TL;DR

#52 makes it sound like the only change is constraints, but #50 also changes google_kms_key_ring.key_ring.self_link to google_kms_key_ring.key_ring.id which results in all google_kms_crypto_key_iam_binding resources needing to be re-created.

Expected behavior

No change in terraform plan after updating the module

Observed behavior

All google_kms_crypto_key_iam_binding resources are marked for replacement

Terraform Configuration

Create a key with minimal example, using version 2.0.1, then change version to 2.1.0

Terraform Version

1.1.2

Additional information

Breaking change and potential migration path should be indicated in the release notes.

When running terraform destroy on a workspace that uses this module to provision a single key, I get the following error which seems internal to this module despite using prevent_destroy=false.

Error: Invalid function argument
  on .terraform/modules/test_data_lake.kms/terraform-google-kms-1.2.0/main.tf line 18, in locals:
  18:   keys_by_name = zipmap(var.keys, var.prevent_destroy ? slice(google_kms_crypto_key.key[*].self_link, 0, length(var.keys)) : slice(google_kms_crypto_key.key_ephemeral[*].self_link, 0, length(var.keys)))
    |----------------
    | var.keys is list of string with 1 element
Invalid value for "end_index" parameter: end index must not be greater than
the length of the list.

Do the integration tests check behavior on destroy? It seems this module's integration test has two keys perhaps this behavior is unique to when this module is used to provision only a single key.

config that produced this issue:

module "kms" {
  source  = "terraform-google-modules/kms/google"
  version = "~> 1.2"

  project_id = var.project
  location   = split("-", var.region)[0]
  keyring    = var.kms_key_ring
  keys               = [var.dataproc_kms_key]
  set_owners_for     = [var.dataproc_kms_key]
  set_encrypters_for = [var.dataproc_kms_key]
  set_decrypters_for = [var.dataproc_kms_key]
  owners             = ["user:${var.data_lake_super_admin}"]
  encrypters = [
    module.service_accounts.iam_emails["${var.kdc_cluster}-sa"]
  ]
  decrypters = [
    join(",", [
      module.service_accounts.iam_emails["${var.kdc_cluster}-sa"],
      module.service_accounts.iam_emails["${var.metastore_cluster}-sa"],
      module.service_accounts.iam_emails["${var.analytics_cluster}-sa"],
    ])
  ]
  prevent_destroy = "false"
}

TL;DR

Setting more than one entity in encrypters and decrypters does not work. The other entities other than the first get silently ignored.

Expected behavior

All entities in encrypters and decrypters are given the roles roles/cloudkms.cryptoKeyEncrypter and roles/cloudkms.cryptoKeyDecrypter

Observed behavior

Adding a second entity to encrypters and decrypters does nothing.

Terraform Configuration

This adds the roles roles/cloudkms.cryptoKeyEncrypter and roles/cloudkms.cryptoKeyDecrypter to the service account google_service_account.kanister.

module "kms" {
  source  = "registry.terraform.io/terraform-google-modules/kms/google"
  version = "2.2.1"

  project_id = var.project.name
  location   = "europe"
  keyring    = "backup"
  keys       = ["kanister"]

  encrypters = [
    "serviceAccount:${google_service_account.kanister.email}",
  ]
  decrypters = [
    "serviceAccount:${google_service_account.kanister.email}",
  ]

  set_encrypters_for = ["kanister"]
  set_decrypters_for = ["kanister"]
}

Adding a secondary account does nothing:

module "kms" {
  source  = "registry.terraform.io/terraform-google-modules/kms/google"
  version = "2.2.1"

  project_id = var.project.name
  location   = "europe"
  keyring    = "backup"
  keys       = ["kanister"]

  encrypters = [
    "serviceAccount:${google_service_account.kanister.email}",
    "serviceAccount:[email protected]",
  ]
  decrypters = [
    "serviceAccount:${google_service_account.kanister.email}",
    "serviceAccount:[email protected]",
  ]

  set_encrypters_for = ["kanister"]
  set_decrypters_for = ["kanister"]
}

Terraform Version

Terraform v1.3.5
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.44.1
+ provider registry.terraform.io/hashicorp/google-beta v4.44.1
+ provider registry.terraform.io/hashicorp/kubernetes v2.16.0
+ provider registry.terraform.io/hashicorp/random v3.4.3

