
[AWS::Redshift::Cluster] Drift Detection false positive for KmsKeyId property under AWS::Redshift::Cluster resource #132

Open
FarrOut opened this issue Apr 20, 2023 · 2 comments

Comments

FarrOut commented Apr 20, 2023

There is an issue with this resource type whereby false-positive drift is reported for the KmsKeyId property. A similar issue has been opened in the CloudFormation roadmap, but opening another here as this team is responsible for this resource type handler.

Will be happy to provide any further info as required.


Name of the resource
AWS::Redshift::Cluster

Issue Description
The KmsKeyId property for the AWS::Redshift::Cluster resource is marked as drifted when just the Id (not full ARN) is specified in the template and the stack is created.

Ideally, drift detection should not have been performed on the KmsKeyId property as per - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html#drift-considerations

CloudFormation does not perform drift detection on the KMSKeyId property of any resources. Because AWS KMS keys can be referenced by multiple aliases, CloudFormation can't guarantee consistently accurate drift results for this property.

Expected Behavior

The KmsKeyId property should have IN_SYNC or NOT_CHECKED status.

Observed Behavior

The KmsKeyId property is marked as NOT_EQUAL with

expected = xxxx-xxxx-xxxx-xxxx
actual = arn:aws:kms:us-east-1:000000000:key/xxxx-xxxx-xxxx-xxxx

Test Cases

Steps to reproduce:

  • Create Stack using following template -

    Resources:
      myCluster:
        Type: 'AWS::Redshift::Cluster'
        Properties:
          DBName: mydb
          Encrypted: true
          MasterUsername: master
          MasterUserPassword: xxxxxxxxxx
          NodeType: ds2.xlarge
          ClusterType: single-node
          KmsKeyId: xxxx-xxxx-xxxx-xxxx

  • Run drift detection
  • View drift results
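As an added illustration (not part of this issue or of the resource handler's code), the Python below shows how someone triaging drift results can tell this id-versus-ARN mismatch apart from a genuine key change: both identifiers are normalised to the bare key id, and a KmsKeyId difference is dropped only when they resolve to the same key. Every other NOT_EQUAL difference is kept, and aliases are left unresolved (so still reported), because a changed encryption key is exactly what drift detection should surface. The sample drift record is constructed to mirror the shape of DescribeStackResourceDrifts output and the values in this report; the function names are my own.

```python
import re
from typing import Optional

# Constructed sample, modelled on the PropertyDifferences entries that
# CloudFormation's DescribeStackResourceDrifts returns. The KmsKeyId entry
# reproduces the report: template gives the bare key id, live resource
# reports the full key ARN. The NodeType entry is a genuine change.
SAMPLE_DRIFT = {
    "LogicalResourceId": "myCluster",
    "ResourceType": "AWS::Redshift::Cluster",
    "StackResourceDriftStatus": "MODIFIED",
    "PropertyDifferences": [
        {
            "PropertyPath": "/KmsKeyId",
            "ExpectedValue": "1234abcd-12ab-34cd-56ef-1234567890ab",
            "ActualValue": "arn:aws:kms:us-east-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "DifferenceType": "NOT_EQUAL",
        },
        {
            "PropertyPath": "/NodeType",
            "ExpectedValue": "ds2.xlarge",
            "ActualValue": "dc2.large",
            "DifferenceType": "NOT_EQUAL",
        },
    ],
}

# Key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
# Key ids are UUIDs, or "mrk-" + 32 hex chars for multi-region keys.
_KEY_ID = r"(?:mrk-[0-9a-f]{32}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
KMS_KEY_ARN = re.compile(
    r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/(?P<key_id>" + _KEY_ID + r")$"
)
KMS_KEY_ID = re.compile(r"^" + _KEY_ID + r"$")


def kms_key_id(value: str) -> Optional[str]:
    """Return the bare key id for a key ARN or a bare key id.

    Returns None for anything else, notably aliases ("alias/..." or their
    ARNs): an alias can only be resolved by asking KMS, so it is left alone.
    """
    m = KMS_KEY_ARN.match(value)
    if m:
        return m.group("key_id")
    if KMS_KEY_ID.match(value):
        return value
    return None


def same_kms_key(expected: str, actual: str) -> bool:
    """True only when both identifiers resolve offline to the same key id."""
    a, b = kms_key_id(expected), kms_key_id(actual)
    return a is not None and a == b


def real_differences(drift: dict) -> list:
    """Filter one resource's PropertyDifferences.

    A KmsKeyId difference is dropped only when expected and actual name the
    same key; everything else is returned untouched so real drift still shows.
    """
    kept = []
    for diff in drift.get("PropertyDifferences", []):
        if diff["PropertyPath"].endswith("/KmsKeyId") and same_kms_key(
            diff["ExpectedValue"], diff["ActualValue"]
        ):
            continue
        kept.append(diff)
    return kept


if __name__ == "__main__":
    for d in real_differences(SAMPLE_DRIFT):
        print(d["PropertyPath"], d["ExpectedValue"], "->", d["ActualValue"])
```

Run against the constructed record, only the NodeType difference survives; feed it the output of a real `describe_stack_resource_drifts` call instead and the same filter applies per resource. Note that the filter deliberately does not treat two aliases, or an alias and an id, as equal: that is the case the CloudFormation docs quoted above say cannot be decided reliably, so it stays visible for a human to check.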
FarrOut commented Apr 20, 2023

Retested and confirmed.

CDK v2.76.0

from aws_cdk import RemovalPolicy, Stack
from aws_cdk import aws_kms as kms
from aws_cdk.aws_redshift import CfnCluster
from constructs import Construct


class ClusterStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        key = kms.Key(self, "MyKey",
                      removal_policy=RemovalPolicy.DESTROY,
                      )

        # kms_key_id receives the bare key id; the live cluster reports the ARN
        cluster = CfnCluster(self, 'ClusterMitKmsId',
                             cluster_type='single-node',
                             db_name='dev',
                             master_username='bevelvoerder',
                             master_user_password='Wagw00rdEen',
                             node_type='dc2.large',
                             encrypted=True,
                             kms_key_id=key.key_id,
                             classic=True,
                             )
        cluster.apply_removal_policy(RemovalPolicy.DESTROY)

Expected

{
  "KmsKeyId": "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx",
  "Encrypted": true,
  "NodeType": "dc2.large",
  "MasterUsername": "bevelvoerder",
  "DBName": "dev",
  "ClusterType": "single-node",
  "Classic": true
}

Actual

{
  "KmsKeyId": "arn:aws:kms:eu-central-1:00000000000:key/xxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "Encrypted": true,
  "NodeType": "dc2.large",
  "MasterUsername": "bevelvoerder",
  "DBName": "dev",
  "ClusterType": "single-node"
}

FarrOut commented Apr 20, 2023

Seems to work, however, when supplying kms_arn.

        # Same stack as in the previous comment (imports: aws_cdk.RemovalPolicy,
        # aws_cdk.aws_kms, aws_cdk.aws_redshift.CfnCluster); `key` is the
        # kms.Key created there. Only kms_key_id differs: key ARN, not key id.
        cluster = CfnCluster(self, 'ClusterMitKmsArn',
                             cluster_type='single-node',
                             db_name='dev',
                             master_username='bevelvoerder',
                             master_user_password='Wagw00rdEen',
                             node_type='dc2.large',
                             encrypted=True,
                             kms_key_id=key.key_arn,
                             classic=True,
                             )

CDK v2.76.0

Expected

{
  "KmsKeyId": "arn:aws:kms:eu-central-1:00000000000:key/xxxxxx-xxxxx-xxxxx-xxxxx-xxxxxx",
  "Encrypted": true,
  "NodeType": "dc2.large",
  "MasterUsername": "bevelvoerder",
  "DBName": "dev",
  "ClusterType": "single-node",
  "Classic": true
}

Actual

{
  "KmsKeyId": "arn:aws:kms:eu-central-1:0000000:key/xxxxxxx-xxxxxx-xxxxx-xxxx-xxxxxxxx",
  "Encrypted": true,
  "NodeType": "dc2.large",
  "MasterUsername": "bevelvoerder",
  "DBName": "dev",
  "ClusterType": "single-node"
}
