
Terraform Fails with MalformedPolicyDocumentException When Creating KMS Key for EBS Encryption on EKS Cluster Nodes

Open Moep90 opened this issue 1 year ago • 1 comments

Description

I try to create a KMS Key with respective policies using this module. It then should be used with EKS Autoscaling.

  • [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: v2.2.1
  • Terraform version:
$ terraform --version
Terraform v1.5.7
on darwin_arm64
  • Provider version(s):
[...]
+ provider registry.terraform.io/hashicorp/aws v5.43.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.3
+ provider registry.terraform.io/hashicorp/null v3.2.2
+ provider registry.terraform.io/hashicorp/time v0.11.1
[...]

Reproduction Code [Required]

data "aws_caller_identity" "current" {}

module "kms" {
  source = "terraform-aws-modules/kms/aws"

  description = "EC2 AutoScaling key usage"
  key_usage   = "ENCRYPT_DECRYPT"

  # Policy
  key_administrators                 = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/admin"] # <-- role exists
  key_service_roles_for_autoscaling  = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]

  # Aliases
  aliases = ["mycompany/ebs"]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Steps to reproduce the behavior:

$ rm -rf .terraform
$ terraform init -upgrade
$ terraform apply -target module.kms

Expected behavior

The KMS Policy should be created.

Actual behavior

Terraform fails after about 1.5 minutes with a MalformedPolicyDocumentException.

Terminal Output Screenshot(s)

│ Error: creating KMS Key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
│
│   with module.kms.aws_kms_key.this[0],
│   on .terraform/modules/kms/main.tf line 18, in resource "aws_kms_key" "this":
│   18: resource "aws_kms_key" "this" {

Additional context

Moep90 avatar Apr 09 '24 11:04 Moep90
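KMS only accepts a key policy whose IAM principals it can resolve, so "Policy contains a statement with one or more invalid principals" almost always means an ARN in the rendered policy is malformed or names a role that does not exist in the account yet. The script below is an added example (not code from this issue or from the terraform-aws-modules/kms module) of the pre-apply check a defender would run: it walks every `Principal.AWS` entry in a key policy document and reports entries that are malformed or absent from a list of known IAM role ARNs. The policy document, its Sids and the set of existing roles are constructed sample data; in a real check the role list would come from `iam:ListRoles`, and the sample deliberately omits the Auto Scaling service-linked role to model an account where it has not been created yet.

```python
"""Pre-apply principal check for a KMS key policy (added example, constructed data)."""
import json
import re

# Account id must be exactly 12 digits; principal must be root, a user or a role.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")

ADMIN_ARN = "arn:aws:iam::123456789012:role/admin"
SLR_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
TYPO_ARN = "arn:aws:iam::12345678901:role/admin"  # constructed: 11-digit account id

# Constructed sample policy in the shape the issue's module call would render.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRoot", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "KeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": [ADMIN_ARN]},
         "Action": ["kms:Create*", "kms:Describe*", "kms:ScheduleKeyDeletion"],
         "Resource": "*"},
        {"Sid": "KeyServiceRolesASG", "Effect": "Allow",
         "Principal": {"AWS": SLR_ARN},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
        {"Sid": "AdminTypo", "Effect": "Allow",
         "Principal": {"AWS": TYPO_ARN},
         "Action": "kms:Describe*", "Resource": "*"},
    ],
}

# Constructed stand-in for the output of iam:ListRoles in the target account.
# The service-linked role is intentionally absent.
SAMPLE_EXISTING_ROLES = {
    ADMIN_ARN,
    "arn:aws:iam::123456789012:role/eks-node",
}


def iter_aws_principals(policy):
    """Yield (sid, principal) for every entry under Principal.AWS."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or no Principal: nothing for IAM to resolve
        entries = principal.get("AWS", [])
        if isinstance(entries, str):
            entries = [entries]
        for entry in entries:
            yield stmt.get("Sid", "<no Sid>"), entry


def classify_principal(principal, existing_role_arns):
    """Return 'ok', 'malformed' or 'missing' for one Principal.AWS entry."""
    if principal == "*":
        return "ok"
    match = ARN_RE.match(principal)
    if not match:
        return "malformed"
    if match.group(2) == "root":
        return "ok"  # account root needs no IAM lookup
    return "ok" if principal in existing_role_arns else "missing"


def find_invalid_principals(policy, existing_role_arns):
    """List (sid, principal, reason) for every entry KMS would reject."""
    findings = []
    for sid, principal in iter_aws_principals(policy):
        reason = classify_principal(principal, existing_role_arns)
        if reason != "ok":
            findings.append((sid, principal, reason))
    return findings


if __name__ == "__main__":
    # Accepts a rendered policy JSON string exactly as terraform would submit it.
    policy = json.loads(json.dumps(SAMPLE_POLICY))
    for sid, principal, reason in find_invalid_principals(policy, SAMPLE_EXISTING_ROLES):
        print(f"{reason:9} {sid}: {principal}")
```

Run against the constructed sample it flags the service-linked role as missing and the 11-digit account id as malformed, which are the two conditions that produce the issue's error; a `terraform plan` rendered `policy` attribute can be fed to `find_invalid_principals` in the same way.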

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar May 10 '24 00:05 github-actions[bot]

This issue was automatically closed because of stale in 10 days

github-actions[bot] avatar May 21 '24 00:05 github-actions[bot]

I have the same issue when specifying existing role arns...

cthiebault avatar Jun 12 '24 06:06 cthiebault

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Jul 14 '24 02:07 github-actions[bot]