Error when supplying a value to the kms_key attribute in the mwaa module
Derekma73 opened this issue
Describe the Bug
When attempting to use an AWS customer managed key as an input for the kms_key attribute (instantiated via cloudposse's kms_key module), the MWAA environment fails to create the environment with the kms_key and instead creates the environment with the default aws/airflow KMS key.
Expected Behavior
I would expect the addition of a kms_key parameter to still allow the mwaa module to include this KMS key in the MWAA environment upon successful creation.
Steps to Reproduce
Steps to reproduce the behavior:
- Run terraform init with a .tf file containing the dynamic subnets, vpc, kms_key, and mwaa modules with the kms_key attribute of mwaa populated
- Run terraform apply
- Wait for completion
- Navigate to Key Management Service (KMS) in the AWS console and note that a KMS key has been produced
- Navigate to the MWAA environment in the AWS console and note the key being used in this environment does not match what was produced in KMS
Environment (please complete the following information):
- OS: Mac 12.5
- MWAA module version: 0.4.8
- VPC module version: 1.1.0
- kms_key module version: 0.12.1
- dynamic subnet module version: 2.0.0
I suspect that it has something to do with the MWAA role not being able to access the KMS key or the default IAM role not having the necessary permissions. I'm going to try the steps outlined in this article, because the role created by the mwaa module doesn't have the PutKey policy attached to it, so I figure that's a good place to start.
Additional Context
Though I see that aws/airflow is indeed the AWS managed key being used by the MWAA environment when specifying the kms_key attribute, I don't see this key in the KMS dashboard with the other AWS managed keys. This may change once MWAA is used, though I have not tested this yet. I'm only defining a KMS key so that I can use its output to grant policies to IAM users to use MWAA features, though now I'll either do this in a separate Terraform directory or do it in the console.
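
The console comparison in the last two reproduction steps can be scripted so that a silent fallback to the default key is caught right after `terraform apply`. This is an added example, not part of the original issue or of the module. The environment name and key values passed in are placeholders, and it assumes a configured AWS CLI and that an environment without a customer managed key reports no `KmsKey` (which the CLI prints as `None` in text output).

```shell
#!/usr/bin/env bash
# Added example: check which KMS key an MWAA environment actually reports.
# Assumption: an environment on the default key has no Environment.KmsKey value.

# key_id_of ARN_OR_ID: reduce a key ARN to its bare key id so that an ARN and
# a key id naming the same key compare equal. Other forms pass through as-is.
key_id_of() {
  printf '%s\n' "${1##*:key/}"
}

# check_mwaa_kms ENV_NAME EXPECTED_KEY
# Returns 0 = environment uses the expected key
#         1 = environment uses a different customer managed key
#         2 = environment reports no customer managed key (default key in use)
#         3 = the AWS CLI call itself failed
check_mwaa_kms() {
  cmk_env=$1
  cmk_expected=$2
  cmk_actual=$(aws mwaa get-environment --name "$cmk_env" \
                 --query 'Environment.KmsKey' --output text) || return 3

  # With --output text the CLI prints "None" for a missing/null field.
  if [ -z "$cmk_actual" ] || [ "$cmk_actual" = "None" ]; then
    echo "MISSING: $cmk_env reports no customer managed key" >&2
    return 2
  fi

  if [ "$(key_id_of "$cmk_actual")" = "$(key_id_of "$cmk_expected")" ]; then
    echo "OK: $cmk_env is encrypted with $cmk_actual"
    return 0
  fi

  echo "MISMATCH: $cmk_env uses $cmk_actual, expected $cmk_expected" >&2
  return 1
}

# Run directly as: ./check_mwaa_kms.sh <environment-name> <key-arn-or-id>
if [ "$#" -eq 2 ]; then
  check_mwaa_kms "$1" "$2"
fi
```

The expected key can be taken from the kms_key module's output in the same Terraform configuration, so the check runs as a post-apply step.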