Adding Labels to google_kms_crypto_key Indirectly Forces Replacement via skip_initial_version_creation #8947
Comments
@byronmccollum I can't repro it. Can you share your debug log? |
I can work on getting a debug log, but in the meantime, you might want to try creating the key ring and crypto key with a provider version prior to the introduction of |
@byronmccollum |
You are correct, it is optional, but it also has |
I'm currently working on a reduction for reproducing it. |
Use Google Provider < 3.46.0

```hcl
# main.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "< 3.46.0"
    }
  }
}

provider "google" {
  region  = "us-central1"
  project = "my-project"
}

resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  location = "us-central1"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = google_kms_key_ring.my_key_ring.self_link
  rotation_period = "7776000s"

  lifecycle {
    prevent_destroy = false
  }
}
```

Init, Plan, and Apply Changes

Inspect State

Update Google Provider = 3.46.0

```hcl
# main.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "= 3.46.0"
    }
  }
}

provider "google" {
  region  = "us-central1"
  project = "my-project"
}

resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  location = "us-central1"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = google_kms_key_ring.my_key_ring.self_link
  rotation_period = "7776000s"

  lifecycle {
    prevent_destroy = false
  }
}
```

Init and Plan Changes

Add Labels to Crypto Key

```hcl
# main.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "= 3.46.0"
    }
  }
}

provider "google" {
  region  = "us-central1"
  project = "my-project"
}

resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  location = "us-central1"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = google_kms_key_ring.my_key_ring.self_link
  rotation_period = "7776000s"

  labels = {
    foo = "bar"
  }

  lifecycle {
    prevent_destroy = false
  }
}
```

Plan Changes
|
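A plan gate for the failure reproduced above, as an added example that is not part of the original thread or the provider's code: it reads the JSON form of a saved plan (`terraform show -json`) and blocks any change that would delete or replace a `google_kms_crypto_key`, reporting the attribute that forces it. The embedded plan is a constructed sample shaped like the one in this issue; the function names are hypothetical, and `replace_paths` is only present in plan JSON from newer Terraform releases, so its absence is handled.

```python
import json

# Constructed sample: a trimmed `terraform show -json` plan document shaped
# like the plan in this issue (labels added, key scheduled for replacement).
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.0",
  "resource_changes": [
    {"address": "google_kms_key_ring.my_key_ring",
     "type": "google_kms_key_ring",
     "change": {"actions": ["no-op"]}},
    {"address": "google_kms_crypto_key.my_crypto_key",
     "type": "google_kms_crypto_key",
     "change": {"actions": ["delete", "create"],
                "replace_paths": [["skip_initial_version_creation"]]}}
  ]
}
""")

# Resource types whose destruction should never pass review unattended.
PROTECTED_TYPES = {"google_kms_crypto_key"}


def destructive_kms_changes(plan):
    """Return (address, actions, forcing_attributes) for each protected
    resource whose planned actions include a delete (destroy or replace)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if rc.get("type") in PROTECTED_TYPES and "delete" in actions:
            # replace_paths may be missing on older Terraform; then the
            # forcing attribute is simply reported as unknown (empty list).
            forcing = [".".join(str(step) for step in path)
                       for path in change.get("replace_paths", [])]
            findings.append((rc["address"], actions, forcing))
    return findings


def gate(plan):
    """CI-style verdict: 0 if the plan is safe to apply, 1 if it must be blocked."""
    return 1 if destructive_kms_changes(plan) else 0


if __name__ == "__main__":
    for address, actions, forcing in destructive_kms_changes(SAMPLE_PLAN):
        print(f"BLOCK {address}: {'/'.join(actions)} forced by {forcing or 'unknown'}")
    print("gate verdict:", gate(SAMPLE_PLAN))
```
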
We are seeing this but not consistently. We have shared VPC projects with multiple GKE clusters that are encrypting application secrets with KMS keys. It is odd that of 5 projects with GKE clusters and Cloud KMS keys, 3 of them see the issue, but the other 2 have a plan where the skip_initial_version_creation is already seen as false. One thing I can see different between the projects is that the ones that fail have 1 or 2 keyrings. The ones that pass have 3 keyrings in the project. The ones that pass were also created in January 2021, but the other 3 failing cases were created prior to 2021. |
I figured out by the timing that the working clusters were created after skip_initial_version_creation was included in 3.46.0. |
@byronmccollum I tested by starting v3.44.0 and then upgrading to v3.46.0, still couldn't repro it. I don't see that field in the api response, and not sure why this could be an issue. Do you mind sharing the debug log that should include all the requests & responses? |
Thanks @billyfoss for the additional confirmation of what you're seeing. |
@edwardmedia The above with debug logs...

Use Google Provider < 3.46.0

```hcl
# main.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "< 3.46.0"
    }
  }
}

provider "google" {
  region  = "us-central1"
  project = "my-project"
}

resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  location = "us-central1"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = google_kms_key_ring.my_key_ring.self_link
  rotation_period = "7776000s"

  lifecycle {
    prevent_destroy = false
  }
}
```

Init, Plan, and Apply Changes

Inspect State

Update Google Provider = 3.46.0

```hcl
# main.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "= 3.46.0"
    }
  }
}

provider "google" {
  region  = "us-central1"
  project = "my-project"
}

resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  location = "us-central1"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = google_kms_key_ring.my_key_ring.self_link
  rotation_period = "7776000s"

  lifecycle {
    prevent_destroy = false
  }
}
```

Clean Out Provider Configs

Init and Plan Changes

Add Labels to Crypto Key

```hcl
# main.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "= 3.46.0"
    }
  }
}

provider "google" {
  region  = "us-central1"
  project = "my-project"
}

resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  location = "us-central1"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = google_kms_key_ring.my_key_ring.self_link
  rotation_period = "7776000s"

  labels = {
    foo = "bar"
  }

  lifecycle {
    prevent_destroy = false
  }
}
```

Plan Changes
|
@byronmccollum now I see. Thanks for providing the details |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Before Config Change
After Config Change (Labels Added)
Expected Behavior
Labels get added to crypto key.
Actual Behavior
When labels are added, the attribute skip_initial_version_creation also gets added, which forces replacement of the resource.