terraform-provider-awsamazon-kmsamazon-workspaces

terraform and kms key aliases

I am using the aws provider and trying to create an aws_workspaces_workspace with encrypted volumes.

I created an aws_kms_key with an associated alias (aws_kms_alias).

I specified the key alias (as a string) for volume_encryption_key. The resource is created as expected and I can verify in the console that the volumes are encrypted with the specified key.

My issue is that every time I re-run terraform apply, terraform reports that the aws_workspaces_workspace needs to be replaced because of an update in the key value (from a key id to the alias)

How can I prevent this form happening? Is this a bug? Am I doing something incorrectly? Some of the relevant code is below.

resource "aws_workspaces_workspace" "workspace" {
    directory_id = aws_workspaces_directory.ws-ad.id
    bundle_id    = var.bundle_id
    user_name    = var.username

    root_volume_encryption_enabled = true
    user_volume_encryption_enabled = true
    volume_encryption_key          = "alias/workspace-volume"

    workspace_properties {
        compute_type_name                         = "POWER"
        user_volume_size_gib                      = 80
        root_volume_size_gib                      = 50
        running_mode                              = "AUTO_STOP"
        running_mode_auto_stop_timeout_in_minutes = 60
    }
}

resource "aws_kms_key" "kms-ws-volume" {
    description             = "Workspace Volume Encryption Key"
    key_usage               = "ENCRYPT_DECRYPT"
    deletion_window_in_days = 30
    is_enabled              = true
}

resource "aws_kms_alias" "kms-ws-volume-alias" {
    name          = "alias/workspace-volume"
    target_key_id = aws_kms_key.kms-ws-volume.key_id
}

Here's what terraform apply reports:

  # aws_workspaces_workspace.workspace["1"] must be replaced
-/+ resource "aws_workspaces_workspace" "workspace" {
      ~ computer_name                  = "WSAMZN-T34E23BK" -> (known after apply)
      ~ id                             = "ws-v98b0y17z" -> (known after apply)
      ~ ip_address                     = "10.0.0.45" -> (known after apply)
      ~ state                          = "STOPPED" -> (known after apply)
        tags                           = {
            "Name"    = "workspace-user1-env1"
            "Owner"   = "mario"
            "Profile" = "dev"
            "Stack"   = "env1"
        }
      ~ volume_encryption_key          = "arn:aws:kms:us-west-2:927743275319:key/09de3db9-ecdd-4be1-a781-705fdd0294f9" -> "alias/workspace-volume" # forces replacement
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }
Solution

  • Use the ARN of the key: aws_kms_key.kms-ws-volume.arn

    volume_encryption_key is storing the ARN of the key, and therefore the plan detects a change.

    The example on https://registry.terraform.io/providers/hcavarsan/aws/latest/docs/resources/workspaces_workspace might be misleading in this regard, despite an alias will also work.

    Something similar happens with kms_key_id of aws_instance, in that it stores the ARN and not the key_id , and the plan always requires a volume replacement when using key_id instead of ARN. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id