Need clarification on documentation for kms_secret - data.

[derFunk]

Hi there,

this issue is about a clarification of the documentation on https://www.terraform.io/docs/providers/aws/d/kms_secret.html, yet with a aws_db_instance instead of a aws_rds_cluster .

What I assume as a expected behaviour is derived from this document.

Terraform Version

v0.9.0

Affected Data Source

• aws_kms_secret

Affected Resource

• aws_db_instance

Preconditions

$ echo 'master-password' > plaintext-password
$ aws kms encrypt \
> --key-id ab123456-c012-4567-890a-deadbeef123 \
> --plaintext fileb://plaintext-example \
> --encryption-context foo=bar \
> --output text --query CiphertextBlob
AQECAHgaPa0J8 ... MmDBdqP8dPp28OoAQ==

Terraform Configuration Files

data "aws_kms_secret" "db" {
  secret {
    name    = "master_password"
    payload = "AQECAHgaPa0J8 ... MmDBdqP8dPp28OoAQ=="

    context {
      foo = "bar"
    }
  }
}

resource "aws_db_instance" "db" {

   # ...
  identifier = "test"
  storage_encrypted  = "${data.aws_kms_secret.db.master_password}"
  kms_key_id         = "ab123456-c012-4567-890a-deadbeef123"
  storage_encrypted  = true
  # ...

}

Debug Output

* aws_db_instance.db: Error creating DB Instance: InvalidParameterValue:
The parameter MasterUserPassword is not a valid password.
Only printable ASCII characters besides '/', '@', '"', ' ' may be used.

Expected Behavior

The RDS instance should be initialized with the decrypted password master-password.

Actual Behavior

The database is initialized with the encrypted password, which fails.

Steps to Reproduce

1. terraform apply

Important Factoids

• The key ab123456-c012-4567-890a-deadbeef123 is a valid KMS key in my test case (of course mine has another ID).

References

• Docs: https://www.terraform.io/docs/providers/aws/d/kms_secret.html

• provider/aws: New data provider to decrypt KMS secrets #7886

• provider/aws: New data provider to decrypt KMS secrets #11460

• Question in the Terraform Google Group: https://groups.google.com/forum/#!searchin/terraform-tool/kms$20encrypt%7Csort:relevance/terraform-tool/e1dhAcOsOyA/R1U996WhBgAJ

[mike-zenith]

Hi @mitchellh ,

I also had issues with understanding that part of the documentation.
Look up data source aws_db_instance.kms_key_id - If StorageEncrypted is true, the KMS key identifier for the encrypted DB instance.
(https://www.terraform.io/docs/providers/aws/d/db_instance.html)

Same is on resource side.
With kms_key_id you can set up storage device encryption. This is an AWS feature to make sure no one can read your "raw" db from disk. It is not about master password.
You can read more about this on aws' site.
I usually read the golang source of that resource to check how the aws api is being called to figure out the actually meaning of an attribute.

Your resource should be up after you set up master_password . In your case, it should be ${data.aws_kms_secret.db.master_password} .
Just a note, few versions before, this password was shown up in your state file so it was not safe to use for me. I use provisioner script which changes the password to a random one, encrypts it against a KMS key and puts the password to an output variable.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.