Error reading CryptoKeyVersion - provider defined wrong type vs GCP API response

[boxanhngo]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.2.7
on linux_amd64

Affected Resource(s)

• google_kms_crypto_key_version

Terraform Configuration Files

resource "google_kms_crypto_key_version" "key_version" {
  count      = length(var.keys)
  crypto_key = google_kms_crypto_key.key[count.index].id
}

Debug Output

2023-03-06T20:46:57.932-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:57 [DEBUG] Retry Transport: Stopping retries, last request was successful: timestamp=2023-03-06T20:46:57.932-0800
2023-03-06T20:46:57.932-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:57 [DEBUG] Retry Transport: Returning after 1 attempts: timestamp=2023-03-06T20:46:57.932-0800
2023-03-06T20:46:57.932-0800 [WARN]  Provider "registry.terraform.io/hashicorp/google" produced an unexpected new value for google_kms_crypto_key.key[1] during refresh.
      - .labels: was null, but now cty.MapValEmpty(cty.String)
2023-03-06T20:46:57.935-0800 [WARN]  Provider "registry.terraform.io/hashicorp/google" produced an invalid plan for google_kms_crypto_key.key[1], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .skip_initial_version_creation: planned value cty.False for a non-computed attribute
      - .labels: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
2023-03-06T20:46:57.937-0800 [INFO]  ReferenceTransformer: reference not found: "var.keys"
2023-03-06T20:46:57.937-0800 [INFO]  ReferenceTransformer: reference not found: "google_kms_crypto_key.key"
2023-03-06T20:46:57.937-0800 [INFO]  ReferenceTransformer: reference not found: "count.index"
2023-03-06T20:46:57.937-0800 [DEBUG] ReferenceTransformer: "google_kms_crypto_key_version.key_version[0]" references: []
2023-03-06T20:46:57.937-0800 [INFO]  ReferenceTransformer: reference not found: "var.keys"
2023-03-06T20:46:57.937-0800 [INFO]  ReferenceTransformer: reference not found: "google_kms_crypto_key.key"
2023-03-06T20:46:57.937-0800 [INFO]  ReferenceTransformer: reference not found: "count.index"
2023-03-06T20:46:57.937-0800 [DEBUG] ReferenceTransformer: "google_kms_crypto_key_version.key_version[1]" references: []
2023-03-06T20:46:57.939-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:57 [DEBUG] Waiting for state to become: [success]: timestamp=2023-03-06T20:46:57.939-0800
2023-03-06T20:46:57.939-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:57 [DEBUG] Waiting for state to become: [success]: timestamp=2023-03-06T20:46:57.939-0800
2023-03-06T20:46:57.939-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:57 [DEBUG] Retry Transport: starting RoundTrip retry loop: timestamp=2023-03-06T20:46:57.939-0800
2023-03-06T20:46:57.939-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:57 [DEBUG] Retry Transport: starting RoundTrip retry loop: timestamp=2023-03-06T20:46:57.939-0800
2023-03-06T20:46:57.939-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:57 [DEBUG] Retry Transport: request attempt 0: timestamp=2023-03-06T20:46:57.939-0800
2023-03-06T20:46:57.939-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:57 [DEBUG] Retry Transport: request attempt 0: timestamp=2023-03-06T20:46:57.939-0800
2023-03-06T20:46:57.939-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:57 [DEBUG] Google API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/projects/ABC/locations/us/keyRings/ABC/cryptoKeys/ABC-CMEK/cryptoKeyVersions/2?alt=json HTTP/1.1
Host: cloudkms.googleapis.com
User-Agent: Terraform/1.2.7 (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google/4.56.0 IAC-Atlantis/IAC/ABC-iac-something/126 blueprints/terraform/terraform-google-kms/v2.1.0
Content-Type: application/json
Accept-Encoding: gzip
-----------------------------------------------------: timestamp=2023-03-06T20:46:57.939-0800
2023-03-06T20:46:57.939-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:57 [DEBUG] Google API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/projects/ABC/locations/us/keyRings/ABC/cryptoKeys/ABC-cmek/cryptoKeyVersions/2?alt=json HTTP/1.1
Host: cloudkms.googleapis.com
User-Agent: Terraform/1.2.7 (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google/4.56.0 IAC-Atlantis/IAC/ABC-iac-something/126 blueprints/terraform/terraform-google-kms/v2.1.0
Content-Type: application/json
Accept-Encoding: gzip


