
Wrong output during terraform plan #24

Open
1 task done
bharti8085 opened this issue Apr 17, 2023 · 1 comment
Labels
⚠️ bug Categorize bug reports.

Comments

@bharti8085

bharti8085 commented Apr 17, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Description of the bug

I am using the following resource block:

resource "aws_kms_key_policy" "cmk" {
  key_id = data.aws_kms_key.by_alias.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "SId#1",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::123456789:root"
        },
        "Action" : "kms:CreateGrant",
        "Resource" : "*",
        "Condition" : {
          "StringEquals" : {
            "kms:CallerAccount" : "123456789",
            "kms:GranteePrincipal" : "arn:aws:iam::123456789:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService"
          },
          "ForAllValues:StringEquals" : {
            "kms:GrantOperations" : [
              "CreateGrant",
              "DescribeKey",
              "Encrypt",
              "Decrypt",
              "GenerateDataKey",
              "GenerateDataKeyWithoutPlaintext"
            ]
          },
          "Bool" : {
            "aws:ViaAWSService" : "true"
          }
        }
      },
      {
        "Sid" : "Sid#2",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : [
            "arn:aws:iam::123456789:root",
            "arn:aws:iam::123456789:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService"
          ]
        },
        "Action" : [
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*"
        ],
        "Resource" : "*",
        "Condition" : {
          "StringEquals" : {
            "kms:CallerAccount" : "123456789",
            "kms:ViaService" : "ec2.us-east-1.amazonaws.com"
          }
        }
      }
    ]
  })
}

terraform plan output

                          + "kms:CallerAccount"    = "123456789"
                          + "kms:GranteePrincipal" = "arn:aws:iam::123456789:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService"
                        }
                    }
                  + Effect    = "Allow"
                  + Principal = {
                      + AWS = "arn:aws:iam::123456789:root"
                    }
                  + Resource  = "*"
                  + Sid       = "Sid#2"
                },
              + {
                  + Action    = [
                      + "kms:ReEncrypt*",
                      + "kms:GenerateDataKey*",
                    ]
                  + Condition = {
                      + StringEquals = {
                          + "kms:CallerAccount" = "123456789"
                          + "kms:ViaService"    = "ec2.***.amazonaws.com"
                        }
                    }
                  + Effect    = "Allow"
                  + Principal = {
                      + AWS = [
                          + "arn:aws:iam::123456789:root",
                          + "arn:aws:iam::123456789:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService",
                        ]
                    }
                  + Resource  = "*"
                  + Sid       = "Sid#1"
                },
            ]
          + Version   = "2012-10-17"
        }
    )
}

I don't understand why kms:ViaService = ec2.***.amazonaws.com in the output has three stars (***) rather than the exact region name.

Steps To Reproduce

provider "aws" {
  region = var.region
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

Which version of the app are you using?

1.0.0, 1.1.0, 1.2.0
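Whether the policy that actually gets applied carries the concrete region can be confirmed from the decoded policy document (for example from `terraform show -json` after apply, or from `aws kms get-key-policy`) rather than from the plan rendering; the check below does that for the two statements in this issue. It is an added example, not code from the issue or the project: the policy builder mirrors the issue's document with its placeholder account id, and the regional-endpoint pattern is an assumption.

```python
import re

ACCOUNT = "123456789"  # placeholder account id, as used in the issue
MGN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"

# Assumed shape of a concrete regional endpoint, e.g. ec2.us-east-1.amazonaws.com; "***" does not match.
VIA_SERVICE_RE = re.compile(r"^[a-z0-9-]+\.[a-z]{2}(-[a-z]+)+-\d\.amazonaws\.com$")

def make_policy(region):
    """Constructed policy document mirroring the issue's jsonencode({...}) block."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SId#1", "Effect": "Allow", "Principal": {"AWS": ROOT},
             "Action": "kms:CreateGrant", "Resource": "*",
             "Condition": {
                 "StringEquals": {"kms:CallerAccount": ACCOUNT, "kms:GranteePrincipal": MGN_ROLE},
                 "ForAllValues:StringEquals": {"kms:GrantOperations": [
                     "CreateGrant", "DescribeKey", "Encrypt", "Decrypt",
                     "GenerateDataKey", "GenerateDataKeyWithoutPlaintext"]},
                 "Bool": {"aws:ViaAWSService": "true"}}},
            {"Sid": "Sid#2", "Effect": "Allow", "Principal": {"AWS": [ROOT, MGN_ROLE]},
             "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*"], "Resource": "*",
             "Condition": {"StringEquals": {
                 "kms:CallerAccount": ACCOUNT,
                 "kms:ViaService": f"ec2.{region}.amazonaws.com"}}},
        ],
    }

def check_kms_policy(policy, account=ACCOUNT, grantee=MGN_ROLE):
    """Return findings for statements weaker or vaguer than intended; [] when the policy is as intended."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        cond = stmt.get("Condition", {})
        eq = cond.get("StringEquals", {})
        if eq.get("kms:CallerAccount") != account:
            findings.append(f"{sid}: kms:CallerAccount is not pinned to {account}")
        via = eq.get("kms:ViaService")
        if via is not None and not VIA_SERVICE_RE.match(via):
            findings.append(f"{sid}: kms:ViaService {via!r} is not a concrete regional endpoint")
        if "kms:CreateGrant" in actions:
            if eq.get("kms:GranteePrincipal") != grantee:
                findings.append(f"{sid}: CreateGrant is not restricted to the expected grantee")
            if cond.get("Bool", {}).get("aws:ViaAWSService") != "true":
                findings.append(f"{sid}: CreateGrant is not limited to calls made via an AWS service")
    return findings
```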

@bharti8085 bharti8085 added the ⚠️ bug Categorize bug reports. label Apr 17, 2023
@github-actions

👋 Welcome! Looks like this is your first issue.

Hey, thanks for your contribution! Please give us a bit of time to review it. 😄

Be sure to follow the issue template!
