
Error: Invalid count argument (The "count" value depends...) with s3-archive module when using optional KMS key #87

Open
HansBraun opened this issue Sep 8, 2023 · 4 comments

Comments

@HansBraun

I am following the instructions on https://coralogix.com/docs/archive-s3-bucket-forever/ in order to configure the s3-archive . So I try to create the s3 archive buckets via terraform and I want to use a KMS key to encrypt them. But during terraform plan I ran into the following problem:

 Error: Invalid count argument
│ 
│   on .terraform/modules/s3-archive/modules/provisioning/s3-archive/main.tf line 60, in resource "aws_s3_bucket_server_side_encryption_configuration" "logs_encryption":
│   60:   count  = local.kms_logs_validation ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that
│ the count depends on.

My terraform configuration looks like:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.6"
    }
  }
  required_version = "1.5.4"
}

provider "aws" {
  region = "eu-central-1"
  assume_role {
    role_arn = "arn:aws:iam::${local.aws_account_id}:role/terraform-master-role"
  }
}

module "s3-archive" {
  source  = "coralogix/aws/coralogix//modules/provisioning/s3-archive"
  version = "1.0.56"

  bypass_valid_region  = "eu-central-1"
  custom_coralogix_arn = local.cx_custom_coralogix_arn
  logs_bucket_name     = "random-bucket-637467832639478l"
  logs_kms_arn         = aws_kms_key.cx_bucket_key.arn
  metrics_bucket_name  = "random-bucket-637467832639478m"
  metrics_kms_arn      = aws_kms_key.cx_bucket_key.arn

  #depends_on = [aws_kms_key.cx_bucket_key]
}

resource "aws_kms_key" "cx_bucket_key" {
  description              = "This key is used to encrypt bucket objects"
  deletion_window_in_days  = 30
  enable_key_rotation      = true
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  policy                   = data.aws_iam_policy_document.cx_kms.json
}

resource "aws_kms_alias" "cx_bucket_key-alias" {
  name          = "alias/coralogix-key"
  target_key_id = aws_kms_key.cx_bucket_key.id
}

data "aws_iam_policy_document" "cx_kms" {
  statement {
    sid    = "coralogix-account"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.cx_custom_coralogix_arn}:root"]
    }
  }
  statement {
    sid = "own-account"
    actions = [
      "kms:*"
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.aws_account_id}:root"]
    }
  }
}

The value for the local variable cx_custom_coralogix_arn is "625240141681" and aws_account_id is my own AWS account id.

@MichaelBriggs-Coralogix
Contributor

@HansBraun The issue you're running into here is that the s3-archive module needs to use the actual ARN of your kms key to do some logic, and because the ARN doesn't exist as you're creating the KMS within the TF, it's providing you this error.
As you can see here, https://github.com/coralogix/terraform-coralogix-aws/blob/master/modules/provisioning/s3-archive/main.tf#L9, we're splitting the ARN to validate that it's in the correct region.
You'll need to pass in an actual ARN to the s3-archive module, not just a reference to an object being created within the TF plan.

@HansBraun
Author

@MichaelBriggs-Coralogix Thank you for your response. Yes, I can confirm that after I use terraform apply --target for the kms related resources the error is gone. But since terraform is a declarative language this can't be the solution you intended, can it?
Imho the solution would be to create the kms key and policy within the module.

@MichaelBriggs-Coralogix
Contributor

MichaelBriggs-Coralogix commented Sep 8, 2023

@HansBraun I have seen reservations to creating KMS resources within our modules as there are so many different variables and options for KMS that we'd have a hard time managing that element to meet our customer expectations. As such, it is expected that you provide an existing KMS, configured exactly how you like it, during deployment of our module. I will certainly take this feedback to the team and see if they have any additional thoughts on the topic.

@MichaelBriggs-Coralogix
Contributor

@HansBraun
As KMS has many configuration options available, we do not intend to add the creation of the KMS to our TF module. A premade KMS, to your exact requirements, will need to be provided as a resource during the deployment. If you need to create it within the same TF plan, then you'll pass it in as a resource, the way you did, and use that flag to prevent the error.
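An added example (my own, not the Coralogix module's or the reporter's code) contrasting the count pattern behind the error in this issue with a plan-safe variant that gates the encryption resource on an explicit boolean and moves the ARN region check into a precondition; `enable_kms_encryption`, `region` and the `aws_s3_bucket.logs` resource are assumed names, not the module's actual flag.

```hcl
# Added example, not the Coralogix module's own code. The variable names
# enable_kms_encryption and region and the bucket resource are assumptions.

variable "region"       { default = "eu-central-1" }
variable "logs_kms_arn" { default = "" }

# Pattern that reproduces "Invalid count argument": when logs_kms_arn is a
# reference to an aws_kms_key created in the same plan, the ARN is unknown
# at plan time, split() over it is unknown, and a count derived from this
# local cannot be resolved. try() keeps the empty-string default from
# raising an index error.
locals {
  kms_logs_validation = try(split(":", var.logs_kms_arn)[3], "") == var.region
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs-bucket" # constructed sample name
}

# Plan-safe pattern: count depends only on a literal bool the caller sets,
# so it is known at plan time even when the key is created in the same run.
variable "enable_kms_encryption" {
  type    = bool
  default = false
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs_encryption" {
  count  = var.enable_kms_encryption ? 1 : 0
  bucket = aws_s3_bucket.logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = var.logs_kms_arn
    }
  }

  # The region check lives here instead of in count. Terraform evaluates a
  # precondition during plan when its inputs are known and defers it to
  # apply when they are not, so a not-yet-created key no longer breaks
  # planning, and a key from the wrong region still fails before the bucket
  # is left encrypted with an unusable key.
  lifecycle {
    precondition {
      condition     = try(split(":", var.logs_kms_arn)[3], "") == var.region
      error_message = "logs_kms_arn must reference a KMS key in the bucket's region."
    }
  }
}
```

With this shape the reporter's configuration needs no `-target` pass: the boolean is known at plan time and the ARN is only inspected once the key exists.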
