
KMS keys are being rebuilt every time #13973

Closed
FransUrbo opened this issue Apr 26, 2017 · 3 comments


FransUrbo commented Apr 26, 2017

I'm having my aws_kms_key rebuilt every time TF runs.

Terraform Version

0.9.1

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_kms_key

Terraform Configuration Files

resource "aws_kms_key" "lambda-slack" {
  description                 = "Lambda/Slack integration key"
  enable_key_rotation         = "true"
  policy                      = <<LAMBDA_SLACK_KEY
{
  "Id": "key-consolepolicy-2",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
            "arn:aws:iam::${var.account_id}:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
LAMBDA_SLACK_KEY
}

Expected Behavior

Not being rebuilt, there's no change.

Actual Behavior

Rebuilt every time.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

Solution

        "AWS": "arn:aws:iam::${var.account_id}:root"
FransUrbo changed the title from "KMS keys are reb" to "KMS keys are being rebuilt every time" on Apr 26, 2017

FransUrbo (Author) commented:

It's also a matter of order, it seems. If I take the output from the plan and "decipher" it, I get:

{
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Action": "kms:*",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
      },
      "Resource": "*",
      "Sid": "Enable IAM User Permissions"
    },
    {
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:user/turbo"
      },
      "Resource": "*",
      "Sid": "Allow access for Key Administrators"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/ASGNotify"
      },
      "Resource": "*",
      "Sid": "Allow use of the key"
    },
    {
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      },
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/ASGNotify"
      },
      "Resource": "*",
      "Sid": "Allow attachment of persistent resources"
    }
  ],
  "Version": "2012-10-17"
}
" => "
{
  "Id": "key-consolepolicy-2",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:user/turbo"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/ASGNotify"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/ASGNotify"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

Which, if I separate the before and after into separate files (/tmp/x1 and /tmp/x2 respectively), gives:

--- /tmp/x1     2017-04-26 12:03:51.000000000 +0100
+++ /tmp/x2     2017-04-26 12:03:58.000000000 +0100
@@ -1,16 +1,22 @@
 {
   "Id": "key-consolepolicy-2",
+  "Version": "2012-10-17",
   "Statement": [
     {
-      "Action": "kms:*",
+      "Sid": "Enable IAM User Permissions",
       "Effect": "Allow",
       "Principal": {
         "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
       },
-      "Resource": "*",
-      "Sid": "Enable IAM User Permissions"
+      "Action": "kms:*",
+      "Resource": "*"
     },
     {
+      "Sid": "Allow access for Key Administrators",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::<ACCOUNT_ID>:user/turbo"
+      },
       "Action": [
         "kms:Create*",
         "kms:Describe*",
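Review bot: every line this hunk adds or removes is a key moving position, not a value changing: "Version" goes from the end of the document to directly after "Id", and inside the first statement "Sid", "Action" and "Resource" are re-ordered while "Effect", "Principal" and the root ARN are untouched context. The five "+" lines that open the second statement are the same keys the old document lists after its "Action" array, beyond this hunk. A line-oriented diff of two pretty-printed JSON documents will therefore never come up empty, so this comparison cannot show whether anything substantive differs; parse both sides and compare them with keys sorted, so that only value-level differences (such as the single-element principal list versus the bare string seen in the first post) remain.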

mwarkentin (Contributor) commented:

I'm seeing this on a KMS key w/ policy as well (TF 0.8.8). The policy was generated via the KMS key creation form in the AWS console:

Terraform plan:

~ aws_kms_key.shared_obfuscated_rds_snapshots
    policy: "{\"Id\":\"shared-obfuscated-rds-snapshots-01\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::<account id 1>:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"},{\"Action\":[\"kms:Create*\",\"kms:Describe*\",\"kms:Enable*\",\"kms:List*\",\"kms:Put*\",\"kms:Update*\",\"kms:Revoke*\",\"kms:Disable*\",\"kms:Get*\",\"kms:Delete*\",\"kms:TagResource\",\"kms:UntagResource\",\"kms:ScheduleKeyDeletion\",\"kms:CancelKeyDeletion\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\"},\"Resource\":\"*\",\"Sid\":\"Allow access for Key Administrators\"},{\"Action\":[\"kms:Encrypt\",\"kms:Decrypt\",\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:DescribeKey\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\",\"arn:aws:iam::<account id 2>:root\"]},\"Resource\":\"*\",\"Sid\":\"Allow use of the key\"},{\"Action\":[\"kms:CreateGrant\",\"kms:ListGrants\",\"kms:RevokeGrant\"],\"Condition\":{\"Bool\":{\"kms:GrantIsForAWSResource\":\"true\"}},\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\",\"arn:aws:iam::<account id 2>:root\"]},\"Resource\":\"*\",\"Sid\":\"Allow attachment of persistent resources\"}],\"Version\":\"2012-10-17\"}" => "{\n  \"Id\": \"shared-obfuscated-rds-snapshots-01\",\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"Enable IAM User Permissions\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::<account id 1>:root\"\n        ]\n      },\n      \"Action\": \"kms:*\",\n      \"Resource\": \"*\"\n    },\n    {\n      \"Sid\": \"Allow access for Key Administrators\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\"\n        ]\n      },\n      \"Action\": [\n        \"kms:Create*\",\n        \"kms:Describe*\",\n        \"kms:Enable*\",\n        \"kms:List*\",\n        \"kms:Put*\",\n        \"kms:Update*\",\n        \"kms:Revoke*\",\n        \"kms:Disable*\",\n        \"kms:Get*\",\n        \"kms:Delete*\",\n        \"kms:TagResource\",\n        \"kms:UntagResource\",\n        \"kms:ScheduleKeyDeletion\",\n        \"kms:CancelKeyDeletion\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Sid\": \"Allow use of the key\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\",\n          \"arn:aws:iam::<account id 2>:root\"\n        ]\n      },\n      \"Action\": [\n        \"kms:Encrypt\",\n        \"kms:Decrypt\",\n        \"kms:ReEncrypt*\",\n        \"kms:GenerateDataKey*\",\n        \"kms:DescribeKey\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Sid\": \"Allow attachment of persistent resources\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy\",\n          \"arn:aws:iam::<account id 2>:root\"\n        ]\n      },\n      \"Action\": [\n        \"kms:CreateGrant\",\n        \"kms:ListGrants\",\n        \"kms:RevokeGrant\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"Bool\": {\n          \"kms:GrantIsForAWSResource\": true\n        }\n      }\n    }\n  ]\n}\n"

Terraform resource definition:

resource "aws_kms_key" "shared_obfuscated_rds_snapshots" {
  description = "A KMS key shared with *** account to enable sharing of encrypted RDS snapshots (of obfuscated databases)"

  # Policy generated by filling out the creation forms in AWS console
  policy = <<EOF
{
  "Id": "shared-obfuscated-rds-snapshots-01",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account id 1>:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy",
          "arn:aws:iam::<account id 2>:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account id 1>:role/AdminAccessFromLegacy",
          "arn:aws:iam::<account id 2>:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
EOF
}
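Both plan outputs above (FransUrbo's deciphered before/after and mwarkentin's single-line diff) show the same three representational differences: key order, a one-element principal list returned as a bare string, and a JSON boolean under a Bool condition returned as the string "true". The following is an added example, not code from the issue or from Terraform, that normalizes those differences so a genuine policy change can be told apart from such drift; it goes slightly beyond the page by also sorting lists, since Action, Principal and Statement lists have set semantics. The abridged policy and the <ACCOUNT_ID> placeholder are constructed.

```python
import json

# Condition operators whose values the API returns as "true"/"false" strings.
BOOL_OPERATORS = {"Bool", "BoolIfExists"}

def normalize(node, in_bool=False):
    """Canonicalize a parsed policy: key order is irrelevant, a one-element
    list equals its scalar, a boolean under a Bool condition equals its string
    form, and lists are sorted because Action/Principal/Statement are sets."""
    if isinstance(node, dict):
        return {k: normalize(v, in_bool or k in BOOL_OPERATORS)
                for k, v in node.items()}
    if isinstance(node, list):
        items = [normalize(v, in_bool) for v in node]
        if len(items) == 1:
            return items[0]
        return sorted(items, key=lambda v: json.dumps(v, sort_keys=True))
    if in_bool and isinstance(node, bool):
        return "true" if node else "false"
    if in_bool and isinstance(node, str):
        return node.lower()
    return node

def canonical(policy_json):
    """Whitespace-free, key-sorted serialization of the normalized policy."""
    return json.dumps(normalize(json.loads(policy_json)),
                      sort_keys=True, separators=(",", ":"))

def policies_equivalent(a, b):
    """True when two policy documents differ only in representation."""
    return canonical(a) == canonical(b)

# Constructed sample (abridged from the issue, account id is a placeholder):
# one statement as written in the Terraform config ...
CONFIG_POLICY = """{
  "Id": "key-consolepolicy-2", "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow attachment of persistent resources", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::<ACCOUNT_ID>:role/ASGNotify"]},
    "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
    "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
  }]}"""
# ... and as the KMS API returns it: keys reordered, the one-element
# principal list collapsed to a string, the boolean rendered as "true".
API_POLICY = ('{"Id":"key-consolepolicy-2","Statement":[{"Action":["kms:CreateGrant",'
              '"kms:ListGrants","kms:RevokeGrant"],"Condition":{"Bool":'
              '{"kms:GrantIsForAWSResource":"true"}},"Effect":"Allow","Principal":'
              '{"AWS":"arn:aws:iam::<ACCOUNT_ID>:role/ASGNotify"},"Resource":"*",'
              '"Sid":"Allow attachment of persistent resources"}],'
              '"Version":"2012-10-17"}')
```

Running `policies_equivalent(CONFIG_POLICY, API_POLICY)` returns True, while any real change to an action, principal or condition value makes it False.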


ghost commented Apr 9, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

ghost locked and limited conversation to collaborators on Apr 9, 2020
4 participants