<account id 1>:root\"\n        ]\n      },\n      \"Action\": \"kms:*\",\n      \"Resource\": \"*\"\n    },\n    {\n      \"Sid\": \"Allow access for Key Administrators\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\"\n        ]\n      },\n      \"Action\": [\n        \"kms:Create*\",\n        \"kms:Describe*\",\n        \"kms:Enable*\",\n        \"kms:List*\",\n        \"kms:Put*\",\n        \"kms:Update*\",\n        \"kms:Revoke*\",\n        \"kms:Disable*\",\n        \"kms:Get*\",\n        \"kms:Delete*\",\n        \"kms:TagResource\",\n        \"kms:UntagResource\",\n        \"kms:ScheduleKeyDeletion\",\n        \"kms:CancelKeyDeletion\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Sid\": \"Allow use of the key\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\",\n          \"arn:aws:iam::<account id 2>:root\"\n        ]\n      },\n      \"Action\": [\n        \"kms:Encrypt\",\n        \"kms:Decrypt\",\n        \"kms:ReEncrypt*\",\n        \"kms:GenerateDataKey*\",\n        \"kms:DescribeKey\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Sid\": \"Allow attachment of persistent resources\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\",\n          \"arn:aws:iam::<account id 2>:root\"\n        ]\n      },\n      \"Action\": [\n        \"kms:CreateGrant\",\n        \"kms:ListGrants\",\n        \"kms:RevokeGrant\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"Bool\": {\n          \"kms:GrantIsForAWSResource\": true\n        }\n      }\n    }\n  ]\n}\n"

Terraform resource definition:

resource "aws_kms_key" "shared_obfuscated_rds_snapshots" {
  description = "A KMS key shared with *** account to enable sharing of encrypted RDS snapshots (of obfuscated databases)"

  # Policy generated by filling out the creation forms in AWS console
  policy = <<EOF
{
  "Id": "shared-obfuscated-rds-snapshots-01",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account id 1>:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy",
          "arn:aws:iam::<account id 2>:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy",
          "arn:aws:iam::<account id 2>:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
EOF
}

@bflad (Contributor) commented Nov 14, 2017

Hmm. I've definitely run into this before as well, albeit with even aws_iam_policy and the like. These resource schemas have implemented DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs on the policy attributes for quite a while now. It's using jen20/awspolicyequivalence for the equivalence logic. Maybe a new upstream issue needs to be created there?

@bflad (Contributor) commented Nov 14, 2017

For what it's worth, I tried putting the aws_kms_key policies (using the plan diff above) into https://github.com/jen20/awspolicyequivalence/blob/master/aws_policy_equivalence_test.go and they pass equivalence testing.

@PLaRoche

I'm coming across this now with Terraform v0.11.2

@bflad bflad added the service/kms Issues and PRs that pertain to the kms service. label Jan 19, 2018
@endzyme commented Mar 14, 2018

Also having this problem with v0.11.2 aws v1.11.0

EDIT: figured out my problem - the policy accepts just an account ID but modifies it to the account ID ARN -- the new plan always says this is non-matching and needs to make it just the account ID again.

@bflad (Contributor) commented Mar 20, 2018

Hi folks! 👋 This issue was marked to close in #3832 due to a dependency update to an upstream library we use to compare the equivalence of two IAM policies: https://github.com/jen20/awspolicyequivalence/. The updated library should now treat account ID 123456789012 principals as equivalent to IAM account root ARNs arn:PARTITION:iam::123456789012:root. You can see some examples of what will now match in the upstream library unit testing:

https://github.com/jen20/awspolicyequivalence/blob/9fbcaca9f9f868b9560463d0790aae33b2322945/aws_policy_equivalence_test.go#L1076-L1200

This update will be released in v1.12.0 of the AWS provider, which we expect to release later this week.

I apologize this may not cover all IAM policy equivalence issues, but please do consider opening new GitHub issues in https://github.com/terraform-providers/terraform-provider-aws/ or https://github.com/jen20/awspolicyequivalence/ for other specific examples that show as inequivalent.

@bflad bflad added this to the v1.12.0 milestone Mar 20, 2018
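The plan diff in @mwarkentin's comment and the account-ID case in @endzyme's and @bflad's comments are the same class of problem: the policy Terraform writes and the policy the KMS API hands back are semantically identical but not byte-identical, so a naive comparison reports a change. The script below is an added illustration, written for this page; it is not the provider's code and not jen20/awspolicyequivalence, whose rules are broader. It canonicalises two IAM policy documents the way AWS normalises them on storage (single-element lists collapsed to scalars, bare 12-digit account IDs expanded to the account root ARN, Bool condition values quoted, list and key order ignored) and shows that the naive check reports a diff while the canonical check does not. The sample policies are constructed for the example, modelled on the plan output above with placeholder account IDs.

```python
"""Added example: a simplified IAM policy equivalence check (not the provider's
or awspolicyequivalence's own code)."""
import json
import re

# Keys where a one-element list and the bare scalar mean the same thing; AWS
# stores the scalar form, which is why the plan above shows ["arn"] => "arn".
_SCALAR_OR_LIST_KEYS = {"AWS", "Service", "Federated", "Action", "NotAction",
                        "Resource", "NotResource"}
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def _canon(value, key=None):
    """Recursively canonicalise a decoded policy value; `key` is the enclosing JSON key."""
    if isinstance(value, dict):
        return {k: _canon(v, k) for k, v in value.items()}
    if isinstance(value, list):
        items = [_canon(v, key) for v in value]
        if key in _SCALAR_OR_LIST_KEYS and len(items) == 1:
            return items[0]
        # Order of principals, actions, resources and statements carries no meaning.
        return sorted(items, key=lambda i: json.dumps(i, sort_keys=True))
    if isinstance(value, bool):
        # Condition values are strings on the wire: true -> "true".
        return "true" if value else "false"
    if isinstance(value, str) and key == "AWS" and _ACCOUNT_ID.match(value):
        # A bare account ID principal is stored as the account root ARN.
        return f"arn:aws:iam::{value}:root"
    return value


def canonical_policy(doc):
    """Parse a policy document and return its canonical Python form."""
    policy = json.loads(doc)
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # "Statement" may be a single object
        stmts = [stmts]
    policy["Statement"] = stmts
    return _canon(policy)


def raw_equal(a, b):
    """The naive check that produces the spurious diff: structural JSON equality."""
    return json.loads(a) == json.loads(b)


def policies_equivalent(a, b):
    """Equivalence after canonicalisation; what a DiffSuppressFunc needs to answer."""
    return canonical_policy(a) == canonical_policy(b)


# Constructed sample: what an operator writes in the Terraform config.
WRITTEN = """{
  "Id": "example-key-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::123456789012:role/KeyAdmin", "210987654321"]},
      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
      "Resource": "*",
      "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
    }
  ]
}"""

# Constructed sample: the same policy as the API returns it (compact, keys sorted,
# one-element lists collapsed, account ID expanded to root ARN, boolean quoted).
STORED = ('{"Id":"example-key-policy","Statement":[{"Action":"kms:*","Effect":"Allow",'
          '"Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Resource":"*",'
          '"Sid":"Enable IAM User Permissions"},{"Action":["kms:CreateGrant",'
          '"kms:ListGrants","kms:RevokeGrant"],"Condition":{"Bool":'
          '{"kms:GrantIsForAWSResource":"true"}},"Effect":"Allow","Principal":'
          '{"AWS":["arn:aws:iam::210987654321:root","arn:aws:iam::123456789012:role/KeyAdmin"]},'
          '"Resource":"*","Sid":"Allow attachment of persistent resources"}],'
          '"Version":"2012-10-17"}')

if __name__ == "__main__":
    print("naive comparison sees a change:", not raw_equal(WRITTEN, STORED))
    print("canonical comparison sees a change:", not policies_equivalent(WRITTEN, STORED))
```

The negative case matters as much as the positive one: a check that is too forgiving would hide a real change to a key policy, which is an access-control change. Swapping one action in the stored policy must still be reported as a difference, and the test below asserts that.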
@bflad (Contributor) commented Mar 23, 2018

This has been released in version 1.12.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020