Additional information

No response

TL;DR

I am going through this https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key_version and I am not sure how to pass external key uri to it. My keys reside in ekms. Manually I can set the external uri but not via terraform

Expected behavior

No response

Observed behavior

No response

Terraform Configuration

resource "google_kms_key_ring" "my_key_ring" {
  name     = "crypto-key-ring-example"
  location = "europe-west3"
}


resource "google_kms_crypto_key" "my_crypto_key" {
  name     = "crypto-key-example"
  key_ring = google_kms_key_ring.my_key_ring.id
  purpose  = "ENCRYPT_DECRYPT"
  version_template {
  protection_level ="EXTERNAL"
  algorithm = "EXTERNAL_SYMMETRIC_ENCRYPTION"

}
skip_initial_version_creation = "true"
}

resource "google_kms_crypto_key_version" "example-key" {
  crypto_key = google_kms_crypto_key.my_crypto_key.id
#attestation{
#external_protection_level_options {
@external_key_uri = "****************************"
#}
#}
}

Terraform Version

Terraform v1.6.4

Additional information

No response

How do I import existing keyring to this module?
I have some terraform code:

module "kms-keys" {
  source  = "terraform-google-modules/kms/google"
  version = "~>2.0"

  project_id              = module.project.project_id

  keyring                 = var.kms_keyring_name
  location                = var.kms_keyring_location
  
  key_algorithm           = "GOOGLE_SYMMETRIC_ENCRYPTION"
  key_protection_level    = var.kms_key_protection
  
  keys                    = tolist([var.kms_gke_key_name])
  
  prevent_destroy         = false
}

And I have a keyring named "main-keyring". I'm trying to import state like this:

terraform import "module.kms-keys.google_kms_key_ring.key_ring" "myproject-631c/europe-west3-a/main-keyring"

And I'm getting an error:

module.kms-keys.google_kms_key_ring.key_ring: Refreshing state... [id=projects/myproject-631c/locations/europe-west3-a/keyRings/main-keyring]
╷
│ Error: Invalid function argument
│ 
│   on .terraform/modules/kms-keys/main.tf line 18, in locals:
│   18:   keys_by_name = zipmap(var.keys, var.prevent_destroy ? slice(google_kms_crypto_key.key[*].self_link, 0, length(var.keys)) : slice(google_kms_crypto_key.key_ephemeral[*].self_link, 0, length(var.keys)))
│     ├────────────────
│     │ var.keys is list of string with 1 element
│ 
│ Invalid value for "end_index" parameter: end index must not be greater than the length of the list.

Is it a bug?

I've run into an issue where I add the module.kms.keyring_resource to a depends_on block of a null resource which uses a gcloud local-exec to use this key to encrypt something and upload to GCS. (For context's sake this is to provision random kerberos secrets for dataproc cluster to GCS for an example data lake).

Behavior of my module becomes non-deterministic because there is a corner case where the null resource tries to use the keyring before the appropriate iam permission has been set because there is no dependency on the iam binding.

This will resolve itself after a few applies because eventually the iam binding will have been deployed before the local-exec is attempted.
However, it would be cleaner if I could depend on the iam bindings created by this module.

If there is a better way to do this please let me know and I will close this issue.

Using Cloud Build

Terraform destroy fails when you try to delete keys in Cloud KMS with Error: Instance cannot be destroyed

As a workaround, you can remove KMS from tfstate via terraform state rm 'module.kms' to remove KMS modules. This allows terraform destroy to complete, however, we receive an Invalid Function Argument:

Error: Invalid function argument

  on .terraform/modules/kms/main.tf line 18, in locals:
  18:   keys_by_name = zipmap(var.keys, var.prevent_destroy ? slice(google_kms_crypto_key.key[*].self_link, 0, length(var.keys)) : slice(google_kms_crypto_key.key_ephemeral[*].self_link, 0, length(var.keys)))
    |----------------
    | var.keys is list of string with 1 element

Invalid value for "end_index" parameter: end index must not be greater than
the length of the list.

To me, it seems like var.keys is populated somewhere (although I can't see where). It would be good if we could override to remove the error or exit gracefully if google_kms_crypto_key.key[*].self_link returns as an empty list.

What are your thoughts on refactoring this module to receive a more detailed keys variable with all of its metadata, and managing the IAM for each key using an authoritative policy?

