Terraform unable to detect file changes for aws_s3_bucket_object when using KMS encryption


Arnvid Lau Karstad

Jan 28, 2019, 10:10:03 AM
to Terraform
Hi all

In many of our projects we used Terraform to maintain and update scripts and other files used by EC2 instances during launch. Previously, one would use etag for storing the MD5.
With KMS encryption enabled this is no longer an option, as the etag is not compatible with server-side encryption. So some suggested placing the MD5 in a tag, but this will only cause Terraform to update the tag and ignore uploading the file to AWS S3.


resource "aws_s3_bucket_object" "nginx_conf" {
  # Uploads the nginx.conf to tools bucket
  bucket = "${var.s3_tools_bucket_name}"
  key    = "s3/path/${var.app_name}/nginx.conf"
  source = "files/nginx.conf"

  tags = {
    md5 = "${md5(file("files/nginx.conf"))}"
  }
}


Is there any way to taint the object, or to force an update on tag change, or by any other means allow the MD5 to trigger a new upload... or for Terraform to actually see that the file has changed when encryption is used!?

Br

Arnvid

Alex Gottschalk

Apr 8, 2019, 4:34:10 PM
to Terraform
Hi, Arnvid,

I'm running into exactly this issue. Have you found any workaround?

--Alex
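
One way to get change detection back for a KMS-encrypted object, as an added example that is not part of the original thread: it assumes Terraform 0.12 or later and an AWS provider release whose aws_s3_bucket_object supports the source_hash argument. The variable kms_key_arn is hypothetical; the other names are taken from the resource posted above.

```hcl
# Added example, not code from the thread.
# Assumption: the AWS provider in use supports source_hash on aws_s3_bucket_object.

variable "s3_tools_bucket_name" {}
variable "app_name" {}
variable "kms_key_arn" {} # hypothetical: ARN of the KMS key used for SSE-KMS

locals {
  nginx_conf_path = "files/nginx.conf"
}

resource "aws_s3_bucket_object" "nginx_conf" {
  # Uploads the nginx.conf to tools bucket
  bucket = var.s3_tools_bucket_name
  key    = "s3/path/${var.app_name}/nginx.conf"
  source = local.nginx_conf_path

  # With SSE-KMS the ETag returned by S3 is not the MD5 of the file,
  # so etag cannot be used to detect local changes:
  #   etag = filemd5(local.nginx_conf_path)   # not compatible with KMS
  kms_key_id = var.kms_key_arn

  # source_hash is kept only in Terraform state, not sent to AWS.
  # When the local file changes, the value changes and the object is
  # uploaded again, unlike a changed tag, which only updates the tag.
  source_hash = filemd5(local.nginx_conf_path)
}
```

After editing files/nginx.conf, terraform plan should report a change to source_hash on this resource rather than "No changes".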