aws_imagebuilder_image_recipe ebs kms_key_id should allow KMS Key Aliases #16742

Closed
iancward opened this issue Dec 13, 2020 · 4 comments
Labels
service/imagebuilder Issues and PRs that pertain to the imagebuilder service.

Comments

@iancward
Contributor

Terraform CLI and Terraform AWS Provider Version

Terraform v0.12.29

  • provider.aws v3.21.0
  • provider.random v3.0.0

Affected Resource(s)

  • aws_imagebuilder_image_recipe

Terraform Configuration Files

resource "aws_imagebuilder_image_recipe" "main" {
  description  = "Image Builder Recipe"
  name         = "test1"
  parent_image = "arn:aws:imagebuilder:us-west-2:aws:image/windows-server-2019-english-core-base-x86/x.x.x"
  version      = "1.0.0"

  # root disk
  block_device_mapping {
    device_name = "/dev/sda1"

    ebs {
      delete_on_termination = true
      encrypted             = true
      kms_key_id            = "alias/aws/ebs"
      volume_size           = 40
      volume_type           = "gp2"
    }
  }

  component {
    component_arn = "arn:aws:imagebuilder:us-west-2:aws:component/update-windows/x.x.x"
  }
}

Expected Behavior

I would expect Terraform to attempt creation of the Image Builder Pipeline. Based on my previous experience managing Image Builder resources with CloudFormation, the API will accept KMS Key Aliases as well as KMS Key ARNs.

Actual Behavior

I received an error stating that the provided value (alias/aws/kms) was not a valid ARN.

Error: "block_device_mapping.0.ebs.0.kms_key_id" (alias/aws/ebs) is an invalid ARN: arn: invalid prefix

  on main.tf line 30, in resource "aws_imagebuilder_image_recipe" "main":
  30: resource "aws_imagebuilder_image_recipe" "main" {

Steps to Reproduce

  1. terraform apply

Important Factoids

The AWS API documentation makes no mention of a specific KMS Key ARN requirement, only that the provided value should be between 1 and 1024 characters (inclusive).

@gdavison
Contributor

Hi @iancward. kms_key_id takes the full ARN of the KMS key or key alias.

The easiest way to look this up is to use the data source aws_kms_alias

data "aws_kms_alias" "ebs" {
  name = "alias/aws/ebs"
}

and access the ARN using data.aws_kms_alias.ebs.arn.

I'm going to close this issue. If this does not resolve the problem, please open a new issue.

@iancward
Contributor Author

Hi @gdavison the issue I reported is that, while kms_key_id in this resource should accept Key alias, it doesn't; it only allows ARN.
Note in the code that it calls validateArn.

Instead, it should use the criteria specified in the AWS API, which is string length between 1-1024 characters. Compare with kms_key_id on aws_imagebuilder_component, which does use the correct validation.
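
The two validation behaviours contrasted in the comment above, as an added example (not the provider's code and not part of the thread): `arnOnly` is a simplified stand-in for an ARN-only check, `lengthOnly` applies the 1 to 1024 character constraint quoted in the issue, and `classify` is a hypothetical helper that names which KMS identifier form a value uses. The patterns and the sample value are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed patterns (not the provider's); multi-Region "mrk-" key IDs are not covered.
var keyIDRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
var aliasRe = regexp.MustCompile(`^alias/[a-zA-Z0-9/_-]+$`)

// arnOnly is a simplified stand-in for an ARN-only validator: "arn:" prefix, six sections.
func arnOnly(v string) error {
	if !strings.HasPrefix(v, "arn:") || len(strings.SplitN(v, ":", 6)) != 6 {
		return fmt.Errorf("(%s) is an invalid ARN", v)
	}
	return nil
}

// lengthOnly applies the constraint quoted in the issue: 1 to 1024 characters.
func lengthOnly(v string) error {
	if n := len(v); n < 1 || n > 1024 {
		return fmt.Errorf("expected length between 1 and 1024, got %d", n)
	}
	return nil
}

// classify names the KMS identifier form: key ID, alias name, key ARN or alias ARN.
func classify(v string) string {
	p := strings.SplitN(v, ":", 6)
	isKMSARN := len(p) == 6 && p[0] == "arn" && p[2] == "kms"
	switch {
	case keyIDRe.MatchString(v):
		return "key-id"
	case aliasRe.MatchString(v):
		return "alias-name"
	case isKMSARN && strings.HasPrefix(p[5], "key/") && keyIDRe.MatchString(p[5][4:]):
		return "key-arn"
	case isKMSARN && aliasRe.MatchString(p[5]):
		return "alias-arn"
	}
	return "unknown"
}

func main() { // constructed sample value, the one used in the issue's configuration
	v := "alias/aws/ebs"
	fmt.Println(classify(v), arnOnly(v), lengthOnly(v))
}
```

A plan-time check that wants to keep strictness without rejecting aliases can accept any value `classify` recognises instead of requiring the ARN form.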

@iancward
Contributor Author

Opened (effectively duplicate) issue #16757, as requested, and provided the information from my comment above, pinpointing the specific line of code where the bug exists and contrasting it with a property in a similar resource which uses the correct validation.

@ghost
ghost commented Jan 14, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Jan 14, 2021