For reference, I created a module at a previous job that did this pretty well: https://github.com/soggycactus/terraform-google-kms-keyring

We looked at using this module, as we prefer not to write our own Terraform if there's an officially support module for it. But we felt it was best to manage our KMS keys using an authoritative policy.

This issue prevents doing any imports when kms module is used along with other modules/resources.

Error: Error in function call

  on .terraform/modules/kms/terraform-google-modules-terraform-google-kms-6de47d4/main.tf line 18, in locals:
  18:   keys_by_name = zipmap(var.keys, var.prevent_destroy ? google_kms_crypto_key.key[*].self_link : google_kms_crypto_key.key_ephemeral[*].self_link)
    |----------------
    | google_kms_crypto_key.key is tuple with 1 element
    | google_kms_crypto_key.key_ephemeral is empty tuple
    | var.keys is empty list of string
    | var.prevent_destroy is true

Call to function "zipmap" failed: number of keys (0) does not match number of
values (1).

Dear all

I try to create a keyring with keys which are stored in an HMS instead of software protection.
I haven't seen any option how to specify where the key is stored.
Is this use case supported already?

Thanks in advance

TL;DR

When creating a KMS key, the rotation_period is initially set to 100000s instead of the default values from variables.tf

which is about 27h instead of 90d and leads undesired 20$ of cost per month and key

  + resource "google_kms_crypto_key" "key" {
      + destroy_scheduled_duration = (known after apply)
      + id                         = (known after apply)
      + import_only                = (known after apply)
      + key_ring                   = (known after apply)
      + name                       = "secrets-key"
      + purpose                    = "ENCRYPT_DECRYPT"
      + rotation_period            = "100000s"

      + version_template {
          + algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
          + protection_level = "SOFTWARE"
        }
    }

not sure why it happens. if I supply the exact same value as in default, its set correctly

Expected behavior

key_rotation_period default from variables.tf being respected

Observed behavior

100000s is used instead as default

Terraform Configuration

module "kms2" {
  source  = "terraform-google-modules/kms/google"
  version = "2.2.3"

  project_id          = data.google_project.project.name
  location            = "europe"
  keyring             = "sops"
  keys                = ["secrets-key"]
  set_decrypters_for  = ["secrets-key"]

  decrypters = [
    "serviceAccount:${data.google_project.project.number}@cloudbuild.gserviceaccount.com"
  ]
}

Terraform Version

Terraform v1.4.6
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.84.0
+ provider registry.terraform.io/hashicorp/google-beta v4.84.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.23.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1

Additional information

No response

Need to update module to support Google provider 3.x, including updating test/setup to the latest project factory.

TL;DR

After a terraform import for all the keys in a key ring. So, when I try to to execute a terraform apply there's an error message it seems to try to recreate all the keys with the same key_algorithm, then I try to force the recreation of these keys with the default key_algorithm with the prevent_destroy: false without successful.

19:23:07  │   on main.tf line 27:
19:23:07  │   27: resource "google_kms_crypto_key" "key" {
19:23:07  │ 
19:23:07  │ Resource google_kms_crypto_key.key[0] has lifecycle.prevent_destroy set,
19:23:07  │ but the plan calls for this resource to be destroyed. To avoid this error
19:23:07  │ and continue with the plan, either disable lifecycle.prevent_destroy or
19:23:07  │ reduce the scope of the plan using the -target flag.

In the main.tf of this module the prevent_destroy argument doesn't change according to the value of var.prevent_destroy

resource "google_kms_crypto_key" "key" {
  count           = var.prevent_destroy ? length(var.keys) : 0
  name            = var.keys[count.index]
  key_ring        = google_kms_key_ring.key_ring.id
  rotation_period = var.key_rotation_period

  lifecycle {
    prevent_destroy = true
  }

  version_template {
    algorithm        = var.key_algorithm
    protection_level = var.key_protection_level
  }

  labels = var.labels
}

resource "google_kms_crypto_key" "key_ephemeral" {
  count           = var.prevent_destroy ? 0 : length(var.keys)
  name            = var.keys[count.index]
  key_ring        = google_kms_key_ring.key_ring.id
  rotation_period = var.key_rotation_period

  lifecycle {
    prevent_destroy = false
  }

  version_template {
    algorithm        = var.key_algorithm
    protection_level = var.key_protection_level
  }

  labels = var.labels
}

Terraform Resources

This code can be found here:
https://github.com/terraform-google-modules/terraform-google-kms/blob/master/main.tf

Detailed design

I have 5 keys in the same key ring with differente algorithms. This module doesn't provide the ability to use a different algorithm for each key.
"algorithm": "RSA_DECRYPT_OAEP_2048_SHA256",
"algorithm": "RSA_DECRYPT_OAEP_3072_SHA256",
"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
"algorithm": "RSA_SIGN_PSS_2048_SHA256",
"algorithm": "RSA_DECRYPT_OAEP_3072_SHA256",

Additional information

No response

TL;DR

I have enabled Cloud Key Management Service API. and assigned Cloud KMS CryptoKey Encrypter/Decrypter role to google user created keyrings in Cryptographic Keys tabs using Terraform. On apply IAM policy for the keys, it is throwing an error:

Expected behavior

It should enable IAM policy for the keys.

Observed behavior

Error: Error applying IAM policy for KMS CryptoKey "projects/sylvan-faculty-330506/locations/europe-west3/keyRings/module_test/cryptoKeys/test": Error setting IAM policy for KMS CryptoKey "projects/sylvan-faculty-330506/locations/europe-west3/keyRings/module_test/cryptoKeys/test": googleapi: Error 403: Permission 'cloudkms.cryptoKeys.setIamPolicy' denied on resource 'projects/sylvan-faculty-330506/locations/europe-west3/keyRings/module_test/cryptoKeys/test' (or it may not exist)., forbidden

Terraform Configuration

module "kms" {
  source = "../terraform-google-kms-master"
  #version = "~> 1.2"
  project_id     = var.project_id
  location       = var.location
  keyring        = var.keyring
  keys           = var.keys
  #set_owners_for = var.set_owners_for
  #owners         = var.owners
  set_encrypters_for = var.set_encrypters_for
  set_decrypters_for = var.set_decrypters_for
  encrypters = var.encrypters
  decrypters = var.decrypters
}

Terraform Version

Terraform v1.0.11

Additional information

No response

TL;DR

I have manually destroyed a KMS key version in GCP. When I try to create plan for kms using terraform. It keeps giving the error that lifecycle.prevent_destroy is set. I am not trying to destroy anything anymore. I am only trying to create a new KMS key version and set encrypters and decryters for it.

Expected behavior

The existing key creates a new version with my given decrypters and encrypters.

Observed behavior

Terraform plan fails stating it cannot destroy the instance. It should ideally not destroy anything

Terraform Configuration

module "kms" {
  source  = "terraform-google-modules/kms/google"
  version = "~> 2.2"

  project_id          = local.project
  location            = "global"
  keyring             = "containersign-keyring"
  keys                = ["containersign-key"]
  key_algorithm       = "RSA_SIGN_PSS_4096_SHA512"
  key_rotation_period = null
  decrypters = [ ... ]
  encrypters = [ ... ]
  set_decrypters_for = [ "containersign-key" ]
  set_encrypters_for = ["containersign-key" ]
}

Terraform Version

Terraform v1.5.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.47.0

Additional information

The output of $ terraform plan -lock=false

data.google_project.project: Reading...
module.kms.google_kms_key_ring.key_ring: Refreshing state... [id=projects/fzo-uapl/locations/global/keyRings/containersign-secret-keyring]     
module.kms.google_kms_crypto_key.key[0]: Refreshing state... [id=projects/fzo-uapl/locations/global/keyRings/containersign-secret-keyring/cryptoKeys/containersign-secret-key]
data.google_project.project: Read complete after 1s [id=projects/fzo-uapl]

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Instance cannot be destroyed
│
│   on .terraform/modules/kms/main.tf line 27:
│   27: resource "google_kms_crypto_key" "key" {
│
│ Resource module.kms.google_kms_crypto_key.key[0] has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To 
│ avoid this error and continue with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target      
│ flag.

GCS-CMEK

When the above linked GCS-CMEK is run in the terraform-example-foundation Cloud Build pipeline, it creates Keyrings, Keys, and GCS buckets encrypted with the generated keys in multiple projects parallelly; this produces an error.

Error: googleapi: Error 403: Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key., forbidden

Causality: The GCS module only requires the key as input, creating the implicit dependency only to the key self-link being available, ignoring the IAM bindings.

