
aws.glue.DataCatalogEncryptionSettings always change if using AWS managed key

Open ViktorCollin opened this issue 1 year ago • 2 comments

What happened?

When creating an aws.glue.DataCatalogEncryptionSettings resource and trying to use the AWS managed KMS key for connection password encryption by leaving the optional property dataCatalogEncryptionSettings.connectionPasswordEncryption.awsKmsKeyId empty, the following change is always detected:

```
~ dataCatalogEncryptionSettings: {
    ~ connectionPasswordEncryption: {
        - awsKmsKeyId: "alias/aws/glue"
      }
  }
```

If I try to set dataCatalogEncryptionSettings.connectionPasswordEncryption.awsKmsKeyId to "alias/aws/glue", it fails with the following error message:

```
error: aws:glue/dataCatalogEncryptionSettings:DataCatalogEncryptionSettings resource 'enc-settings' has a problem: "data_catalog_encryption_settings.0.connection_password_encryption.0.aws_kms_key_id" (alias/aws/glue) is an invalid ARN: arn: invalid prefix. Examine values at 'enc-settings.dataCatalogEncryptionSettings.connectionPasswordEncryption.awsKmsKeyId'.
```

### Example

```typescript
import * as aws from '@pulumi/aws';

// awsKmsKeyId is intentionally left unset so that the AWS managed key is used.
new aws.glue.DataCatalogEncryptionSettings('enc-settings', {
  dataCatalogEncryptionSettings: {
    connectionPasswordEncryption: {
      returnConnectionPasswordEncrypted: true,
    },
    encryptionAtRest: {
      catalogEncryptionMode: 'DISABLED',
    },
  },
});
```

### Output of `pulumi about`

```
CLI
Version      3.109.0
Go Version   go1.22.1
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.24.1
aws     5.43.0
docker  3.6.1
nodejs  unknown
random  4.16.0
random  4.15.1

Host
OS       darwin
Version  14.0
Arch     arm64

This project is written in nodejs: executable='***/.nvm/versions/node/v18.18.1/bin/node' version='v18.18.1'

Pulumi locates its logs in /var/folders/3g/n5k6n5dn6vl68jp3xgvz44500000gn/T/ by default
warning: Failed to get information about the Pulumi program's dependencies: could not find either ***/pulumi/yarn.lock or ***/pulumi/package-lock.json
```

### Additional context

_No response_

### Contributing

Vote on this issue by adding a 👍 reaction. 
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already). 

ViktorCollin, Mar 13 '24 12:03

Hey @ViktorCollin. Thanks for reporting this to us. My team will have a look as soon as we can.

It would help us if you could write a Pulumi program that we can use to reproduce the bug.

iwahbe, Mar 14 '24 17:03

Hi!

Sorry for my late reply. It turns out that AWS does not support using Amazon managed keys for password encryption. That is the response I got from their support team when struggling with this. The Glue service has no permission to use the AWS managed key called alias/aws/glue, so it ends up in an access denied on the kms:Decrypt request.

Here is all that is needed to reproduce it:

```typescript
import * as aws from '@pulumi/aws';

// Minimal reproduction: no awsKmsKeyId, so AWS reports "alias/aws/glue" back
// and every subsequent update shows a diff on that property.
new aws.glue.DataCatalogEncryptionSettings(
  'glue-catalog-encryption-settings',
  {
    dataCatalogEncryptionSettings: {
      connectionPasswordEncryption: {
        returnConnectionPasswordEncrypted: true,
      },
      encryptionAtRest: {
        catalogEncryptionMode: 'DISABLED',
      },
    },
  }
);
```

ViktorCollin, Apr 04 '24 08:04
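An added audit helper, not code from this thread, Pulumi or AWS: it inspects a Glue `GetDataCatalogEncryptionSettings` response (the field names follow that API; the sample response is constructed) and flags the state the thread ends up in, where connection password encryption is backed by the AWS managed key `alias/aws/glue` that Glue cannot decrypt with. The ARN pattern and the `auditConnectionPasswordKey` name are this example's own assumptions.

```typescript
// Shape of DataCatalogEncryptionSettings as returned by the Glue API.
type CatalogSettings = {
  EncryptionAtRest: { CatalogEncryptionMode: "DISABLED" | "SSE-KMS"; SseAwsKmsKeyId?: string };
  ConnectionPasswordEncryption: { ReturnConnectionPasswordEncrypted: boolean; AwsKmsKeyId?: string };
};

type Finding = { level: "ok" | "warn"; message: string };

// What AWS reports back when no key is configured (the source of the perpetual diff).
const AWS_MANAGED_GLUE_ALIAS = "alias/aws/glue";
// Assumed KMS key/alias ARN form; the provider rejects anything that is not an ARN.
const KMS_ARN = /^arn:aws(-[a-z]+)*:kms:[a-z0-9-]+:\d{12}:(key|alias)\/[A-Za-z0-9_\/-]+$/;

function auditConnectionPasswordKey(s: CatalogSettings): Finding {
  const cpe = s.ConnectionPasswordEncryption;
  if (!cpe.ReturnConnectionPasswordEncrypted) {
    return { level: "warn", message: "connection passwords are returned unencrypted" };
  }
  // An empty key id in the program means AWS falls back to the managed alias.
  const keyId = cpe.AwsKmsKeyId || AWS_MANAGED_GLUE_ALIAS;
  const usesManagedKey =
    keyId === AWS_MANAGED_GLUE_ALIAS || keyId.endsWith(":" + AWS_MANAGED_GLUE_ALIAS);
  if (usesManagedKey) {
    return {
      level: "warn",
      message: `${keyId} is the AWS managed key; Glue is denied kms:Decrypt on it, so connection passwords cannot be read back. Use a customer managed key ARN instead.`,
    };
  }
  if (!KMS_ARN.test(keyId)) {
    return { level: "warn", message: `AwsKmsKeyId "${keyId}" is not a KMS ARN and the provider will reject it` };
  }
  return { level: "ok", message: `connection passwords are encrypted with ${keyId}` };
}

// Constructed sample: the settings the thread's reproduction program produces.
const SAMPLE_FROM_THREAD: CatalogSettings = {
  EncryptionAtRest: { CatalogEncryptionMode: "DISABLED" },
  ConnectionPasswordEncryption: { ReturnConnectionPasswordEncrypted: true, AwsKmsKeyId: "alias/aws/glue" },
};

console.log(auditConnectionPasswordKey(SAMPLE_FROM_THREAD).message);
```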