[Bug]: aws_dms_s3_endpoint is getting recreated for every run #32514

Open
Yogesh-BK opened this issue Jul 14, 2023 · 7 comments
Labels
bug Addresses a defect in current functionality. service/dms Issues and PRs that pertain to the dms service.

Yogesh-BK commented Jul 14, 2023

Terraform Core Version

1.4.5

AWS Provider Version

5.6.2

Affected Resource(s)

aws_dms_s3_endpoint is getting destroyed and recreated on every run when I attach the kms_key_arn parameter with a valid KMS key ARN

resource "aws_dms_s3_endpoint" "example" {
  kms_key_arn = {KMS_KEY_ARN}
}

The above resource is getting destroyed and recreated on every run, but when I have kms_key_arn as null as below, it is working as expected.

resource "aws_dms_s3_endpoint" "example" {
  kms_key_arn = null
}

Expected Behavior

The resource should be recreated only if there is a change in the value provided to the kms_key_arn parameter, otherwise it should not delete and re-create the resource.

Actual Behavior

The resource is getting destroyed and re-created every time irrespective of whether there is a change or not in the value provided to the kms_key_arn parameter.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

main.tf

resource "aws_s3_bucket" "example" {
  bucket = "bucket_name"

  tags = {
    Name        = "bucket_name"
    Environment = "Dev"
  }
}

data "aws_iam_policy_document" "instance_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["dms.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "example" {
  name                = "instance_role"
  path                = "/system/"
  assume_role_policy  = data.aws_iam_policy_document.instance_assume_role_policy.json
  managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]
}

resource "aws_kms_key" "example" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
}

resource "aws_dms_s3_endpoint" "example" {
  endpoint_id             = "donnedtipi"
  endpoint_type           = "target"
  bucket_name             = "bucket_name"
  service_access_role_arn = aws_iam_role.example.arn
  kms_key_arn             = aws_kms_key.example.arn
}

terraform.tf

terraform {
  required_version = ">= 1.4.5"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.6.2"
    }
  }
}

Steps to Reproduce

  • Connect with AWS
  • Run terraform plan to see the plan
  • Run terraform apply to create the resources
  • Rerun terraform apply (we can see the endpoint getting destroyed and created once again)

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@Yogesh-BK Yogesh-BK added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Jul 14, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/dms Issues and PRs that pertain to the dms service. service/iam Issues and PRs that pertain to the iam service. service/kms Issues and PRs that pertain to the kms service. service/s3 Issues and PRs that pertain to the s3 service. labels Jul 14, 2023
@justinretzolk
Member

Hey @Yogesh-BK 👋 Thank you for taking the time to raise this! So that we have the necessary information in order to look into this, can you supply debug logs (redacted as needed) as well?

@justinretzolk justinretzolk added waiting-response Maintainers are waiting on response from community or contributor. and removed service/iam Issues and PRs that pertain to the iam service. service/s3 Issues and PRs that pertain to the s3 service. service/kms Issues and PRs that pertain to the kms service. needs-triage Waiting for first response or review from a maintainer. labels Jul 14, 2023
@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 14, 2023
@Yogesh-BK
Author

Yogesh-BK commented Jul 17, 2023

image

But, I'm not changing the kms_key_arn, it is the same value for all the runs

@jeremychauvet
Contributor

Hello @Yogesh-BK 👋🏼
You are facing this issue because both EncryptionMode and ServerSideEncryptionKmsKeyId are not set as endpoint settings (checked in the console). That explains why Terraform shows a drift.
I'm working on it 👍🏼

@jeremychauvet
Contributor

@justinretzolk I've seen the following in my logs, and I want to have your opinion:

2023-07-29T11:07:00.776+0200 [WARN]  Provider "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected new value for aws_dms_s3_endpoint.example, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .kms_key_arn: was cty.StringVal("arn:aws:kms:eu-north-1:112233445566:key/a1ae40f6-91k-45e0-b4a9-fop54118z30c"), but now cty.StringVal("")

I guess this is the root cause of this issue 😄

@justinretzolk
Member

Hey @jeremychauvet 👋 Thanks for taking some time to work on that! Are you able to supply full debug logs (redacted as needed), so that we can see everything that leads up to that point as well?

@justinretzolk justinretzolk added the waiting-response Maintainers are waiting on response from community or contributor. label Aug 3, 2023
@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Aug 3, 2023
@pvassiliev

DMS S3Settings are missing KmsKeyArn. I opened a bug with aws-sdk-go-v2 [https://github.com/aws/aws-sdk-go-v2/issues/2908]. That's probably why it's not being set in dms/s3_endpoint.go.
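
A check for the drift pattern reported in this thread, as an added example that is not part of the issue or the provider's code: it reads `terraform show -json` plan output and flags replacements forced by `kms_key_arn` being empty in state while set in configuration. The sample plan is constructed, and the function name is hypothetical.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields this check reads. The ARN is a placeholder.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_dms_s3_endpoint.example",
     "change": {
         "actions": ["delete", "create"],
         "before": {"endpoint_id": "donnedtipi", "kms_key_arn": ""},
         "after": {"endpoint_id": "donnedtipi",
                   "kms_key_arn": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"},
         "replace_paths": [["kms_key_arn"]]}},
    {"address": "aws_kms_key.example",
     "change": {"actions": ["no-op"], "before": {}, "after": {}}},
]})


def find_lost_attribute_replacements(plan_json, watched=("kms_key_arn",)):
    """Return one finding per resource that is planned for replacement
    because a watched attribute is empty in state but set in configuration."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" not in actions or "create" not in actions:
            continue  # update, no-op or plain create: not a replacement
        before = change.get("before") or {}
        after = change.get("after") or {}
        for path in change.get("replace_paths", []):
            attr = path[0] if path else None
            # Empty in state + non-empty in config = the value did not
            # survive the provider's read-back of the real resource.
            if attr in watched and not before.get(attr) and after.get(attr):
                findings.append({"address": rc["address"],
                                 "attribute": attr,
                                 "state_value": before.get(attr),
                                 "configured": after.get(attr)})
    return findings


if __name__ == "__main__":
    for f in find_lost_attribute_replacements(SAMPLE_PLAN):
        print(f"{f['address']}: {f['attribute']} is empty in state but set in "
              "configuration; confirm the key is applied to the endpoint")
```

Run against a plan taken after a successful apply, a finding means the configured key was not read back from the endpoint, so the endpoint's encryption settings should be checked directly.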