-----------------------------------------------------: timestamp=2023-03-06T20:46:57.939-0800
2023-03-06T20:46:58.011-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:58 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Tue, 07 Mar 2023 04:46:58 GMT
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
  "name": "projects/ABC/locations/us/keyRings/ABC/cryptoKeys/ABC-CMEK/cryptoKeyVersions/2",
  "state": "ENABLED",
  "createTime": "2023-03-06T23:51:04.333908334Z",
  "protectionLevel": "HSM",
  "attestation": {
    "format": "CAVIUM_V2_COMPRESSED",
    "content": "redacted"
    "certChains": {
      "caviumCerts": [
        "-----BEGIN CERTIFICATE-----redacted --END CERTIFICATE------\n",
"-----BEGIN CERTIFICATE-----\n--edacted --END CERTIFICATE -----\n"
 ],
      "googlePartitionCerts": [
"-----BEGIN CERTIFICATE-----\n redacted --END CERTIFICATE ----\n"
      ]
    }
  },
  "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
  "generateTime": "2023-03-06T23:51:04.333908334Z"
}

-----------------------------------------------------: timestamp=2023-03-06T20:46:58.011-0800
2023-03-06T20:46:58.011-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:58 [DEBUG] Retry Transport: Stopping retries, last request was successful: timestamp=2023-03-06T20:46:58.011-0800
2023-03-06T20:46:58.011-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:58 [DEBUG] Retry Transport: Returning after 1 attempts: timestamp=2023-03-06T20:46:58.011-0800
2023-03-06T20:46:58.011-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/06 20:46:58 [ERROR] setting state: attestation.0.cert_chains.0.cavium_certs: '' expected type 'string', got unconvertible type '[]interface {}', value: '[-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
]': timestamp=2023-03-06T20:46:58.011-0800
2023-03-06T20:46:58.012-0800 [ERROR] provider.terraform-provider-google_v4.56.0_x5: Response contains error diagnostic: tf_rpc=ReadResource diagnostic_detail= diagnostic_severity=ERROR diagnostic_summary="Error reading CryptoKeyVersion: attestation.0.cert_chains.0.cavium_certs: '' expected type 'string', got unconvertible type '[]interface {}', value: '[-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
]'" tf_provider_addr=provider tf_req_id=06a093b3-ccca-abab-c4ae-6f3223e526b3 tf_resource_type=google_kms_crypto_key_version @caller=github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/internal/diag/diagnostics.go:55 @module=sdk.proto tf_proto_version=5.3 timestamp=2023-03-06T20:46:58.011-0800
2023-03-06T20:46:58.012-0800 [ERROR] vertex "google_kms_crypto_key_version.key_version[1]" error: Error reading CryptoKeyVersion: attestation.0.cert_chains.0.cavium_certs: '' expected type 'string', got unconvertible type '[]interface {}', value: '[-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
]'

Panic Output

Error: Error reading CryptoKeyVersion: attestation.0.cert_chains.0.google_partition_certs: '' expected type 'string', got unconvertible type '[]interface {}'

Expected Behavior

https://github.com/hashicorp/terraform-provider-google/blob/v4.56.0/google/resource_kms_crypto_key_version.go#L79

Schema: map[string]*schema.Schema{
		"cavium_certs": {
		       Type:        schema.TypeString,

Actual Behavior

"certChains": {
      "caviumCerts": [
        "-----BEGIN CERTIFICATE-----\n<redacted>\n-----END CERTIFICATE-----\n",

Steps to Reproduce

1. terraform plan

Important Factoids

References

• #0000

b/299683525

[edwardmedia]

@boxanhngo can you share your config and the debug log?

[boxanhngo]

@edwardmedia Can you take a look ? We shared tf config and debug log.

[hao-nan-li]

In the log it looks like the referenced crypto_key is not found.
2023-03-06T20:46:57.937-0800 [INFO] ReferenceTransformer: reference not found: "var.keys" 2023-03-06T20:46:57.937-0800 [INFO] ReferenceTransformer: reference not found: "google_kms_crypto_key.key"

To which crypto_keys are the versions applying to?

[boxanhngo]

In the log it looks like the referenced crypto_key is not found. 2023-03-06T20:46:57.937-0800 [INFO] ReferenceTransformer: reference not found: "var.keys" 2023-03-06T20:46:57.937-0800 [INFO] ReferenceTransformer: reference not found: "google_kms_crypto_key.key"

To which crypto_keys are the versions applying to?

yes. We have a list of keys basically and then we apply crypto keys version against. google_kms_crypto_key.key[count.index].id

[hao-nan-li]

The error above shows that the referenced crypto_key is not found, and before that the count variable seems not referenced to var.keys.

