Error for bypass_policy_lockout_safety_check when applying aws_kms_key

[jniebuhr]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.3
AWS Provider 3.49 / 3.53

Affected Resource(s)

• aws_kms_key

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_kms_key" "some_key" {
  key_usage                          = "ENCRYPT_DECRYPT"
  is_enabled                         = true
  enable_key_rotation                = true
  bypass_policy_lockout_safety_check = false
  deletion_window_in_days            = 7
  tags                               = local.tags

  policy = jsonencode({...})
}

Expected Behavior

The terraform apply command should run through as usual.

Actual Behavior

Up until last friday (2021-08-06) everything was working fine, since then terraform fails with an error.
We've tried updating the provider to 3.53 and also explicitly setting bypass_policy_lockout_safety_check.

The apply finishes but logs an error at the end:

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ aws_kms_key.some_key
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for
│ .bypass_policy_lockout_safety_check: was cty.False, but now null.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Steps to Reproduce

1. Add a aws_kms_key resource like above
2. terraform apply

Important Factoids

Region: eu-central-1

References

• r/aws_kms_key: Support policy lockout check bypass #18117

[jniebuhr]

We found a workaround for this issue. The issue seems to be that the existing state is incompatible with the output of the AWS API. In order to fix it, you can use terraform state rm <path-to-resource> to delete the resource from the state and then terraform import <path-to-resource> <resource-id> to import it again (with the new value)

[varsanojidan]

Started seeing these issues too

[aburgel]

this is still occurring and the workaround above of removing and reimporting no longer works. with version 1.5.2 it imports with bypass_policy_lockout_safety_check set to null, despite the default value being false.

it would be great to get this fixed. but in the meantime, setting the value to false is another workaround.