Tags: amazon-web-services, terraform, terraform-provider-aws

Invalid arn error for terraform code with kms data resource


I have the code below:

data "aws_kms_key" "rds_key" {
  key_id = "alias/rds_cluster_enryption_key"
}

And I want to use this key to encrypt an RDS instance:

resource "aws_rds_cluster" "tf-aws-rds-1" {
  cluster_identifier      = "aurora-cluster-1"
  engine                  = "aurora-mysql"
  engine_version          = "5.7.mysql_aurora.2.03.2"
  availability_zones      = ["us-east-1a", "us-east-1b", "us-east-1c"]
  database_name           = "cupday"
  master_username         = "administrator"
  master_password         = var.password
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  storage_encrypted       = true
  kms_key_id              = "data.aws_kms_key.rds_key.arn"
}

However, I'm getting an error like below:

Error: "kms_key_id" (data.aws_kms_key.rds_key.id) is an invalid ARN: arn: invalid prefix

  on main.tf line 42, in resource "aws_rds_cluster" "tf-aws-rds-1":
  42:   kms_key_id              = "data.aws_kms_key.rds_key.id"

Error: "kms_key_id" (data.aws_kms_key.rds_key.arn) is an invalid ARN: arn: invalid prefix

  on main.tf line 42, in resource "aws_rds_cluster" "tf-aws-rds-1":
  42:   kms_key_id              = "data.aws_kms_key.rds_key.arn"

How on earth should I refer to them?

I do not want to disclose my account ID in kms_key_id.


Solution

  • Your use of:

    kms_key_id              = "data.aws_kms_key.rds_key.arn"
    

    will result in kms_key_id being the literal string "data.aws_kms_key.rds_key.arn".

    It should be either (tf 0.12+):

    kms_key_id              = data.aws_kms_key.rds_key.arn
    

    or for tf 0.11:

    kms_key_id              = "${data.aws_kms_key.rds_key.arn}"
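An added example, not taken from the question, the answer or the provider's source: a small Python checker that mirrors the ARN prefix validation behind the error above (modelled on the AWS SDK's arn.Parse, which is where the "arn: invalid prefix" message originates), showing that the quoted literal is rejected while a placeholder KMS ARN parses, plus a helper that masks the account ID so an ARN can be shared without disclosing it. The ARN value and the extra service check are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample inputs: the literal string from the question, and a
# placeholder KMS key ARN (account ID and key ID are not real).
LITERAL_FROM_QUESTION = "data.aws_kms_key.rds_key.arn"
SAMPLE_KMS_ARN = (
    "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
)


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(value: str) -> Arn:
    """Split an ARN into its fields, applying the same two structural checks
    the AWS SDK's arn.Parse does: the 'arn:' prefix and at least six sections."""
    if not value.startswith("arn:"):
        raise ValueError("arn: invalid prefix")
    parts = value.split(":", 5)
    if len(parts) < 6:
        raise ValueError("arn: not enough sections")
    _, partition, service, region, account, resource = parts
    return Arn(partition, service, region, account, resource)


def kms_key_id_error(value: str) -> Optional[str]:
    """Return the message Terraform would report for kms_key_id, or None if valid.
    The service check is an extra, stricter guard added here; the provider itself
    only validates ARN syntax."""
    try:
        arn = parse_arn(value)
    except ValueError as exc:
        return f'"kms_key_id" ({value}) is an invalid ARN: {exc}'
    if arn.service != "kms":
        return f'"kms_key_id" ({value}) is not a KMS ARN'
    return None


def redact_account(value: str) -> str:
    """Mask the account ID field so an ARN can be pasted into tickets or logs."""
    arn = parse_arn(value)
    return f"arn:{arn.partition}:{arn.service}:{arn.region}:************:{arn.resource}"
```

Running the checker over the quoted literal reproduces the exact error text from the question, which is the quickest way to confirm that a value reached the provider as a plain string rather than as an evaluated reference.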