Error: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future.

+2 votes
Hi,

I have created a Terraform template to create a KMS key on AWS Cloud. But when I try to run this template, I get the error "Error: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future.". I have attached my Terraform template. Where am I wrong? Why doesn't it allow me to create a KMS key on AWS Cloud?

provider "aws" {
  version = "~> 2.0"
  region = "us-west-2"
}

resource "aws_kms_key" "my-kms-key" {
  description         = "My KMS Keys for Data Encryption"
  enable_key_rotation = true

  tags = {
    Name = "my-kms-keys"
  }

  policy = <<EOF
{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${var.user_arn}"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
EOF
}

resource "aws_kms_alias" "smc-kms-alias" {
  target_key_id = "${aws_kms_key.my-kms-key.key_id}"
  name          = "alias/my-terraform-final-encryption-key"
}
Aug 10 in Terraform by Lakshminarayanan
• 1,000 points
184 views

1 answer to this question.

0 votes

Hi,

I think there is a problem with aws_kms_key and iam_role. aws_kms_key depends on iam_role, so start your troubleshooting by checking iam_user. Also, when you create your aws_kms_key, add the depends_on keyword.

answered Aug 10 by MD
• 56,480 points
I think so, bro. Many thanks, I will do the same.
