I can t able to create AWS KMS key using terraform

0 votes

Hi,

I created one IAM user using terraform. Now I have tried to create a KMS key with created user ARN. But whenever I run the terraform code I got error "Error: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future."

Its my terraform code

provider "aws" {

}

resource "aws_kms_key" "my-kms-key" {
  description         = "My KMS Keys for Data Encryption"
  enable_key_rotation = true

  tags = {
    Name = "my-kms-keys"
  }

  policy = <<EOF
{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                      "kms:Create*",
                      "kms:Describe*",
                      "kms:Enable*",
                      "kms:List*",
                      "kms:Put*",
                      "kms:Update*",
                      "kms:Revoke*",
                      "kms:Disable*",
                      "kms:Get*",
                      "kms:Delete*",
                      "kms:ScheduleKeyDeletion",
                      "kms:CancelKeyDeletion"
                  ],
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
EOF
}

resource "aws_kms_alias" "smc-kms-alias" {
  target_key_id = "${aws_kms_key.my-kms-key.key_id}"
  name          = "alias/my-terraform-final-encryption-key"
}
Jul 31, 2020 in Other DevOps Questions by Lakshminarayanan
• 1,370 points
4,320 views

1 answer to this question.

0 votes

Hello @ Lakshminarayanan,

Is that your actual Terraform for the key policy or have you truncated the IAM actions on it? And is the account_id definitely the same as the user that is creating the key? It might help to use the aws_caller_identity data source to force the use of the caller's account ID programatically as well.

answered Aug 3, 2020 by Niroj
• 82,880 points

Related Questions In Other DevOps Questions

0 votes
1 answer

How to get the most recent ebs snapshot using terraform datasource?

It's not available in the latest release ...READ MORE

answered Jul 9, 2018 in Other DevOps Questions by Atul
• 10,240 points
1,697 views
0 votes
1 answer

Copy log files to local machines using Jenkins

Try initializing the variables with values according ...READ MORE

answered May 2, 2018 in Other DevOps Questions by ajs3033
• 7,300 points
1,645 views
0 votes
1 answer

Unable to create BlueMix DevOps services account

Jazzhub is shut now. try https://console.bluemix.net/devops/getting-started. It's ...READ MORE

answered May 28, 2018 in Other DevOps Questions by ajs3033
• 7,300 points
543 views
+1 vote
2 answers

When do we use Chef or Azure SDK to create VM and deploy in automation

The solution to the automated deployment in ...READ MORE

answered Aug 21, 2018 in Other DevOps Questions by Priyaj
• 58,100 points
1,050 views
0 votes
1 answer
+1 vote
2 answers
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP