
fix(sqs): reconcile SqsManagedSseEnabled when KmsMasterKeyId is set #13780

Open
mcrolly wants to merge 1 commit into localstack:main from mcrolly:fix/sqs-managed-sse-enabled-13539
mcrolly commented Feb 16, 2026

Motivation

Fixes #13539

On AWS, KmsMasterKeyId and SqsManagedSseEnabled are mutually exclusive encryption modes:

  • When KmsMasterKeyId is set → SqsManagedSseEnabled becomes "false"
  • When KmsMasterKeyId is removed → SqsManagedSseEnabled reverts to "true"

LocalStack was not reconciling these, so SqsManagedSseEnabled remained "true" even when KMS encryption was configured. This caused terraform-provider-aws SQS encryption tests to fail and produced incorrect snapshot diffs.

Changes

  • models.py: Added _reconcile_sse_attributes() method to SqsQueue that ensures mutual exclusivity between KMS and SQS-managed SSE. Called during queue creation when attributes include KmsMasterKeyId.
  • provider.py: Call _reconcile_sse_attributes() in set_queue_attributes when KmsMasterKeyId is modified, handling both setting and removing KMS keys.
  • test_sqs.py: Removed skip_snapshot_verify for SqsManagedSseEnabled on test_set_queue_attributes_default_values since the fix makes the snapshot match correctly.

Tests

  • Verified queue creation with KmsMasterKeyId → SqsManagedSseEnabled is "false"
  • Verified queue creation without KMS → SqsManagedSseEnabled is "true" (default)
  • Verified SetQueueAttributes with KmsMasterKeyId flips SqsManagedSseEnabled to "false"
  • Verified removing KmsMasterKeyId restores SqsManagedSseEnabled to "true"
  • Existing snapshot test_set_queue_attributes_default_values should now pass without skip

Related

Fixes localstack#13539

On AWS, KmsMasterKeyId and SqsManagedSseEnabled are mutually exclusive:
- When KmsMasterKeyId is set, SqsManagedSseEnabled becomes 'false'
- When KmsMasterKeyId is removed, SqsManagedSseEnabled reverts to 'true'

LocalStack was not reconciling these attributes, causing
SqsManagedSseEnabled to remain 'true' even when KMS encryption was
configured. This broke terraform-provider-aws encryption tests.

Changes:
- Add _reconcile_sse_attributes() to SqsQueue model
- Call it on queue creation (when attributes include KmsMasterKeyId)
- Call it from set_queue_attributes when KmsMasterKeyId is modified
- Remove skip_snapshot_verify for SqsManagedSseEnabled in
  test_set_queue_attributes_default_values (now passes correctly)
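
The two rules described in the PR above, modelled as a self-contained sketch. This is an added example, not the code from this pull request or from LocalStack: the function names, the key alias, and the treatment of an empty `KmsMasterKeyId` as removal are assumptions.

```python
DEFAULTS = {"SqsManagedSseEnabled": "true"}  # default without KMS, per the PR


def reconcile_sse(attrs):
    """Apply the two rules from the PR description, in place (hypothetical helper)."""
    if attrs.get("KmsMasterKeyId"):
        # A KMS key is configured, so SQS-managed SSE must read "false".
        attrs["SqsManagedSseEnabled"] = "false"
    else:
        # Assumption: an empty value means the key was removed.
        attrs.pop("KmsMasterKeyId", None)
        attrs["SqsManagedSseEnabled"] = "true"


def create_queue(attributes=None):
    attrs = {**DEFAULTS, **(attributes or {})}
    if "KmsMasterKeyId" in attrs:
        reconcile_sse(attrs)
    return attrs


def set_queue_attributes(attrs, changes):
    attrs.update(changes)
    # Reconcile only when the call touched KmsMasterKeyId.
    if "KmsMasterKeyId" in changes:
        reconcile_sse(attrs)
    return attrs


def unreconciled_set(attrs, changes):
    """The behaviour reported as the bug: attributes stored with no reconcile."""
    attrs.update(changes)
    return attrs


def violates_exclusivity(attrs):
    """True if a queue reports both encryption modes at once."""
    return bool(attrs.get("KmsMasterKeyId")) and attrs.get("SqsManagedSseEnabled") == "true"


if __name__ == "__main__":
    key = "alias/example-key"  # constructed sample value
    fixed = set_queue_attributes(create_queue(), {"KmsMasterKeyId": key})
    buggy = unreconciled_set(create_queue(), {"KmsMasterKeyId": key})
    print(fixed, violates_exclusivity(fixed))
    print(buggy, violates_exclusivity(buggy))
```

`violates_exclusivity` is the kind of invariant a snapshot or parity test can assert on every `GetQueueAttributes` response, so an emulator that reports both encryption modes at once is caught before infrastructure tests rely on it.
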
localstack-bot commented Feb 16, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

localstack-bot left a comment

Welcome to LocalStack! Thanks for raising your first Pull Request and landing in your contributions. Our team will reach out with any reviews or feedback that we have shortly. We recommend joining our Slack Community and sharing your PR on the #community channel to share your contributions with us. Please make sure you are following our contributing guidelines and our Code of Conduct.

mcrolly commented Feb 16, 2026

I have read the CLA Document and I hereby sign the CLA

localstack-bot added a commit that referenced this pull request Feb 16, 2026
purcell added labels Feb 18, 2026: semver: patch (Non-breaking changes which can be included in patch releases); docs: skip (Pull request does not require documentation changes); notes: skip (Pull request does not have to be mentioned in the release notes)
Development

Successfully merging this pull request may close these issues.

bug: SQA SqsManagedSseEnabled discrepancy with AWS

4 participants