使用 Terraform for AWS 时出现错误："The new key policy will not allow you to update the key policy in the future."

Question

运行 terraform for creatind AWS KMS 中的关键策略我收到错误：

aws_kms_key.dyn_logs_server_side_cmk: MalformedPolicyDocumentException: 新的密钥策略将不允许您在未来更新密钥策略。状态码：400，请求id：e34567896780780

关于这个问题的帖子很多，但都没有帮助。所以，我的 kms.tf 文件如下：

provider "aws" {
    access_key = "${var.aws_access_key}"
    secret_key = "${var.aws_secret_key}"
    region     = "${var.aws_region}"
} 
resource "aws_kms_key" "dyn_logs_server_side_cmk" {
    description = "dyn-logs-sse-cmk-${var.environment}"
    enable_key_rotation = "true"
    policy = <<EOF
{
    "Version":"2015-11-17",
    "Statement":[
    {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::${var.account_id}:root"},
        "Action": "kms:*",
        "Resource": "*"
    }
    ]
    }EOF
}

这就是我在

之后的输出中看到的内容

地形应用"dyn-vpc.plan"

aws_kms_key.dyn_logs_server_side_cmk: Creating...
arn:                 "" => "<computed>"
description:         "" => "dyn-logs-server-dyn"
enable_key_rotation: "" => "true"
is_enabled:          "" => "true"
key_id:              "" => "<computed>"
key_usage:           "" => "<computed>"
policy:              "" => "{\n   \"Version\":\"2015-11-17\",\n   \"Statement\":[\n      {\n         \"Sid\": \"Enable IAM User Permissions\",\n         \"Effect\": \"Allow\",\n         
\"Principal\": {\"AWS\": \"arn:aws:iam::12345678901234:root\"},\n         \"Action\": \"kms:*\",\n         \"Resource\": \"*\"\n      }\n   ]\n}\n"

aws_kms_key.dyn_logs_server_side_cmk: Still creating... (10s elapsed)
aws_kms_key.dyn_logs_server_side_cmk: Still creating... (20s elapsed)
Error applying plan:
1 error(s) occurred:
* aws_kms_key.dyn_logs_server_side_cmk: 1 error(s) occurred:
* aws_kms_key.dyn_logs_server_side_cmk:
MalformedPolicyDocumentException: The new key policy will not allow
you to update the key policy in the future.

Answer 1

基本上，@ydaetskcoR 的评论是正确的。策略中的 account_id 不正确，这导致了错误。 MalformedPolicyDocumentException 并不能真正提供信息，需要找到真正的原因

Answer 2

在我的例子中，帐户 ID 是正确的，但创建密钥的用户未包含在 Enable IAM User Permissions 语句中。我不得不这样做

resource "aws_kms_key" "dyn_logs_server_side_cmk" {
    description = "dyn-logs-sse-cmk-${var.environment}"
    enable_key_rotation = "true"
    policy = <<EOF
{
    "Version":"2015-11-17",
    "Statement":[
    {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                 "arn:aws:iam::${var.account_id}:root",
                 "arn:aws:iam::${var.account_id}:user/system/terraform-user" 
             ]
        },
        "Action": "kms:*",
        "Resource": "*"
    }
    ]
    }EOF
}

使用 Terraform for AWS 时出现错误："The new key policy will not allow you to update the key policy in the future."

Getting the error in using Terraform for AWS: "The new key policy will not allow you to update the key policy in the future."

amazon-web-services

terraform

aws-kms