AWS provider: KMS key creation fails if the policy references a recently created IAM entity #6576
Comments
Hey @jimmycuadra – This is happening because Terraform will create your resources in parallel if it's unable to see any dependency / relationship between them. In your example, the role and key are not related, so it creates both at the same(-ish) time, which results in the error you've seen. The policy you're using does not derive any of its contents from the role you're creating, so it doesn't know that it needs to allow the role to be created first, and then the key. So, the creation graph of your example looks like so: After the Provider is established, the other 2 remaining resources can be created in parallel. To explicitly declare a dependency, you can use the

This explicitly declares a dependency, and the graph to create your infrastructure becomes this: Where you see the role must be created first before the key can be created. Hope that helps!
I did as you described but still got the same behavior as before:

Any chance of this being reopened? The issue still happens after adding
Likely fixed in 0.7. See #4709 |
This is still happening on 0.7.3. I added the depends_on with no luck. Same behavior: fails the first run, passes the second run.

Could a maintainer please reopen this issue?

I believe this may still be happening even with a direct dependency connection between The best solution would probably be similar to #7324, which addressed the EC2 instance & IAM Role case itself (possibly referencing other IAM identities).
Just had the same issue with TF version 8.7.
I think the retry isn't happening.

This issue is still present in Terraform version 0.11.14.4 using AWS provider 2.39.0. Can we please reopen the issue?

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
When creating a new KMS key with the AWS provider, if the key policy references an IAM role that was just created from the same Terraform configuration, a generic `MalformedPolicyDocumentException` is returned by the AWS API and the operation fails. Waiting a minute and running apply again results in success. It seems that there may be a short delay between the time an IAM entity (in my case it's a role, but I'd bet it'd be the same for a user) is created and the time KMS is able to see it and use it in a key policy. Terraform should probably wait and retry the operation a few times like it does with other resources that may take time to complete.

Unfortunately, the KMS key creation API uses this generic `MalformedPolicyDocumentException` for any error related to the contents of the key policy (a syntax error in the policy or using a malformed ARN will also result in the same exception), so it may not be possible to differentiate between this case and an actual failure that will not succeed on a subsequent attempt. The exception doesn't include a message or any sort of information other than its name.

Terraform Version
0.6.15
Affected Resource(s)
Terraform Configuration Files
The policy looks like this:
Note that the "example" IAM role is created by Terraform, but the IAM users "alice" and "bob" already exist and are not managed by Terraform.
Expected Behavior

The key should be created and `terraform apply` should complete successfully.

Actual Behavior

The following error is produced, which halts the `terraform apply`:

Waiting a minute and running `terraform apply` again successfully creates the key.

Steps to Reproduce

`terraform apply`
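The retry the reporter asks for, written out as an added example that is not part of this issue and not the Terraform AWS provider's own code: a bounded retry loop around key creation that keeps going only while the API answers with `MalformedPolicyDocumentException`, fails fast on any other code, and gives up at a deadline. It runs offline against a constructed fake KMS that hides a freshly created role for the first few calls and rejects a broken policy on every call, using the same error code for both, as the issue describes. The `KeyCreator` interface, `FakeKMS`, the two policies, the placeholder account ID and the key ID are all assumptions made for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"time"
)

// MalformedPolicyCode is the one error code KMS returns for every key-policy
// problem, including a principal that IAM has not yet propagated.
const MalformedPolicyCode = "MalformedPolicyDocumentException"

// APIError models the AWS SDK error shape: a code plus an often-empty message.
type APIError struct {
	Code    string
	Message string
}

func (e *APIError) Error() string { return e.Code + ": " + e.Message }

// KeyCreator is a hypothetical abstraction of kms:CreateKey so the retry loop
// can be exercised offline; it is not the provider's or the SDK's interface.
type KeyCreator interface {
	CreateKey(ctx context.Context, policy string) (keyID string, err error)
}

// CreateKeyWithRetry calls CreateKey until it succeeds, until maxWait has
// elapsed, or until an error other than MalformedPolicyDocumentException
// comes back. It returns the key ID, the number of attempts made and the
// final error (the last API error is wrapped so the caller can inspect its code).
func CreateKeyWithRetry(ctx context.Context, c KeyCreator, policy string, maxWait, interval time.Duration) (string, int, error) {
	deadline := time.Now().Add(maxWait)
	attempts := 0
	for {
		attempts++
		id, err := c.CreateKey(ctx, policy)
		if err == nil {
			return id, attempts, nil
		}
		var ae *APIError
		if !errors.As(err, &ae) || ae.Code != MalformedPolicyCode {
			return "", attempts, err // not the propagation case: fail fast
		}
		if time.Now().After(deadline) {
			// A genuinely malformed policy lands here too; that is the caveat.
			return "", attempts, fmt.Errorf("giving up after %d attempts over %s: %w", attempts, maxWait, err)
		}
		select {
		case <-ctx.Done():
			return "", attempts, ctx.Err()
		case <-time.After(interval):
		}
	}
}

// FakeKMS is a constructed stand-in for the KMS API used only by this example.
// A policy naming role/example is rejected until VisibleAfter calls have been
// made (IAM propagation delay); a policy with no "Version" field stands in for
// a syntax error and is rejected on every call. Both use the same error code,
// as KMS does. AlwaysCode, when set, makes every call fail with that code.
type FakeKMS struct {
	VisibleAfter int
	AlwaysCode   string
	Calls        int
}

func (f *FakeKMS) CreateKey(_ context.Context, policy string) (string, error) {
	f.Calls++
	if f.AlwaysCode != "" {
		return "", &APIError{Code: f.AlwaysCode}
	}
	if !strings.Contains(policy, `"Version"`) {
		return "", &APIError{Code: MalformedPolicyCode}
	}
	if strings.Contains(policy, ":role/example") && f.Calls < f.VisibleAfter {
		return "", &APIError{Code: MalformedPolicyCode}
	}
	return "key-0001", nil // constructed key ID
}

// Constructed policies: a valid one naming the freshly created role (placeholder
// account ID), and one missing the Version field.
const (
	GoodPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/example"},"Action":"kms:*","Resource":"*"}]}`
	BadPolicy  = `{"Statement":[]}`
)

func main() {
	ctx := context.Background()

	// The role becomes visible on the third call: the retry rides it out.
	id, n, err := CreateKeyWithRetry(ctx, &FakeKMS{VisibleAfter: 3}, GoodPolicy, 2*time.Minute, 10*time.Millisecond)
	fmt.Printf("propagation delay: id=%q attempts=%d err=%v\n", id, n, err)

	// A real syntax error carries the same code, so it is only reported at the deadline.
	_, n, err = CreateKeyWithRetry(ctx, &FakeKMS{}, BadPolicy, 50*time.Millisecond, 10*time.Millisecond)
	fmt.Printf("syntax error: attempts=%d err=%v\n", n, err)

	// Any other code fails on the first attempt.
	_, n, err = CreateKeyWithRetry(ctx, &FakeKMS{AlwaysCode: "AccessDeniedException"}, GoodPolicy, 2*time.Minute, 10*time.Millisecond)
	fmt.Printf("access denied: attempts=%d err=%v\n", n, err)
}
```

The design point is the one the reporter raises: because KMS uses a single code for an unpropagated principal and for a bad policy, the loop cannot tell them apart, so a real mistake in the policy surfaces only when `maxWait` expires. Keep the deadline bounded (on the order of the IAM propagation delay, not open-ended), fail fast on every other code so permission and throttling errors are not masked, and wrap rather than swallow the last error so the operator still sees `MalformedPolicyDocumentException` when the retries run out.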