I can't create an AWS KMS key using Terraform

0 votes

Hi,

I created an IAM user using Terraform. Now I have tried to create a KMS key with the created user's ARN. But whenever I run the Terraform code I get the error "Error: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future."

This is my Terraform code:

provider "aws" {

}

resource "aws_kms_key" "my-kms-key" {
  description         = "My KMS Keys for Data Encryption"
  enable_key_rotation = true

  tags = {
    Name = "my-kms-keys"
  }

  policy = <<EOF
{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                      "kms:Create*",
                      "kms:Describe*",
                      "kms:Enable*",
                      "kms:List*",
                      "kms:Put*",
                      "kms:Update*",
                      "kms:Revoke*",
                      "kms:Disable*",
                      "kms:Get*",
                      "kms:Delete*",
                      "kms:ScheduleKeyDeletion",
                      "kms:CancelKeyDeletion"
                  ],
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
EOF
}

resource "aws_kms_alias" "smc-kms-alias" {
  target_key_id = "${aws_kms_key.my-kms-key.key_id}"
  name          = "alias/my-terraform-final-encryption-key"
}

Jul 31 in Other DevOps Questions by Lakshminarayanan
• 1,000 points
194 views

1 answer to this question.

0 votes

Hello @Lakshminarayanan,

Is that your actual Terraform for the key policy, or have you truncated the IAM actions on it? And is the account_id definitely the same as the user that is creating the key? It might help to use the aws_caller_identity data source to force the use of the caller's account ID programmatically as well.

answered Aug 3 by Niroj
• 58,500 points
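A key policy written along the lines the answer suggests, added here as an example and not part of the original question or answer. It assumes the credentials running `terraform apply` belong to the same account as `var.user_arn`, and uses the aws_caller_identity data source to build the account root principal so the policy never loses a principal that can call kms:PutKeyPolicy.

```hcl
# Added example: account of the credentials running terraform apply
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "my-kms-key" {
  description         = "My KMS Keys for Data Encryption"
  enable_key_rotation = true

  tags = {
    Name = "my-kms-keys"
  }

  # KMS runs a lockout safety check on every new key policy: the principal
  # creating the key must still be able to change the policy afterwards.
  # The first statement satisfies that check by allowing the account root,
  # which delegates key administration to IAM policies in this account,
  # instead of hard-wiring a single user ARN that may not be the caller.
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-consolepolicy-3"
    Statement = [
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Day-to-day use of the key by the user created elsewhere in the module
        Sid       = "Allow use of the key"
        Effect    = "Allow"
        Principal = { AWS = var.user_arn }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey",
        ]
        Resource = "*"
      },
    ]
  })
}
```

The aws_kms_key resource also accepts bypass_policy_lockout_safety_check, but that only silences the error and leaves a key nobody can administer; keeping the root statement is the safe fix.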
