Unblock EXTERNAL/EXTERNAL_VPC Cloud KMS key creation.

[tdbhacks]

The external_protection_level_options field had been nested within the attestation field by accident. See hashicorp/terraform-provider-google#15004 for more information about this change..

NOTE: this is the initial deprecation notice, and we are just adding a duplicate set of fields outside of attestation. When the old field is eventually removed, it should not break any CUJs because the current state of things does not allow for successful key creation (malformed requests would be rejected by the server). The old, deprecated field will be removed in the next release.

Release Note Template for Downstream PRs (will be copied)

kms: added top-level `external_protection_level_options` field in `google_kms_crypto_key_version` resource

kms: `attestation.external_protection_level_options` has been deprecated in favor of `external_protection_level_options` in `google_kms_crypto_key_version` 

kms: added `crypto_key_backend` field to `google_kms_crypto_key` resource

[modular-magician]

Hello! I am a robot. It looks like you are a: Community Contributor Googler Core Contributor. Tests will run automatically.

@trodge, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Breaking Change(s) Detected

The following breaking change(s) were detected within your pull request.

• Field attestation.cert_chains.cavium_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains.google_card_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains.google_partition_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains MinItems went from 0 to 0 on google_kms_crypto_key_version - reference
• Field attestation.cert_chains became Computed only on google_kms_crypto_key_version - reference
• Field attestation.external_protection_level_options.ekm_connection_key_path within resource google_kms_crypto_key_version was either removed or renamed - reference
• Field attestation.external_protection_level_options.external_key_uri within resource google_kms_crypto_key_version was either removed or renamed - reference
• Field attestation.external_protection_level_options within resource google_kms_crypto_key_version was either removed or renamed - reference

If you believe this detection to be incorrect please raise the concern with your reviewer.
If you intend to make this change you will need to wait for a major release window.
An override-breaking-change label can be added to allow merging.

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 3 files changed, 165 insertions(+), 52 deletions(-))
Terraform Beta: Diff ( 3 files changed, 165 insertions(+), 52 deletions(-))
TF Conversion: Diff ( 1 file changed, 40 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_kms_crypto_key_version (18 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_kms_crypto_key_version" "primary" {
  external_protection_level_options {
    ekm_connection_key_path = # value needed
    external_key_uri        = # value needed
  }
}

[modular-magician]

Tests analytics

Total tests: 30
Passed tests 26
Skipped tests: 3
Affected tests: 1

Click here to see the affected service packages

• kms

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions

Get to know how VCR tests work

[modular-magician]

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Breaking Change(s) Detected

The following breaking change(s) were detected within your pull request.

• Field attestation.cert_chains.cavium_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains.google_card_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains.google_partition_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains MinItems went from 0 to 0 on google_kms_crypto_key_version - reference
• Field attestation.cert_chains became Computed only on google_kms_crypto_key_version - reference
• Field attestation.external_protection_level_options.ekm_connection_key_path within resource google_kms_crypto_key_version was either removed or renamed - reference
• Field attestation.external_protection_level_options.external_key_uri within resource google_kms_crypto_key_version was either removed or renamed - reference
• Field attestation.external_protection_level_options within resource google_kms_crypto_key_version was either removed or renamed - reference

If you believe this detection to be incorrect please raise the concern with your reviewer.
If you intend to make this change you will need to wait for a major release window.
An override-breaking-change label can be added to allow merging.

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 3 files changed, 171 insertions(+), 52 deletions(-))
Terraform Beta: Diff ( 3 files changed, 171 insertions(+), 52 deletions(-))
TF Conversion: Diff ( 1 file changed, 40 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_kms_crypto_key_version (18 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_kms_crypto_key_version" "primary" {
  external_protection_level_options {
    ekm_connection_key_path = # value needed
  }
}

[modular-magician]

Tests analytics

Total tests: 30
Passed tests 26
Skipped tests: 3
Affected tests: 1

Click here to see the affected service packages

• kms

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions

Get to know how VCR tests work

[modular-magician]

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Breaking Change(s) Detected

The following breaking change(s) were detected within your pull request.

• Field attestation.cert_chains.cavium_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains.google_card_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains.google_partition_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains MinItems went from 0 to 0 on google_kms_crypto_key_version - reference
• Field attestation.cert_chains became Computed only on google_kms_crypto_key_version - reference
• Field attestation.external_protection_level_options.ekm_connection_key_path within resource google_kms_crypto_key_version was either removed or renamed - reference
• Field attestation.external_protection_level_options.external_key_uri within resource google_kms_crypto_key_version was either removed or renamed - reference
• Field attestation.external_protection_level_options within resource google_kms_crypto_key_version was either removed or renamed - reference

If you believe this detection to be incorrect please raise the concern with your reviewer.
If you intend to make this change you will need to wait for a major release window.
An override-breaking-change label can be added to allow merging.

