
In my terraform config I have aws_kms_ciphertext data sources whose ciphertext_blob attribute changes on every terraform apply.

As an example...

variable "profile" {
  type = "string"
}

provider "aws" {
  region  = "us-west-2"
  profile = "${var.profile}"
}

resource aws_kms_key "test_key" {
  description = "terraform test"
  is_enabled = true
}

data aws_kms_ciphertext "test_ciphertext" {
  key_id = "${aws_kms_key.test_key.key_id}"
  plaintext = "plaintext"
}

output "ciphertext" {
  value = "${data.aws_kms_ciphertext.test_ciphertext.ciphertext_blob}"
}

If you terraform apply the above config, the output ciphertext is different every time. Is it possible for the ciphertext to be stable or to keep it in the state file so that it doesn't need to be applied every time even though the plaintext has not changed?

Stephen Paulger

1 Answer


It's the normal behavior of KMS encryption: every request with a constant plaintext will produce a different ciphertext each time.

There is no way to change that behavior (make the ciphertext "stable"), so encrypt once and keep it.

Michał Z.
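One way to "encrypt once and keep it" inside Terraform itself, shown as an added example that is not part of the question or the answer: the AWS provider also has an aws_kms_ciphertext managed resource, which calls Encrypt when the resource is created and stores the resulting ciphertext_blob in state. The config below is the question's config rewritten in Terraform 0.12+ syntax with only the data source swapped for the resource.

```hcl
variable "profile" {
  type = string
}

provider "aws" {
  region  = "us-west-2"
  profile = var.profile
}

resource "aws_kms_key" "test_key" {
  description = "terraform test"
  is_enabled  = true
}

# Managed resource instead of the data source.
# The data source calls KMS Encrypt on every refresh, so its
# ciphertext_blob differs on every plan/apply. The resource encrypts
# when it is created and then reads ciphertext_blob back from state,
# so the value only changes when key_id or plaintext changes.
resource "aws_kms_ciphertext" "test_ciphertext" {
  key_id    = aws_kms_key.test_key.key_id
  plaintext = "plaintext"
}

output "ciphertext" {
  # Stable across applies as long as the resource is not replaced.
  value = aws_kms_ciphertext.test_ciphertext.ciphertext_blob
}
```

The plaintext argument is written to the state file alongside the ciphertext, so the state backend needs the same access controls and encryption at rest as the secret itself.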