aws_kms_ciphertext 'unstable' output #960

Closed
OliverCole opened this issue Jun 23, 2017 · 7 comments · Fixed by #6993
Labels
bug Addresses a defect in current functionality. service/kms Issues and PRs that pertain to the kms service. service/lambda Issues and PRs that pertain to the lambda service.
Comments

@OliverCole
Contributor

OliverCole commented Jun 23, 2017

Terraform Version

Terraform v0.9.8

Affected Resource(s)

  • aws_kms_ciphertext

Terraform Configuration Files

# Account lookup used to build the key policy principal below
data "aws_caller_identity" "current" {}

provider "aws" {
  region = "eu-west-1"
}

# Execution role assumed by the Lambda function
resource "aws_iam_role" "LambdaBackend_master_lambda" {
  name               = "LambdaBackend_master_lambda"
  path               = "/"
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "LambdaBackend_master_lambda_AmazonS3ReadOnlyAccess" {
  role       = "${aws_iam_role.LambdaBackend_master_lambda.name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "LambdaBackend_master_lambda_AmazonDynamoDBFullAccess" {
  role       = "${aws_iam_role.LambdaBackend_master_lambda.name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
}

resource "aws_iam_role_policy_attachment" "LambdaBackend_master_lambda_CloudWatchFullAccess" {
  role       = "${aws_iam_role.LambdaBackend_master_lambda.name}"
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
}

# The ciphertext blob is passed to the function as an environment variable,
# so any change in the data source output shows up as a change on this resource
resource "aws_lambda_function" "LambdaBackend_lambda" {
  filename         = "email_lambda.zip"
  function_name    = "SpikeLambda"
  role             = "${aws_iam_role.LambdaBackend_master_lambda.arn}"
  handler          = "index.handler"
  source_code_hash = "${base64sha256(file("email_lambda.zip"))}"
  runtime          = "nodejs6.10"
  timeout          = 15
  publish          = true

  environment {
    variables = {
      apikey = "${data.aws_kms_ciphertext.apikey.ciphertext_blob}"
    }
  }
}

# CMK used to encrypt the environment value; the Lambda role may use the key
resource "aws_kms_key" "config" {
  description = "env config"
  is_enabled  = true
  policy      = <<POLICY
{
  "Version" : "2012-10-17",
  "Id" : "key-consolepolicy-3",
  "Statement" : [ {
    "Sid" : "Enable IAM User Permissions",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
    },
    "Action" : "kms:*",
    "Resource" : "*"
  }, {
    "Sid" : "Allow use of the key",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "${aws_iam_role.LambdaBackend_master_lambda.arn}"
    },
    "Action" : [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
    "Resource" : "*"
  }, {
    "Sid" : "Allow attachment of persistent resources",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "${aws_iam_role.LambdaBackend_master_lambda.arn}"
    },
    "Action" : [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
    "Resource" : "*",
    "Condition" : {
      "Bool" : {
        "kms:GrantIsForAWSResource" : "true"
      }
    }
  } ]
}
POLICY
}

# Data source: the plaintext is re-encrypted on every refresh (see Actual Behavior)
data "aws_kms_ciphertext" "apikey" {
  key_id    = "${aws_kms_key.config.key_id}"
  plaintext = "hunter2"
}

Debug Output

Run 1: https://gist.github.com/OliverCole/5feb1409f098a5ad5de523ed907cf93a
Run 2: https://gist.github.com/OliverCole/74ee789489a4582b6548a24cb180c07e

Expected/Desired Behavior

Ciphertext data source should be static, resulting in no changes to downstream dependencies.

Actual Behavior

λ terraform plan

...

~ aws_lambda_function.LambdaBackend_lambda
    environment.0.variables.apikey: "AQICAHhrx94Wb5zY2paCTEFBiotjAnNA5JkowPRTlnNgFDShRwEwemJy4XaanTNiJw/c4f5nAAAAazBpBgkqhkiG9w0BBwagXDBaAgEAMFUGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMNrQujwxAygW7NzoxAgEQgCjhQxFc+GZco8upPiXoqg7tBbyI+UmQvTX7Rk4Zrx+7mwGpcH0S8tlM" => "AQICAHhrx94Wb5zY2paCTEFBiotjAnNA5JkowPRTlnNgFDShRwGg+4IumuMxfn0LhPLisPCNAAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMCWnWVlL7BZdI9/QcAgEQgCIJrOrW56mdVTpYGt6k/rhqvgF+0EMx2gwxx5JB1dzsegQ/"


Plan: 0 to add, 1 to change, 0 to destroy.

λ terraform plan

...

~ aws_lambda_function.LambdaBackend_lambda
    environment.0.variables.apikey: "AQICAHhrx94Wb5zY2paCTEFBiotjAnNA5JkowPRTlnNgFDShRwEwemJy4XaanTNiJw/c4f5nAAAAazBpBgkqhkiG9w0BBwagXDBaAgEAMFUGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMNrQujwxAygW7NzoxAgEQgCjhQxFc+GZco8upPiXoqg7tBbyI+UmQvTX7Rk4Zrx+7mwGpcH0S8tlM" => "AQICAHhrx94Wb5zY2paCTEFBiotjAnNA5JkowPRTlnNgFDShRwEsP80A7AA1DNwPeQjBwUQfAAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM8S3Dt92qSVRXrEeAAgEQgCLiwJB1lND0Md3fKEr23kBmTj3rRkXUg/EcbXY191xLwsY5"


Plan: 0 to add, 1 to change, 0 to destroy.

Calls to data.aws_kms_ciphertext.apikey.ciphertext_blob in terraform console are stable and match the ...0S8tlM value above.

Steps to Reproduce

  1. terraform plan

References

@apparentlymart - https://groups.google.com/forum/#!topic/terraform-tool/7K4dLBmMrik

@apparentlymart apparentlymart added the bug Addresses a defect in current functionality. label Jun 23, 2017
@apparentlymart
Contributor

Thanks for filing this, @OliverCole.

Our usual rule for data sources is that they must be "generally stable", which is to say that they only change value in response to intentional actions. It might well be that, like many things that do crypto, there is no way to get a stable result out of this, and in that case we will probably need to recast this as a resource, thus allowing it to be generated once and referenced many times similar to resources such as tls_private_key, tls_self_signed_cert, etc.

@OliverCole
Contributor Author

Yes, I should have mentioned in the report, this constant change in value is consistent with the AWS CLI, and also with my understanding of KMS' use of envelope encryption, per the KMS whitepaper.

@JoelSpeed

I am also running into this problem. The input to aws_kms_ciphertext does not change yet the output does.

Has anyone started working on a fix? Possibly converting it to a resource? Would you be open to a PR for converting to a resource?

@bflad bflad added service/lambda Issues and PRs that pertain to the lambda service. service/kms Issues and PRs that pertain to the kms service. labels Jan 18, 2018
@pikeas

pikeas commented Apr 23, 2018

Running into this as well, would love to see this fixed!

@bflad
Contributor

bflad commented Mar 26, 2019

A new aws_kms_ciphertext resource has been merged and will release with version 2.4.0 of the Terraform AWS Provider, likely in the next two days. Thanks to @JoelSpeed and @cperilla-rival.
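The resource form that the 2.4.0 release introduced, shown against the issue's own key, role and Lambda names, as an added example rather than code from the issue or from the provider repository; it assumes the 0.11 interpolation syntax the issue's configuration uses, and the encryption context values are constructed for illustration:

```hcl
# Added example. The data source in the issue calls KMS Encrypt on every
# refresh, and KMS returns a different ciphertext for the same plaintext each
# time, so the Lambda environment shows a change on every plan. The resource
# form encrypts once at create time, stores the blob in state, and only
# re-encrypts when its own arguments change, which is what makes it stable.
resource "aws_kms_ciphertext" "apikey" {
  key_id    = "${aws_kms_key.config.key_id}"
  plaintext = "hunter2"

  # Encryption context is bound into the ciphertext as additional authenticated
  # data; the decrypting side must supply the same map. Values are constructed.
  context = {
    function = "SpikeLambda"
    purpose  = "apikey"
  }
}

resource "aws_lambda_function" "LambdaBackend_lambda" {
  filename         = "email_lambda.zip"
  function_name    = "SpikeLambda"
  role             = "${aws_iam_role.LambdaBackend_master_lambda.arn}"
  handler          = "index.handler"
  source_code_hash = "${base64sha256(file("email_lambda.zip"))}"
  runtime          = "nodejs6.10"
  timeout          = 15
  publish          = true

  environment {
    variables = {
      # Reference the resource, not the data source: this value now stays
      # constant across plans, so the function is no longer updated each run.
      apikey = "${aws_kms_ciphertext.apikey.ciphertext_blob}"
    }
  }
}
```

The plaintext argument is written to the Terraform state in clear, so the state backend needs the same access controls as the secret itself.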

@bflad
Contributor

bflad commented Mar 29, 2019

This has been released in version 2.4.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020