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 3 files changed, 172 insertions(+), 52 deletions(-))
Terraform Beta: Diff ( 3 files changed, 172 insertions(+), 52 deletions(-))
TF Conversion: Diff ( 1 file changed, 40 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_kms_crypto_key_version (18 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_kms_crypto_key_version" "primary" {
  external_protection_level_options {
    ekm_connection_key_path = # value needed
  }
}

[modular-magician]

Tests analytics

Total tests: 30
Passed tests 26
Skipped tests: 3
Affected tests: 1

Click here to see the affected service packages

• kms

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions

Get to know how VCR tests work

[modular-magician]

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

[tdbhacks]

Note to reviewer: following internal discussions, this PR will need to be reworked a bit. I will let you know when it's ready for review.

[tdbhacks]

Reworked this PR, looking for /gcbrun to see if the test works now, as well as an initial review!

[trodge]

/gcbrun

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Breaking Change(s) Detected

The following breaking change(s) were detected within your pull request.

• Field attestation.cert_chains.cavium_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains.google_card_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains.google_partition_certs became Computed only on google_kms_crypto_key_version - reference
• Field attestation.cert_chains MinItems went from 0 to 0 on google_kms_crypto_key_version - reference
• Field attestation.cert_chains became Computed only on google_kms_crypto_key_version - reference

If you believe this detection to be incorrect please raise the concern with your reviewer.
If you intend to make this change you will need to wait for a major release window.
An override-breaking-change label can be added to allow merging.

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 3 files changed, 210 insertions(+), 27 deletions(-))
Terraform Beta: Diff ( 3 files changed, 210 insertions(+), 27 deletions(-))
TF Conversion: Diff ( 1 file changed, 40 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_kms_crypto_key_version (18 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_kms_crypto_key_version" "primary" {
  external_protection_level_options {
    ekm_connection_key_path = # value needed
  }
}

[modular-magician]

Tests analytics

Total tests: 30
Passed tests: 26
Skipped tests: 3
Affected tests: 1

Click here to see the affected service packages

• kms

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions

Get to know how VCR tests work

[modular-magician]

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

[tdbhacks]

Updated to undo remaining breaking changes, which will be done in a follow up PR. Looking for /gcbrun again

[tdbhacks]

@trodge mind /gcbrun -ing again? Thanks!

[trodge]

/gcbrun

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 3 files changed, 190 insertions(+), 1 deletion(-))
Terraform Beta: Diff ( 3 files changed, 190 insertions(+), 1 deletion(-))
TF Conversion: Diff ( 1 file changed, 40 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_kms_crypto_key_version (19 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_kms_crypto_key_version" "primary" {
  external_protection_level_options {
    ekm_connection_key_path = # value needed
  }
}

[modular-magician]

Tests analytics

Total tests: 32
Passed tests: 28
Skipped tests: 3
Affected tests: 1

Click here to see the affected service packages

• kms

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions

Get to know how VCR tests work

[modular-magician]

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

[c2thorn]

@trodge You can assign me to this if you want, it's similar to another PR that I reviewed.

[c2thorn]

/gcbrun

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 5 files changed, 382 insertions(+), 1 deletion(-))
google-beta provider: Diff ( 5 files changed, 382 insertions(+), 1 deletion(-))
terraform-google-conversion: Diff ( 2 files changed, 50 insertions(+))

[modular-magician]

Tests analytics

Total tests: 33
Passed tests: 29
Skipped tests: 3
Affected tests: 1

Click here to see the affected service packages

• kms

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccKmsCryptoKeyVersion_externalProtectionLevelOptionsVpc

Get to know how VCR tests work

[modular-magician]

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccKmsCryptoKeyVersion_externalProtectionLevelOptionsVpc[Debug log]

$\textcolor{green}{\textsf{No issues found for passed tests after REPLAYING rerun.}}$

---

$\textcolor{green}{\textsf{All tests passed!}}$
View the build log or the debug log for each test

[tdbhacks]

I just squashed all commits, now waiting for a successful VCR run before I add the tag to only run the VPC test in nightly/GA builds

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 5 files changed, 382 insertions(+), 1 deletion(-))
google-beta provider: Diff ( 5 files changed, 382 insertions(+), 1 deletion(-))
terraform-google-conversion: Diff ( 2 files changed, 50 insertions(+))

[modular-magician]

Tests analytics

Total tests: 33
Passed tests: 30
Skipped tests: 3
Affected tests: 0

Click here to see the affected service packages

• kms

$\textcolor{green}{\textsf{All tests passed!}}$
View the build log

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 5 files changed, 388 insertions(+), 1 deletion(-))
google-beta provider: Diff ( 5 files changed, 388 insertions(+), 1 deletion(-))
terraform-google-conversion: Diff ( 2 files changed, 50 insertions(+))

[modular-magician]

Tests analytics

Total tests: 33
Passed tests: 29
Skipped tests: 4
Affected tests: 0

Click here to see the affected service packages

• kms

$\textcolor{green}{\textsf{All tests passed!}}$
View the build log

[tdbhacks]

Alright, looks like the test was skipped correctly! @c2thorn ready for the final review, I've updated the PR title and description but let me know if you'd like me to tweak something. Thanks!

[c2thorn]

LGTM, confirmed test logs stored on internal ticket for other EKM tests.
I'll check the nightly tomorrow to see how it goes with the permissions.