I'd probably try to solve these before moving forward to investigate in crypto_key_versions

[boxanhngo]

@hao-nan-li We reproduced the same issue w/o references issue . Log is updated as below. PTAL ?

2023-03-07T14:12:51.837-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/07 14:12:51 [DEBUG] Retry Transport: Stopping retries, last request was successful: timestamp=2023-03-07T14:12:51.837-0800
2023-03-07T14:12:51.837-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/07 14:12:51 [DEBUG] Retry Transport: Returning after 1 attempts: timestamp=2023-03-07T14:12:51.837-0800
2023-03-07T14:12:51.840-0800 [WARN]  Provider "registry.terraform.io/hashicorp/google" produced an invalid plan for google_kms_crypto_key.key, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .labels: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .skip_initial_version_creation: planned value cty.False for a non-computed attribute
      - .rotation_period: planned value cty.StringVal("") for a non-computed attribute
2023-03-07T14:12:51.841-0800 [DEBUG] ReferenceTransformer: "google_kms_crypto_key_version.key_version" references: []
2023-03-07T14:12:51.843-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/07 14:12:51 [DEBUG] Waiting for state to become: [success]: timestamp=2023-03-07T14:12:51.843-0800
2023-03-07T14:12:51.843-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/07 14:12:51 [DEBUG] Retry Transport: starting RoundTrip retry loop: timestamp=2023-03-07T14:12:51.843-0800
2023-03-07T14:12:51.843-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/07 14:12:51 [DEBUG] Retry Transport: request attempt 0: timestamp=2023-03-07T14:12:51.843-0800
2023-03-07T14:12:51.843-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/07 14:12:51 [DEBUG] Google API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/projects/ABC/locations/us/keyRings/ABC/cryptoKeys/ABC-cmek/cryptoKeyVersions/3?alt=json HTTP/1.1
Host: cloudkms.googleapis.com
User-Agent: Terraform/1.2.7 (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google/4.56.0 IAC-Atlantis/IAC/ABC-iac-something/126 blueprints/terraform/terraform-google-kms/v2.1.0
Content-Type: application/json
Accept-Encoding: gzip
-----------------------------------------------------: timestamp=2023-03-07T14:12:51.843-0800
2023-03-07T14:12:52.043-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/07 14:12:52 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Tue, 07 Mar 2023 22:12:52 GMT
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
  "name": "projects/ABC/locations/us/keyRings/ABC/cryptoKeys/ABC-cmek/cryptoKeyVersions/3",
  "state": "ENABLED",
  "createTime": "2023-03-07T22:01:13.131861605Z",
  "protectionLevel": "HSM",
  "attestation": {
    "format": "CAVIUM_V2_COMPRESSED",
    "content": "redact",
    "certChains": {
      "caviumCerts": [
        "-----BEGIN CERTIFICATE-----\ redacted",
"-----BEGIN CERTIFICATE-----redacted\n
      ],
      "googleCardCerts": [
"-----BEGIN CERTIFICATE-----\ redacted\n
      ],
      "googlePartitionCerts": [
"-----BEGIN CERTIFICATE-----\n  redacted\n
   ]
    }
  },
  "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
  "generateTime": "2023-03-07T22:01:13.131861605Z"
}