As such, Terraform tries to create the GCS bucket before the IAM binding for Role: Encrypter/Decrypter is linked to the KMS Key in many cases, the test even goes further after the failure point and completes the IAM Binding, thus leaving no trace that it was the root cause, if not looking closely at the output. It can only be detected by comparing the line numbers of successfully deployed buckets vs. unsuccessful buckets; in cases where the bucket randomly deploys after the binding has been set, it is successful and fails with the above error when the opposite occurs.

In the linked module, the above was resolved by adding an explicit dependency on the entire KMS module (Only possible in Terraform 0.13+) depends_on = [module.kms]

Suggested Improvement to KMS module until a better solution is ascertained

• Add Key IAM Binding output variable if someone needs to add a specific binding dependency and not on the entire module. Output Variable

TL;DR

In TestSimpleExample there is an assertion that uses the first element of the gcloud command (kms keyrings list) output. This gcloud command, by default, is sorted by keyring's name and causes flaky error at the test when running multiple times locally.
Reason: because keyring is not "removable", if you run the same test multiple times, a bunch of keyrings will be generated and the test will start to fail due to a wrong comparison. (it will compare with the first keyring returned, which is not always the correct)

Expected behavior

The gcloud command should return the expected keyring instead

Observed behavior

No response

Terraform Configuration

N/A

Terraform Version

N/A

Additional information

No response

TL;DR

google_kms_crypto_key resource supports import_only and skip_initial_version_creation input variables, but it is not possible to achieve the same crypto key creation (if set both variables mentioned as true) using the KMS module. The KMS module doesn't have these inputs options.

Usually, this use case will happen when the purpose attribute is RAW_ENCRYPT_DECRYPT - which is not mentioned as a possible value in module's inputs documentation.

Terraform Resources

google_kms_crypto_key
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key#

Detailed design

No response

Additional information

No response

Fixed in TF 0.12 PR:
#5

TL;DR

google_kms_crypto_key resource supports 4 types of protection_level ("SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC") while kms module key_protection_level lists only "SOFTWARE" and "HSM" as valid options.

Terraform Resources

google_kms_crypto_key

Detailed design

Looks like key_protection_level input would already accept "EXTERNAL_VPC", it is just missing in "possible values" example string list. The new input field that we would need to implement is crypto_key_backend in order to make "EXTERNAL_VPC" key protection level type fully work.

Additional information

No response

TL;DR

I use the following example to create a key ring and add a key.

`resource "google_kms_key_ring" "keyring" {
name = "keyring-example"
location = "global"
project_id = var.project_id
}

resource "google_kms_crypto_key" "example-asymmetric-sign-key" {
name = "crypto-key-example"
key_ring = google_kms_key_ring.keyring.id
purpose = "ASYMMETRIC_SIGN"

version_template {
algorithm = "EC_SIGN_P384_SHA384"
}

lifecycle {
prevent_destroy = true
}
}`

but even if i provided the project_id property, terraform is trying to create the keyring in the provider project.

Expected behavior

the keyring should be created in the project with provided project_id.

Observed behavior

error shows the terraform is trying to create the keyring in the provider project.

Terraform Configuration

resource "google_kms_key_ring" "dataflow-keyring" {
  name     = "dataflow-keyring"
  project  = var.project_id
  location = var.region
}

resource "google_kms_crypto_key" "example-asymmetric-sign-key" {
  name     = "crypto-key-example"
  key_ring = google_kms_key_ring.dataflow-keyring.id
  purpose  = "ASYMMETRIC_SIGN"

  version_template {
    algorithm = "EC_SIGN_P384_SHA384"
  }

  lifecycle {
    prevent_destroy = true
  }
}

Terraform Version

I am running terraform from atlantis, atlantis version commend provide the following version info:

Terraform v1.1.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v3.90.1
+ provider registry.terraform.io/hashicorp/google-beta v3.90.1
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/random v3.2.0
+ provider registry.terraform.io/hashicorp/time v0.7.2

Your version of Terraform is out of date! The latest version
is 1.2.0. You can update by downloading from https://www.terraform.io/downloads.html

Additional information

No response

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Status Checks

These updates await pending status checks. To force their creation now, click the checkbox below.

• chore(deps): Update module github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test to v0.16.1

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository