cloudposse / terraform-aws-mwaa

Terraform module to provision Amazon Managed Workflows for Apache Airflow (MWAA)

Home Page: https://cloudposse.com/accelerate

Error when supplying a value to the kms_key attribute in the mwaa module

Derekma73 opened this issue · comments

Describe the Bug

When attempting to use an aws customer managed key as an input for kms_key attribute (instantiated via cloudposse's kms_key module), the mwaa environment fails to create the environment with the kms_key and instead creates the environment with the default aws/airflow kms key.

Expected Behavior

I would expect the addition of a kms_key parameter to still allow the mwaa module to include this kms key in the mwaa environment upon successful creation.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Run terraform init with a .tf file containing the dynamic subnets, vpc, kms_key, and mwaa modules with the kms_key attribute of mwaa populated
  2. Run terraform apply
  3. Wait for completion
  4. Navigate to Key Management Service (KMS) in the AWS console and note that a KMS key has been produced
  5. Navigate to the MWAA environment in the AWS console and note the key being used in this environment does not match what was produced in KMS

Environment (please complete the following information):

  • OS: Mac 12.5
  • MWAA module version: 0.4.8
  • VPC module version: 1.1.0
  • kms_key module version: 0.12.1
  • dynamic subnet module version: 2.0.0

Anything that will help us triage the bug will help. Here are some ideas:
I suspect that it has something to do with the mwaa role not being able to access the kms key or the default iam role not having the necessary permissions. I'm going to try the steps outlined in this article, because the role created by the mwaa module doesn't have the PutKey policy attached to it, so I figure that's a good place to start.

Additional Context

Though I see that aws/airflow is indeed the AWS managed key being used by the mwaa environment when specifying the kms_key attribute, I don't see this key in the KMS dashboard with the other AWS managed keys. This may change once mwaa is used, though I have not tested this yet. I'm only defining a KMS key so that I can use its output to grant policies to IAM users to use MWAA features, though now I'll either do this in a separate terraform directory or do it in the console.
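The console comparison in steps 4 and 5 can be automated as a post-apply check. The following is an added example, not code from the issue or from the cloudposse module: it compares the `KmsKey` field of the `Environment` object returned by `aws mwaa get-environment` with the key Terraform created. The function names, status strings and sample values are constructed for illustration, and it assumes that a missing `KmsKey` means no customer managed key is set.

```python
import re

# Key id forms: a UUID, or "mrk-" + 32 hex chars for multi-Region keys.
_ID = r"(?:mrk-[0-9a-f]{32}|[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
_KEY_REF = re.compile(rf"^(?:arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{{12}}:key/)?({_ID})$")


def key_id(ref):
    """Return the bare key id from a key ARN or key id, or None (alias, empty, junk)."""
    m = _KEY_REF.match((ref or "").strip().lower())
    return m.group(1) if m else None


def check_mwaa_key(environment, expected_key):
    """Compare the key an MWAA environment reports with the one Terraform created.

    environment  -- the "Environment" object of a GetEnvironment response
    expected_key -- key ARN or key id, e.g. the kms_key module's output
    Returns (status, detail).
    """
    expected = key_id(expected_key)
    if expected is None:
        return "UNRESOLVED", f"expected key {expected_key!r} is not a key id or key ARN"
    actual_ref = environment.get("KmsKey")
    if not actual_ref:
        # Assumption: no KmsKey in the response means no customer managed key is set.
        return "NO_CUSTOMER_KEY", "environment reports no KmsKey"
    actual = key_id(actual_ref)
    if actual is None:
        return "UNRESOLVED", f"environment reports {actual_ref!r}, resolve it to a key id first"
    if actual == expected:
        return "MATCH", actual
    return "MISMATCH", f"expected {expected}, environment uses {actual}"


# Constructed sample data (not from the issue): trimmed GetEnvironment responses.
EXPECTED = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ENV_DEFAULT = {"Name": "example-mwaa", "Status": "AVAILABLE"}
ENV_CMK = {"Name": "example-mwaa", "KmsKey": EXPECTED}
ENV_OTHER = {"Name": "example-mwaa", "KmsKey": "0987dcba-09fe-87dc-65ba-ab0987654321"}

if __name__ == "__main__":
    for env in (ENV_DEFAULT, ENV_CMK, ENV_OTHER):
        print(check_mwaa_key(env, "1234abcd-12ab-34cd-56ef-1234567890ab"))
```

Any status other than `MATCH` after `terraform apply` means the environment is not encrypted with the intended key and should fail the pipeline.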