-----------------------------------------------------: timestamp=2023-03-07T14:12:52.042-0800
2023-03-07T14:12:52.043-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/07 14:12:52 [DEBUG] Retry Transport: Stopping retries, last request was successful: timestamp=2023-03-07T14:12:52.042-0800
2023-03-07T14:12:52.043-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/07 14:12:52 [DEBUG] Retry Transport: Returning after 1 attempts: timestamp=2023-03-07T14:12:52.042-0800
2023-03-07T14:12:52.043-0800 [INFO]  provider.terraform-provider-google_v4.56.0_x5: 2023/03/07 14:12:52 [ERROR] setting state: attestation.0.cert_chains.0.cavium_certs: '' expected type 'string', got unconvertible type '[]interface {}', value: '[-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
]': timestamp=2023-03-07T14:12:52.043-0800
2023-03-07T14:12:52.043-0800 [ERROR] provider.terraform-provider-google_v4.56.0_x5: Response contains error diagnostic: @module=sdk.proto tf_req_id=d6b8a6dd-a5c3-b20c-f291-328ced0f2820 tf_rpc=ReadResource @caller=github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_detail= diagnostic_severity=ERROR diagnostic_summary="Error reading CryptoKeyVersion: attestation.0.cert_chains.0.cavium_certs: '' expected type 'string', got unconvertible type '[]interface {}', value: '[-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
]'" tf_proto_version=5.3 tf_provider_addr=provider tf_resource_type=google_kms_crypto_key_version timestamp=2023-03-07T14:12:52.043-0800
2023-03-07T14:12:52.043-0800 [ERROR] vertex "google_kms_crypto_key_version.key_version" error: Error reading CryptoKeyVersion: attestation.0.cert_chains.0.cavium_certs: '' expected type 'string', got unconvertible type '[]interface {}', value: '[-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
]'
2023-03-07T14:12:52.043-0800 [ERROR] vertex "google_kms_crypto_key_version.key_version" error: Error reading CryptoKeyVersion: attestation.0.cert_chains.0.cavium_certs: '' expected type 'string', got unconvertible type '[]interface {}', value: '[-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
]'
2023-03-07T14:12:52.043-0800 [ERROR] vertex "google_kms_crypto_key_version.key_version (expand)" error: Error reading CryptoKeyVersion: attestation.0.cert_chains.0.cavium_certs: '' expected type 'string', got unconvertible type '[]interface {}', value: '[-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
]'

[hao-nan-li]

Sure I will take a look into it. Could you send me the TF config where caviumCerts is defined?

[hao-nan-li]

Any update?

[cscherban]

I've actually recieved a rather similar error to do with imports (on version 4.63.0 of the provider.

terraform import google_kms_crypto_key_version.default project/abc/locations/us/keyRings/ring-name/cryptoKeys/key-name/cryptoKeyVersions/1

Leads to

Error: Error reading CryptoKeyVersion: attestation.0.cert_chains.0.google_card_certs: '' expected type 'string', got unconvertible type '[]interface {}', value: '[-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
]'

Seems like these could be related

[daniel1302]

I am getting the same issue

➜  windows_sign_apps git:(add-experimental-data-node) ✗ terraform import google_kms_crypto_key_version.digicert_ev_signing_key_ecc_256_v1 "projects/<my-project>/locations/europe-west2/keyRings/windows-sign-apps/cryptoKeys/digicert-ev-signing-key-ecc-256/cryptoKeyVersions/1"
google_kms_crypto_key_version.digicert_ev_signing_key_ecc_256_v1: Importing from ID "projects/<my-project>/locations/europe-west2/keyRings/windows-sign-apps/cryptoKeys/digicert-ev-signing-key-ecc-256/cryptoKeyVersions/1"...
google_kms_crypto_key_version.digicert_ev_signing_key_ecc_256_v1: Import prepared!
  Prepared google_kms_crypto_key_version for import
google_kms_crypto_key_version.digicert_ev_signing_key_ecc_256_v1: Refreshing state... [id=projects/<my-project>/locations/europe-west2/keyRings/windows-sign-apps/cryptoKeys/digicert-ev-signing-key-ecc-256/cryptoKeyVersions/1]
╷
│ Error: Error reading CryptoKeyVersion: attestation.0.cert_chains.0.cavium_certs: '' expected type 'string', got unconvertible type '[]interface {}', value: '[-----BEGIN CERTIFICATE-----

This is my config:

resource "google_kms_key_ring" "windows_sign_apps" {
  name     = "windows-sign-apps"
  location = "europe-west2"
}

resource "google_kms_crypto_key" "digicert_ev_signing_key_ecc_256" {
  name            = "digicert-ev-signing-key-ecc-256"
  key_ring        = google_kms_key_ring.windows_sign_apps.id

  purpose = "ASYMMETRIC_SIGN"
  destroy_scheduled_duration = "86400s"

  timeouts {}

  version_template {
    algorithm        = "EC_SIGN_P256_SHA256"
    protection_level = "HSM"
  }

  lifecycle {
    prevent_destroy = true
  }
}

// This version has been used to generate the Digicert EV Key. DO NOT DESTROY!!!!
resource "google_kms_crypto_key_version" "digicert_ev_signing_key_ecc_256_v1" {
  crypto_key = google_kms_crypto_key.digicert_ev_signing_key_ecc_256.id

  lifecycle {
    prevent_destroy = true

  }
}

[gnarea]

I'm getting this error with HSM keys only. Software ones are OK.

[gnarea]

A workaround is to let the crypto key resource create the initial key version, and then import it. See how I've done it here: relaycorp/terraform-google-awala-endpoint#21

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.