
Cannot replicate multi-region key due to missing permission #22

Closed
1 task done
kstevensonnv opened this issue Aug 29, 2023 · 2 comments · Fixed by #24
Comments

@kstevensonnv

kstevensonnv commented Aug 29, 2023

Description

When creating a multi-region key, the 'key_administrators' IAM policy does not provide the 'kms:ReplicateKey' permission and replication fails with an access denied error.

The comment above the IAM policy for 'key_administrators' points to AWS KMS docs - Default key policy (key administrators) and states:

AWS KMS adds the following permissions to the default key administrators statement when you create special-purpose keys.

kms:ReplicateKey
    The kms:ReplicateKey permission allows key administrators to create a replica of a multi-Region primary key in a different AWS Region. This permission is included in the key policy only when you create a multi-Region primary or replica key.

kms:UpdatePrimaryRegion
    The kms:UpdatePrimaryRegion permission allows key administrators to change a multi-Region replica key to a multi-Region primary key. This permission is included in the key policy only when you create a multi-Region primary or replica key.

This doesn't happen when creating it via Terraform.
Both permissions should be added to the policy.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 1.5.0

  • Terraform version: 1.5.5

  • Provider version(s):

.
├── provider[registry.terraform.io/hashicorp/helm] ~> 2.10.1
├── provider[registry.terraform.io/hashicorp/kubernetes] ~> 2.23.0
├── provider[registry.terraform.io/hashicorp/random] ~> 3.5.1
├── provider[registry.terraform.io/hashicorp/aws] ~> 5.12.0
├── module.cluster_secrets_kms_primary
│ └── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0
└── module.cluster_secrets_kms_replica
└── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0

Reproduction Code [Required]

Steps to reproduce the behavior:

provider "aws" {
  region   = "eu-west-1"
  profile  = "profile"
}

provider "aws" {
  alias    = "replica"
  region   = "eu-west-2"
  profile  = "profile"
}

data "aws_caller_identity" "current" {}

module "kms_primary" {
  source  = "terraform-aws-modules/kms/aws"

  description             = "Primary"
  key_usage               = "ENCRYPT_DECRYPT"
  deletion_window_in_days = 7
  enable_key_rotation     = true

  multi_region = true

  enable_default_policy = false
  key_administrators    = [data.aws_caller_identity.current.arn]
  key_users             = [data.aws_caller_identity.current.arn]
}

module "kms_replica" {
  source  = "terraform-aws-modules/kms/aws"

  providers = {
    aws = aws.replica
  }

  description             = "Replica"
  key_usage               = "ENCRYPT_DECRYPT"
  deletion_window_in_days = 7
  enable_key_rotation     = false

  create_replica  = true
  primary_key_arn = module.kms_primary.key_arn

  enable_default_policy = false
  key_administrators    = [data.aws_caller_identity.current.arn]
  key_users             = [data.aws_caller_identity.current.arn]
}

Expected behavior

The key is replicated in another region.

Actual behavior

Access denied error:

Error: creating KMS Replica Key: AccessDeniedException: User: arn:aws:sts::account:assumed-role/role/session_id is not authorized to perform: kms:ReplicateKey on resource: arn:aws:kms:region:account:key/mrk-key because no resource-based policy allows the kms:ReplicateKey action
status code: 400, request id: id
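The error above is a resource-based policy failure: KMS only honours the key policy, so the administrator statement the module writes has to grant kms:ReplicateKey itself. The following Python is an added example (not code from the issue or from the terraform-aws-modules/kms project) that evaluates a key policy document the way the failing call does: it checks whether a given principal ARN is allowed a KMS action by any Allow statement, honouring IAM's case-insensitive action wildcards, and then lists which of the two multi-Region administrator actions are missing. The sample policy is constructed to resemble a key_administrators statement built with the AWS default administrator action list; the statement Sid "KeyAdministration" and the account/role ARNs are assumptions. Conditions and Resource elements are ignored, which is fine for key policies (Resource is "*") but makes the Deny handling conservative.

```python
import fnmatch
import json

# Constructed sample: a key policy of the shape produced with
# enable_default_policy = false and key_administrators set. The account id,
# role name and Sid are placeholders, not values from the issue.
SAMPLE_ADMIN_ARN = "arn:aws:iam::111111111111:role/kms-admin"
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KeyAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": SAMPLE_ADMIN_ARN},
            # AWS default key-administrator action list; note that the
            # wildcards cover kms:UpdatePrimaryRegion but not kms:ReplicateKey.
            "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:TagResource",
                "kms:UntagResource", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
            ],
            "Resource": "*",
        },
        {
            "Sid": "KeyUsage",
            "Effect": "Allow",
            "Principal": {"AWS": [SAMPLE_ADMIN_ARN]},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
    ],
})

# The two actions AWS adds to the administrator statement for multi-Region keys.
MULTI_REGION_ADMIN_ACTIONS = ("kms:ReplicateKey", "kms:UpdatePrimaryRegion")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_principals(statement):
    """Return the AWS principals a statement applies to ('*' means anyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' are the only wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_by_key_policy(policy_json, principal_arn, action):
    """True if the key policy allows `action` for `principal_arn`.

    Conditions and Resource are ignored; an explicit Deny matching the
    principal and action overrides any Allow, as in IAM evaluation.
    """
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principals = _statement_principals(stmt)
        if "*" not in principals and principal_arn not in principals:
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_multi_region_admin_actions(policy_json, admin_arn):
    """List the multi-Region administrator actions not granted to admin_arn."""
    return [a for a in MULTI_REGION_ADMIN_ACTIONS
            if not allowed_by_key_policy(policy_json, admin_arn, a)]


def add_multi_region_admin_actions(policy_json, sid="KeyAdministration"):
    """Return a copy of the policy with both actions added to the statement `sid`."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Sid") == sid:
            actions = _as_list(stmt.get("Action"))
            stmt["Action"] = actions + [a for a in MULTI_REGION_ADMIN_ACTIONS
                                        if a not in actions]
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("missing before fix:",
          missing_multi_region_admin_actions(SAMPLE_KEY_POLICY, SAMPLE_ADMIN_ARN))
    fixed = add_multi_region_admin_actions(SAMPLE_KEY_POLICY)
    print("missing after fix: ",
          missing_multi_region_admin_actions(fixed, SAMPLE_ADMIN_ARN))
```

Run against a policy fetched with aws kms get-key-policy, the first call reports only kms:ReplicateKey as missing for the sample, because kms:Update* already covers kms:UpdatePrimaryRegion; that matches the single action named in the AccessDeniedException above. The same check is a cheap pre-apply guard in CI for any module that generates key policies for multi-Region keys.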

@antonbabenko
Member

This issue has been resolved in version 2.0.1 🎉

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 19, 2023