ugns/terraform-aws-route53-dnssec

Remove provider region for KMS-CMK

Closed this issue · 5 comments

Hello,

Due to the fact that you share this module publicly, you should probably mention in the README that the KMS-CMK resource will be created in the us-east-1 region. I would suggest that you remove the region specification and leave it to the client provider, to avoid confusion and surprises and to make this module more generic.

Thank you

Sorry, I've overlooked the Route53 DNSSEC requirements - KSK must be in that region. Therefore closing this.

Thanks for taking a look at the module, I am always grateful for others to double-check and peer review my efforts to ensure I'm not missing something or that I go about it in the best manner.

Yes, as you realized, the KSK is required to be in us-east-1, which is not uncommon with certain things within AWS. ACM certificates for CloudFront are another that comes to mind quickly. I do see that mentioning that explicitly in the README could still be a good point. I also plan to revise the documentation to make it more complete.

There is one more thing worth mentioning in the documentation, even though it is a long-known "feature". When the provider is present in the module, module removal (code deletion) results in this error:

To work with module.route53-dnssec-ksk.aws_kms_alias.this (orphan) its original provider configuration at module.route53-dnssec-ksk.provider["registry.terraform.io/hashicorp/aws"].use1 is required, but it has been removed. This occurs when a provider configuration is removed while objects created by that provider still exist in the state. Re-add the provider configuration to destroy module.route53-dnssec-ksk.aws_kms_alias.this (orphan), after which you can remove the provider configuration again.

Therefore module removal consists of two steps:

  1. terraform destroy -target=module.route53-dnssec-ksk
  2. git rm route53-dnssec.tf (assuming the module is located in this file alone)

Yes, I believe that is a remnant from pre-1.x versions of Terraform. Recent changes actually recommend against modules including provider blocks and instead just using configuration_aliases, as I read the docs, so I'll take a look at that as well. As mentioned, this is a special case where it does need to occur in a specific region, which was why I configured it this way, but perhaps there is a better way to accomplish the same thing now with a newer Terraform version.

I think I've fixed this in my devel branch at this point while I work on the other issues.
A method I found to get around this during the update process is to do the following:

module "route53-dnssec-ksk" {
  source = "github.com/ugns/terraform-aws-route53-dnssec?ref=devel"

  providers = {
    aws.use1  = aws
  }
}

After the state has been updated, the providers block could be removed or changed to aws = aws.use1 if the default aws provider in the root module is in a zone other than us-east-1 as required by Route53.
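As an added illustration of the configuration_aliases approach and of why it avoids the orphaned-provider error quoted earlier in this thread (this is example configuration, not the module's own code or anything posted by the participants): the module declares the alias it expects instead of carrying a provider block, and the root module owns the us-east-1 provider. File names, the eu-west-1 default region, the alias name and the key policy being omitted are all assumptions.

```hcl
# --- modules/route53-dnssec-ksk/versions.tf (inside the module) ---
# The module declares that it expects a provider configuration named
# aws.use1 from its caller instead of defining its own provider block.
terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      configuration_aliases = [aws.use1]
    }
  }
}

# --- modules/route53-dnssec-ksk/main.tf (inside the module) ---
# Resources that must live in us-east-1 (the KSK's KMS key and its alias)
# are pinned to the aliased provider; the module hard-codes no region.
# Route53 DNSSEC needs an asymmetric ECC_NIST_P256 signing key; the key
# policy granting the dnssec-route53.amazonaws.com service principal
# access is omitted here for brevity (assumption: managed elsewhere).
resource "aws_kms_key" "this" {
  provider                 = aws.use1
  customer_master_key_spec = "ECC_NIST_P256"
  key_usage                = "SIGN_VERIFY"
}

resource "aws_kms_alias" "this" {
  provider      = aws.use1
  name          = "alias/route53-dnssec-ksk" # assumed alias name
  target_key_id = aws_kms_key.this.key_id
}

# --- root module: providers.tf ---
# Default provider in whatever region the caller works in, plus a second,
# aliased configuration pinned to us-east-1 for the Route53 DNSSEC KSK.
provider "aws" {
  region = "eu-west-1" # example default region, any region works
}

provider "aws" {
  alias  = "use1"
  region = "us-east-1"
}

# --- root module: route53-dnssec.tf ---
# The caller maps the module's expected alias to its own us-east-1 provider.
# Because the provider configuration now lives in the root module, deleting
# this file no longer orphans the KMS resources: the provider needed to
# destroy them is still configured, so no separate -target destroy is needed.
module "route53-dnssec-ksk" {
  source = "github.com/ugns/terraform-aws-route53-dnssec?ref=devel"

  providers = {
    aws.use1 = aws.use1
  }
}
```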