[Bug]: Error "connection reset by peer" when performing kms:ListAliases

[erikpaasonen]

Terraform Core Version

1.9.6,1.10.5

AWS Provider Version

5.90.0

Affected Resource(s)

aws_kms_alias (data source)
aws_kms_key (data source)

Expected Behavior

data.aws_kms_alias.lambda: Reading...
data.aws_kms_alias.lambda: Read complete after 1s [id=arn:aws:kms:us-east-1:xxxx:alias/aws/lambda]

Changes to Outputs:
  + kms_alias = {
      + arn            = "arn:aws:kms:us-east-1:xxxx:alias/aws/lambda"
      + id             = "arn:aws:kms:us-east-1:xxxx:alias/aws/lambda"
      + name           = "alias/aws/lambda"
      + target_key_arn = "arn:aws:kms:us-east-1:xxxx:key/481cxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      + target_key_id  = "481cxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Actual Behavior

data.aws_kms_alias.lambda: Reading...
data.aws_kms_alias.lambda: Still reading... [10s elapsed]
data.aws_kms_alias.lambda: Still reading... [20s elapsed]
data.aws_kms_alias.lambda: Still reading... [30s elapsed]
data.aws_kms_alias.lambda: Still reading... [40s elapsed]
data.aws_kms_alias.lambda: Still reading... [50s elapsed]
data.aws_kms_alias.lambda: Still reading... [1m0s elapsed]
data.aws_kms_alias.lambda: Still reading... [1m10s elapsed]
...(rinse-repeat)...
data.aws_kms_alias.lambda: Still reading... [50m50s elapsed]
data.aws_kms_alias.lambda: Still reading... [51m0s elapsed]
data.aws_kms_alias.lambda: Still reading... [51m10s elapsed]
data.aws_kms_alias.lambda: Still reading... [51m20s elapsed]
data.aws_kms_alias.lambda: Still reading... [51m30s elapsed]
data.aws_kms_alias.lambda: Still reading... [51m40s elapsed]

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: reading KMS Alias (alias/aws/lambda): operation error KMS: ListAliases, exceeded maximum number of attempts, 25, https response error StatusCode: 0, RequestID: , request send failed, Post "https://kms.us-east-1.amazonaws.com/": read tcp 10.x.y.z:59723->209.x.y.z:443: read: connection reset by peer
│ 
│   with data.aws_kms_alias.lambda,
│   on main.tf line 15, in data "aws_kms_alias" "lambda":
│   15: data "aws_kms_alias" "lambda" {
│ 
╵

Relevant Error/Panic Output Snippet

Terraform Configuration Files

provider "aws" {
  region = "us-east-1"
  max_retries = 0  # didn't seem to have done any good though
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.90.0"
    }
  }
}

data "aws_kms_alias" "lambda" {
  name = "alias/aws/lambda"
}

output "kms_alias" {
  value = data.aws_kms_alias.lambda
}

Steps to Reproduce

TF plan with a configuration which includes data "aws_kms_alias" "foo"" {...} is all that is needed.

Debug Output

No response

Panic Output

No response

Important Factoids

The "encountered an error generating this plan" is likely because I deleted the credentials for the profile out of my ~/.aws/credentials file to avoid waiting any longer.

This data source works quickly and consistently on v5.89.0 and fails consistently on v5.90.0, with changing nothing else in the configuration or runtime environment.

Side note/separate issue/observation: the max_retries setting in the provider configuration seems to not have been honored by this data source lookup, at least according to the error message. 🤷

References

No response

Would you like to implement a fix?

None

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.

[erikpaasonen]

Further testing revealed that the aws_kms_key data source is also affected, regardless of whether the key_id field is specified by alias, by raw key ID or by ARN. I'll edit the issue description to add aws_kms_key as well.

[justinretzolk]

Potentially related #41731

[justinretzolk]

@erikpaasonen 👋 We've identified the issue here and are planning for a patch release on Monday to resolve it. In the meantime, we'd recommend pinning to 5.89.0, since it's unaffected.

[github-actions]

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.